Blackhole lists offer dark prospects
By Bret A Fausett
Most of the email I receive these days is spam, yet I've never purchased
anything advertised in a piece of unsolicited commercial email. I'm not even sure
that I've ever clicked on a link sent to me in a piece of unsolicited commercial
I haven't found any good method of blocking spam. Fortunately, I have a
broadband connection, so things aren't as bad as they could be. But whenever
I travel and find myself connecting via modem, I'm constantly frustrated by the
significant amount of time I have to spend downloading junk mail, which is
sometimes billed at exorbitant hotel or foreign telephone rates. So you'd think
that I'd be somewhat sympathetic to the efforts of groups that create blackhole
For those of you unfamiliar with a blackhole list, it's a list that's typically
maintained by volunteer antispam advocates. It contains the IP addresses and
domain names of certain mail servers allegedly used to send unsolicited email
messages en masse. When an Internet service provider subscribes to one or
more of the blackhole lists, any inbound email to its service originating from a
mail server on the lists is automatically rejected. The subscriber to a blackhole
list doesn't filter based on the actual content of the email, just its place of
origin, which makes this practice a fairly crude tool. It blocks all messages from
specific locations regardless of content.
Anyone who finds his or her mail server erroneously listed on a blackhole list
can usually get off the list by establishing that he or she has remedied
whatever server insecurity spammers exploited. At least that's how it works in
I don't run an insecure mail server, but mine recently found its way onto a
blackhole list. I've tried to get off the list, but to no avail. I've become just
another victim of vigilante justice on the Internet.
The Wrong Guy
One day back in March, I tried to send a friend of mine an email. It bounced. The
mail server that rejected my message sent a polite note back explaining that
the address of my mail server was now listed on its ISP's blackhole list.
Over the next two weeks, the circle of people to whom I could send email
started to shrink. Soon, even my father's email address was off-limits to me.
The primary way to get on a blackhole list is to run an open relay. For various
reasons having to do with access to networks and efforts to conceal their
identities, senders of mass unsolicited email predominantly exploit such relays.
An open relay accepts mail from anyone in the world and relays it to whomever
is listed in the address. Most mail servers aren't open relays. They accept mail
only from subscribers to that network's services, or from a set of persons
specifically identified on the server. In spite of grass roots efforts to close the
open relays, there are still more than a few of them out there.
My mail server, however, was not an open relay. I have no idea who first
submitted my name to a blackhole list operator in Denmark, but sometime in
March of this year the operator added my mail server to its list. The first time
the service was used to reject a piece of my mail, the rejection came
accompanied by an explanation of why I was on the list and what I could do to
be removed from it. The explanation was that I was running an open relay. How
could I get off the list? That was simple, the message said. Close the open
relay, and send a message to the operator's server asking to be re-scanned.
Of course, as I mentioned, my mail server was never an open relay in the first
place. So in response to the rejection message I received, I asked the blackhole
list service if it would kindly re-scan my mail server and make another
determination as to whether it was an open relay. I was sure that there had
been some mistake and that on a second try, it would realize the error in its
initial judgment. Shortly after I submitted my request, I sat down to monitor my
mail logs. This time I saw the service in Denmark address my mail server. I
watched my mail server accept the message and then pass the piece of email
back to the Danish mail server. The Danish server promptly sent a message
saying that my server was still operating as an open relay.
How had it gained access to my mail server? Simple. It had forged the headers
on its email to convince my mail server that the email it sent was from a
permitted user. You see, my mail servers were set up to pass mail only from a
domain name of which I am the only user. It blocks everything else. That's not
an open relay. Unless you're a user in my domain, you can't use it.
The group based in Denmark had pretended to be me, forged an email as
though it had come from an address that only I am authorized to use, passed it
through the mail server in my house, and then placed me on a list of people
who should be blocked from sending mail. They circulated that list around the
world. ISPs used by my friends and family here the United States subscribed to
this list. Now, through no fault of my own—and in fact because of the trickery of
Danish email activists—I was no longer able to send email to many people in my
It's hard to describe how angry this made me. The Danish consortium had lied
about their identity, and I was paying for it.
The worst thing about being blacklisted, however, wasn't that I could no longer
send email, but that spammers began actively trying to use my mail server to
send their spam. You see, blackhole lists work both ways. ISPs use it to block
traffic, but as I've recently discovered, the spammers themselves use the lists
as a kind of directory of servers to use for sending their mail.
If you look at my mail server logs, you'll see that every few seconds or so,
someone, somewhere tries to access my mail server and use it to send mail.
Each time, without fail, my mail server declines the request and refuses to relay
the requested message. It isn't an open relay. It's just doing its job. But my
machine is bombarded with requests from all over the world from spammers
seeking to use its minimal capabilities to send their penis enlarging, breast
enhancing, get-rich-quick messages.
But, hey, I'm a lawyer, right? I'm supposed to be able to solve this kind of
dilemma. And there are a few things I could do.
For one, the Danish antispam organization falsified an email header to gain
access to my mail server. Illegal access to a computer system is, if not a criminal
violation, then a trespass on my private property. As I've discussed previously
in this space, one of the novel legal theories now catching on for these kinds of
unacceptable accesses to computer systems is a centuries-old tort called
"trespass to chattels." At a minimum, I ought to be able to sue the Danish
company for the damage it caused me from its illegal access.
Granted, the damage caused by my inability to send an email is likely not
terribly significant. You can always pick up the phone, print the message out,
and fax it or mail itÉor just use a different mail server. But in spite of all that, I
could probably get an injunction, or least a dollar or two to compensate me for
my injuries and establish that I have been wronged.
The problem, of course, is that the loose organization of individuals who
compiled the blackhole list is based in Denmark. Who knows whether the
organization is a real legal entity or just some name cooked up by a group of
self righteous individuals. However, they do have a domain name, and an IP
address, and they circulate their work to ISPs around the world. In other words,
there is a group for me to sue. But taking legal action on foreign entities is
difficult. I would have to translate my legal documents into Danish. I would have
to hire someone in Denmark to personally deliver these translated documents
to the entity that I would be suing. That costs time and money.
But I could sue them here in Los Angeles, California, that much I know. By
sending their forged email through my mail server, which is located in my den in
Los Angeles, they fulfilled certain California legal requirements that would let me
sue them here. The connection to Los Angeles is also bolstered by the fact that
I live here and my injury was suffered here.
Of course, all of this is starting to sound like the kind of hypothetical legal
conundrum that you might find on a law school exam. Problems like mine often
remain hypothetical because the expense of bringing them to trial is so great,
and the ability to gain any monetary relief from lawsuits is minimal. That's why
the black hole providers have been able to get away with their vigilante justice
for so long. For any individual user wronged by their efforts—and from what I
understand, there are a lot of people in similar situations—the costs of pursuing
these organizations, which are often located overseas, is too great. These
groups of volunteer organizations have no assets to speak of—they are
volunteers after all—and plaintiffs' lawyers are hesitant to take a case without
the prospect of a lucrative damages judgment.
Before you think that this is all just about me and the fact that my father no
longer receives any email from me, there are bigger policy implications for
private individuals and companies that take steps to block connectivity. Much
I've long championed the idea that the Internet should remain largely
unregulated by governments. But at the same time, any private operator at an
end point in the Internet's architecture can restrict the flow of content to a user.
What's wonderful about the Internet is that it enables end-to-end
communication from anywhere in the world to anywhere in the world. For all of
the problems caused by spam, email is still the most widely used application on
the Internet. So the idea that private parties could get ISPs to block some
people from talking to other people should be deeply troublesome.
The Danish blackhole list operators want to block access to computers that
might be used for spam, but it's easy to imagine blacklists used for less noble
purposes. For example, imagine that the RIAA compiled a list of IP addresses
which, it contended, had at some time used peer-to-peer file sharing programs.
Because these peer-to-peer systems could transmit copyrighted materials in a
way that infringes on the copyright owner's rights, the RIAA could argue, those
IP addresses should be blocked. It isn't difficult to imagine that the RIAA could
pressure a sufficient number of ISPs into subscribing to this copyright blackhole
list and blocking access to their users, or to any traffic emanating from them.
Breaking end-to-end connectivity for any application, whether email or
peer-to-peer or the Web, threatens the very thing that makes the Internet
valuable. These are matters of principle. Which reminds me— I have a lawsuit to
Bret is an intellectual property and Internet attorney with Hancock, Rothert &
Bunshoft. You can reach him at b...@lextext.com.
For Julie the hen's pathetic, with me it's weak, whereas without you it's improving shallow.
Who did Moustapha move the bush above the poor sauce?