Lawsuit threat against RBL users

Karl Denninger <karl@Denninger.Net> writes:
>The collusive aspect of this is downright scary, especially when coupled
>with threats of depeering, active denial of service attacks, etc.

Let's put two scenarios forwards.
In the first case, there is clearly a connection between the
spamming and the website that gets RBLed; it was directly advertised
by the spams. That direct link is sufficient under current RBL rules
and meets my definition of terminatable customer.
In the second case, one of the sites meets the above definition,
but the sites at U and V (which may be for completely unrelated
subsidiaries or groups within B) don't necessarily. This might
begin to approach an illegal blacklist.
The question is, are any cases similar to scenario 2 actually happening?
As far as I know, no. Companies that have many websites that are having
all their ISPs pressed to nuke them generally are spamming to advertise
most or all of them, not just one or a few.

Ok, let's put another scenario out there, one which IS somewhat likely:
Company A has a web site hosted at ISP Z, and a bunch of throw-away dial-up
accounts on ISPs P, Q, R and S. They spam through P, Q, R and S, advertising
the site hosted at ISP Z and giving a "freemail" (ie: hotmail, juno, etc)
reply EMAIL address. All four of those dial providers cut *THE SPAMMER*.
The spammed people also complain to ISP Z, and ISP Z tells the complainers
to stuff it, because (1) there is no PROOF that Company "A" actually did
the spamming, and (2) no offensive data was emitted by ISP Z's machines.
ISP Z gets RBLd, even though *ISP Z* was not a party to the spamming,
and ISP Z *never touched or emitted the spam*. Worse, what gets RBLd
is ISP Z's mail server, which (if Company A is web hosting there ONLY)
was not only uninvolved, but is irrelevant to the offense (since ISP Z
only sold Company "A" web service).
ISP Z has just had its business policies dictated by unrelated people and
NOT because they committed (either directly or through a customer acting
on their system) an offense - further, OTHER customers of ISP Z (who buy
mail service from them) have been harmed, even though (1) ISP Z wasn't
involved in the infraction, (2) Company "A" didn't do anything objectionable
*ON* ISP Z, or THROUGH ISP Z's equipment, and (3) the sanction is not in any
way related to the offense (ISP Z's mail service is damaged, although their
mail server was not abused, and in fact Company A doesn't get their mail
through ISP Z).

While your scenario is a distinct possible problem with a RBL-like
list, I don't think it's possible under the existing RBL rules and
procedures that exist.

[Please keep in mind in the following that I am not an RBL volunteer,
so I may be getting details wrong... Dave and Paul are on nanog and
can correct anything I misstate, though, I assume]

RBL policy is that they won't block anything more general than
is warranted by particular spam complaints and the subsequent
actions in response to those complaints or to a pattern of complaints.
For example, a bunch of complaints come in reporting that various
dialups spammed ads for, a masochist oriented porn site,
which is hosted on an IP address which is part of .
The proper procedure is that people complaining to RBL have to
have contacted and not gotten appropriate responses.
RBL people will (always?) contact for a final warning
and status check prior to the block, and will only block
the /32 corresponding to's actual IP address.
Thus, no customer other than biteme will be inconvenienced.

What begins to approach your scenario is the situation where has had a really significant number of customers
who did the same thing and refused to act appropriately about
any of them. At that point, (that point being defined somewhat
nebulously here, but bear with me), it changes from an innocent
ISP scenario to one where the ISP is acting as a knowledgeable
and culpable host to multiple spamming sites. At that point,
the ISP may be acted against as a whole, under current RBL rules.
But not before.

So yes, under (as I understand them) existing RBL rules, it is possible
for purely innocent parties to get bitten (other non-spam related
customers of if the ISP fails to respond properly
for a significant length of time and number of incidents.
I feel that's fair; if the ISP becomes the problem, then they
should feel some heat. As long as the criteria for the ISP
being RBLed as a whole are sufficiently demanding so ISPs that
are merely slow or not-entirely-cooperative don't get unnecessarily
RBLed, that makes sense to me.

-george william herbert I neither speak for nor work for CRL at this time.

>RBL policy is that they won't block anything more general than
>is warranted by particular spam complaints and the subsequent
>actions in response to those complaints or to a pattern of complaints.
>For example, a bunch of complaints come in reporting that various
>dialups spammed ads for, a masochist oriented porn site,
>which is hosted on an IP address which is part of .
>The proper procedure is that people complaining to RBL have to
>have contacted and not gotten appropriate responses.
>RBL people will (always?) contact for a final warning
>and status check prior to the block, and will only block
>the /32 corresponding to's actual IP address.
>Thus, no customer other than biteme will be inconvenienced.

That does nothing at all, since the only listener on's
address is a web server.

>So yes, under (as I understand them) existing RBL rules, it is possible
>for purely innocent parties to get bitten (other non-spam related
>customers of if the ISP fails to respond properly
>for a significant length of time and number of incidents.
>I feel that's fair; if the ISP becomes the problem, then they
>should feel some heat. As long as the criteria for the ISP
>being RBLed as a whole are sufficiently demanding so ISPs that
>are merely slow or not-entirely-cooperative don't get unnecessarily
>RBLed, that makes sense to me.

That's not the scenario that was postulated and led to the latest threat.