Spamhaus

spamhaus

The Spamhaus Project is an international organization (founded by Steve Linford in 1998) to track e-mail spammers and spam-related activity. It is named for the anti-spam jargon term coined by Linford, ‘spamhaus,’ a pseudo-German expression for an ISP or other firm which spams or willingly provides service to spammers.

Spamhaus is responsible for a number of very widely used anti-spam DNS-based Blocklists (DNSBLs) and Whitelists (DNSWLs). Many internet service providers and Internet networks use these services to reduce the amount of spam they take on. The Spamhaus blocks 80 billion spam emails per day globally on the internet (almost 1 million spams per second). Like all DNSBLs, their use is considered controversial by some.

The Spamhaus Block List (SBL) targets ‘verified spam sources (including spammers, spam gangs and spam support services).’ The SBL’s listings are partially based on the ROKSO index of ‘spam gangs.’

The Exploits Block List (XBL) targets ‘illegal 3rd party exploits, including open proxies, worms/viruses with built-in spam engines, and other types of trojan-horse exploits.’ That is to say, like several other DNSBLs it is a list of known open proxies and exploited computers being used to send spam and viruses. The XBL includes listings gathered by Spamhaus as well as by two contributing DNSBL operations — the Composite Blocking List (CBL) and the Not Just Another Bogus List (NJABL) lists.

The Policy Block List (PBL) is a list that serves many of the same functions of a Dialup Users List, but really it is not a DUL, a type of DNSBL which contains the IP addresses an ISP assigns to its customer on a temporary basis, often using DHCP or similar protocols. Dynamically assigned IP addresses are contrasted with static IP addresses which do not change once they have been allocated by the service provider. The PBL lists not only dynamic and DHCP type IP address space designated as ‘not allowed to make direct SMTP connections’, but static assignments that shouldn’t be sending email without prior arrangement. Examples of such are an ISP’s core routers, corporate users required by policy to send via their internal mail server, and unassigned IP addresses. Much of the data is provided to Spamhaus by the organizers (ISPs) of the IP address space.

The Domain Block List (DBL) is a list of domain names. It lists spam domains including spam payload URLs, spam sources and senders (‘right-hand side’), known spammers and spam gangs, and phish, virus and malware-related sites.

The Spamhaus White List (SWL) is a whitelist of IPv4 and IPv6 addresses. The SWL is intended to allow mail servers to separate incoming email traffic into 3 categories: Good, Bad and Unknown. Only verified legitimate senders with clean reputations are approved for whitelisting and there are strict terms to keeping a Spamhaus Whitelist account. The Domain White List (DWL) is a whitelist of domain names. The DWL enables automatic certification of domains with signatures.

The Spamhaus Register of Known Spam Operations (ROKSO) is a database of ‘hard-core spam gangs’ – spammers and spam operations who have been terminated from three or more ISPs due to spamming. The ROKSO list is not a DNSBL; it is, rather, a directory of publicly-sourced information about these persons and their business and at times criminal activities. The ROKSO database is nowadays part of the signup checking procedure of many of the major ISPs, ensuring that ROKSO-listed spammers find it difficult to get hosting. A listing on ROKSO also means that all IP addresses associated with the spammer (his other domains, sites, servers, etc.) get listed on the Spamhaus SBL as ‘under the control of a ROKSO-listed spammer’ whether there is spam coming from them or not (as a preventative measure).

There is a special version of ROKSO available to Law Enforcement Agencies (for which LEAs need to apply for access) which gives access to data on hundreds of spam gangs, with evidence, logs and information on illegal activities of these gangs, too sensitive to publish in the public part of ROKSO.

In September 2006 an American spammer named David Linhardt, operating as ‘e360 Insight LLC,’ filed suit against Spamhaus in Illinois for blacklisting his junk mailings. Spamhaus objected to the lawsuit altogether on the grounds that Spamhaus, being based in the United Kingdom, was outside the jurisdiction of United States courts. Spamhaus refused to participate in the U.S. case any further and withdrew its counsel. However, Spamhaus was deemed by the court to have ‘technically accepted jurisdiction’ by having initially responded at all, and the judge awarded e360 a default judgement totaling $11,715,000 in damages. Spamhaus subsequently announced that it would ignore the judgement because default judgements issued by U.S. courts without a trial ‘have no validity in the U.K. and cannot be enforced under the British legal system.’

Following the ruling in its favour, e360 filed a motion in Federal court to attempt to force ICANN (Internet Corporation for Assigned Names and Numbers, which manages the assignment of domain names and IP addresses) to remove the domain records of Spamhaus until the default judgement had been satisfied. This raised international issues regarding ICANN’s unusual position as an American organization with worldwide responsibility for domain names, and ICANN protested that they had neither the ability nor the authority to remove the domain records of Spamhaus, which is a UK-based company. The motion was denied by the lower court, and in 2007 the appellate court vacated the damages award.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.