Lawsuit threat against RBL users

Karl Denninger <karl@Denninger.Net> writes:

The problem with this is that someone, sooner or later, is going to
take a run at people trying to set up what amounts to a set of contractual
requirements that exceed legal requirements - and then enforce them network
The collusive aspect of this is downright scary, especially when coupled
with threats of depeering, active denial of service attacks, etc.
I happen to be an "anti-spammer", but when you get to the point that you
start telling people what they have to put in their contracts as an industry,
such that if Person #1 commits an act on a *completely unrelated* system
they get their contract voided you're treading on very, very thin ice.
That looks an awful lot like an industry-wide blacklist, and those are
dangerously close to being per-se illegal.

Let's put two scenarios forwards.

Scenario 1:
Company A has a web site hosted at ISP Z, and a bunch of throwaway
dialup accounts on ISPs P, Q, R, and S. A spams ads for the web site
on ISP Z via those throwaway dialups. P, Q, R, and S kill the dialup
accounts used; people also complain to Z. If Z fails to close the
web site that was spam advertised, someone complains to RBL who
blackhole the web site server.

Scenario 2:
Company B has a set of web sites for various subsidiaries,
hosted at ISPs T, U, and V. The marketing department for the
group hosted at T spams via a bunch of dialups. People complain
and dialups get nuked; people also complain to T, U and V asking that
B be nuked. It isn't, so it gets reported to RBL and MAPS do thier
thing on the website servers at T, and also on U and V which were not
involved in the initial spam but are related to the company.

In the first case, there is clearly a connection between the
spamming and the website that gets RBLed; it was directly advertised
by the spams. That direct link is sufficient under current RBL rules
and meets my definition of terminatable customer.

In the second case, one of the sites meets the above definition,
but the sites at U and V (which may be for completely unrelated
subsidiaries or groups within B) don't necessarily. This might
begin to approach an illegal blacklist.

The question is, are any cases similar to scenario 2 actually happening?
As far as I know, no. Companies that have many websites that are having
all their ISPs pressed to nuke them generally are spamming to advertise
most or all of them, not just one or a few.

-george william herbert I speak for myself only, I am not a CRL employee

Ok, let's put another scenario out there, one which IS somewhat likely:

Company A has a web site hosted at ISP Z, and a bunch of throw-away dial-up
accounts on ISPs P, Q, R and S. They spam through P, Q, R and S, advertising
the site hosted at ISP Z and giving a "freemail" (ie: hotmail, juno, etc)
reply EMAIL address. All four of those dial providers cut *THE SPAMMER*

The spammed people also complain to ISP Z, and ISP Z tells the complainers
to stuff it, because (1) there is no PROOF that Company "A" actually did
the spamming, and (2) no offensive data was emitted by ISP Zs machines.

ISP Z gets RBLd, even though *ISP Z* was not a party to the spamming,
and ISP Z *never touched or emitted the spam*. Worse, what gets RBLd
is ISP Zs mail server, which (if Company A is web hosting there ONLY)
was not only uninvolved, but is irrelavent to the offense (since ISP Z
only sold Company "A" web service).

ISP Z has just had its business policies dictated by unrelated people and
NOT because they committed (either directly or through a customer acting
on their system) an offense - further, OTHER customers of ISP Z (who buy
mail service from them) have been harmed, even though (1) ISP Z wasn't
involved in the infraction, (2) Company "A" didn't do anything objectionable
*ON* ISP Z, or THROUGH ISP Zs equipment, and (3) the sanction is not in any
way related to the offense (ISP Zs mail service is damaged, although their
mail server was not abused, and in fact Company A doesn't get their mail
through ISP Z).

Now, ISP Z has 500 customers, inclusive of Company "A". 499 other
customers lose email connectivity to a significant number of people.

Who has the liability problem?

Now add a twist - Company "A" disavows SENDING the spam, and ISPs P, Q, R
and S refuse to disclose the identity of the terminated customer since
they have strong privacy policies.

Now what?

Now add a far worse twist - Company "A" does the spamming through an
*anonymous remailer* which destroys the logs on the transactions. Now
there is no P, Q, R or S, nor is there any way to PROVE that Company A
sourced the spam.

See, the case where ISP "P" tells MAPS to go blow is simple - the spam
was sent through ISP P, their systems were involved, there is PROOF that
the data was sourced from the offending system. Ergo, you're punishing
the offender and it might stand up in a fight.

"Third-party" blacklisting, where the offense is that someone is RESIDENT
on your system (not that they abused others FROM your system) is, IMHO,
dangerously close to the line. You're not punishing an *action*, you're
punishing someone for associating with a PERSON.

I don't like the liability posture on that at all.

The real culprit here, IMHO, is allowing no-verification, no-deposit
throw-away accounts. To support a *marketing* decision the industry
creates a *personal* blacklist?

That looks dangerous to me, but IANAL.

You are ABSOLUTELY right.

Until the "you" obtains market power.

Then you're absolutely WRONG.

That market power can be obtained by one company, or one individual.
It can also be obtained by a lot of companies and/or individuals all
doing the same thing through joint decisions, whether formally documented
or not.

I STRONGLY suggest that you, and others who beleive that you are acting
in a vacuum here, go talk to your counsel. Today. Seriously.

This kind of stuff is no laughing matter; Sherman and RICO contain
*criminal* provisions as well as civil (ie: sue your butt) ones.

Vix is right in that a simple lawsuit is probably baseless. However,
I'd be very concerned about either a Sherman or Sherman+RICO action.
The congruence of AUPs, along with the widespread adoption of them by
lots of people, gives rise to liabilities for joint actions that *do
not exist* when you act alone.