Original URL: http://www.theregister.co.uk/2010/11/01/spamhaus_blocks_spamwise/

Spamhaus blocks fellow antispam outfit

Some whitehats more equal than others

By Dan Goodin

Posted in Security, 1st November 2010 19:00 GMT

Updated The owner of a spam-prevention website said it has been taken down following unfounded complaints from fellow anti-junkmail organization Spamhaus. Spamhaus strenuously denied the claim.

Spamwise.org owner Ian W. Rudge said the site and an unrelated property for his IT consultancy were taken down after their IP address was added to the Spamhaus Block List on October 24. He said US-based SiteGround.com, which had been hosting the sites, ultimately restored the business site but has refused to bring Spamwise back online because, it said in an email, it has been reported for “sending unsolicited email messages to a large number of recipients.”

Rudge said Spamwise aimed to alert webmasters who oversee the large number of sites that leak employee and member email addresses. Spammers routinely harvest the addresses for use in phishing and junkmail campaigns. A page on Spamwise allowed visitors to test whether a given site needlessly revealed addresses. The tool was set up to email the results only once to the webmaster, Rudge insisted.

Spamhaus CIO Richard Cox, said in an email to The Register that contrary to Rudge's claims, Spamwise didn't limit recipients of the automated emails to the actual webmaster. “His allowing random web users to initiate a scan of a website, and to cause automated mails to be sent to any addresses that were found there, is abusive,” Cox said.

Cox sent his response on Sunday, more than 48 hours after The Register asked for comment. It wasn't included in an earlier version of this article, because this reporter failed to notice that the message was caught in a spam filter.

Rudge said Spamhaus representatives told him his site was being blacklisted because the emails it generated were unsolicited. He said he explained that the emails were designed to raise awareness about a widespread practice that results in spam and that a website owner would never receive more than one. He went on to say that Spamhaus, in sending unsolicited notices to admins of unsecured SMTP email servers, does much the same thing.

“They test people's mail servers without permission, and they send a notice through the abuse address at that site,” Rudge, an Aberdeen, Scotland-based IT consultant, told The Register. “They don't ask permission to do that. That is completely unsolicited.”

He went on to say that, strictly speaking, the Spamhaus notices violate RFC 2142 because they are sent to addresses that are reserved for reports of “inappropriate public behavior” rather than security issues.

“They started saying I'm an idiot and don't understand the RFCs,” Rudge said. “I was just astounded.”

Spamhaus then stopped responding to him altogether, he said.

In his email, Cox maintained that Spamhaus's practices are fully compliant with RFC 2142.

“Spamhaus certainly does notify ISPs of issues on their network, but we adhere rigidly to the above standards: and the only mails that we send to ISPs are initiated by the manual action of an experienced analyst: with no form of scanning or automated detection involved at any stage,” he wrote. “Of course, we do have some – quite separate – automated systems, but they have never been configured to notify ISPs of issues they detect.”

Spamhaus CEO Steve Linford said in an email sent on Friday to The Reg that he had never heard of Spamwise, then added: “Jeez… I just did a Google for 'Spamwise' and found spammers sending spams to website owners to sell them a tool (Spamwise) to protect their sites. 'Fellow antispam site' my rear end :) Needless to say the domain spamwise.org is anonymous. There are many spam complaints about them.”

Rudge said the Spamwise tools have always been free. The site has performed about 20,000 tests, for which he has received just 20 complaints, suggesting a 0.1-percent complaint rate.

The dispute points up the darker side of ad hoc net police. While Spamhaus and most others work valiantly to fight malware, spam and other online menaces, they are accountable to no one and their actions are final, even as they have the ability to affect billions of people. No doubt, Spamhaus volunteers have done a lot of good over the years. But sometimes it's hard to know exactly whose interests the organization is protecting or whose set of facts are correct, as seems to be the case here. ®

This article was updated to add comments from Spamhaus.

The full text of the Spamhaus response is:

It's both difficult and disappointing to find someone who claims to be trying to prevent spam, actually ending up causing the very problem he says he wants to prevent. But, in addition to the spam sample we had received ourselves, we've checked and found that similar mails have been sent to numerous other people based solely on their own addresses being found on webpages. That falls unequivocally within the definition of "address scraping from the web" the product of which is illegal to use in many countries (including the UK and the USA). We really could not have let that continue unchecked as it was causing a lot of annoyance.

We would have much preferred to be able to offer Mr Rudge some advice on why that was a problem and how (if he wanted to notify people about this problem) he could have done so without causing so much annoyance. But in view of the general demeanour of his approach to us, we felt it unlikely that any attempts to explain the problems would have been well-received.

Had his system either validated the identity of the persons initiating the scan of a website, or limited the recipients of his automated mails to the actual webmaster - the one person that could fix the problem in each case - then we would have rather less concerns. But his allowing random web users to initiate a scan of a website, and to cause automated mails to be sent to any addresses that were found there, is abusive.

There was an added difficulty - in that Mr Rudge's claims of what his system was programmed to do, didn't match what our investigation found. The questions he asked us about "RFC2142" (which, inter alia, defines where email reports of problems should be sent) leave us uncertain just how much he does understand about general netiquette.

Spamhaus certainly does notify ISPs of issues on their network, but we adhere rigidly to the above standards: and the only mails that we send to ISPs are initiated by the manual action of an experienced analyst: with no form of scanning or automated detection involved at any stage. Of course we do have some - quite separate - automated systems, but they have never been configured to notify ISPs of issues they detect.

And, as Steve Linford pointed out earlier, we can hardly be said to have been "successfully sued" when the damages on two of the three counts in that claim were reduced to $2 on appeal - and the issue of damages on the third count is still with the Court of Appeal awaiting a decision. Few would consider recovering only $2 damages in a claim that probably cost the claimant tens of thousands of dollars to bring to court, to be a successful activity.