In case you haven't been following the news, a United States federal judge for the Northern District of Illinois recently issued a proposed order that instructs ICANN to place a hold on the domain name of The Spamhaus Project, a nonprofit firm based in England. The international political ramifications of such an order, should it be enforced, are obviously quite severe and are the cause of much valid concern. But while the judge is stretching the bounds of reason and temperance with this order,
In case you haven't been following the news, a United States federal judge for the Northern District of Illinois recently issued a proposed order that instructs ICANN to place a hold on the domain name of The Spamhaus Project, a nonprofit firm based in England. The international political ramifications of such an order, should it be enforced, are obviously quite severe and are the cause of much valid concern. But while the judge is stretching the bounds of reason and temperance with this order, he also left an "out" for Spamhaus, which the organization blithely chose not to take. If we are to avoid an international incident here, Spamhaus is probably the one that should blink.Spamhaus is an international volunteer organization whose members contribute to lists of known bad e-mail senders, such as the "SBL" (a simple list of known active spam sources) and the "XBL" (a list of known active exploit sources, including virus and phish senders). By using the SBL and/or XBL lists, administrators can filter or penalize known bad e-mail before it ever hits the users' inboxes (disclaimer: I use the SBL+XBL lists here, to great effect).
Separately, Spamhaus also maintains a database called "ROKSO," which is a list of the 200 most egregious full-time spam operators. The IP addresses of ROKSO "members" are automatically added to the SBL.
In June of this year, David Linhardt filed suit against Spamhaus in Cook County, Illinois, alleging that he was included in the Spamhaus ROKSO list and that his business was negatively affected as a result of that inclusion. A temporary restraining order against Spamhaus was subsequently issued [PDF], which required Spamhaus to delist Mr. Linhardt from ROKSO pending trial (note that Spamhaus says Mr. Linhardt is not and has never been listed in ROKSO).
The case was subsequently refiled with the Northern District of Illinois, but Spamhaus chose not to present argument in that court. As a matter of inevitability, a default judgment against Spamhaus was handed down on September 13th, awarding damages and legal fees to Mr. Linhardt and demanding that Spamhaus delist Mr. Linhardt from all Spamhaus lists, cease interfering with delivery of his e-mail messages, and more [PDF].
Spamhaus maintains that the court has no jurisdiction over Spamhaus since it has no operations in the U.S., so it simply chose to ignore the injunction. As others have argued, this is a remarkably bad decision on its part, given that the judgment will likely follow Spamhaus and its principals in perpetuity, with possibly severe implications. Worse, its belligerence has angered the judge, who has since issued a proposed order [PDF] to ICANN demanding that the Spamhaus.org domain name be delisted from the ORG registry.
Although ICANN is trying to avoid this by pleading that it doesn't have the means or authority to impose such a sanction, the fact of the matter is that ICANN can be made to implement just such a patch if it comes down to it. ICANN is a U.S.-based contractor for the U.S. Department of Commerce, and both those organizations are subject to the U.S. federal judiciary, so implementation is just a matter of time and not a question of authority. This point also seems to be lost on Steve Linford, chief executive of Spamhaus, who writes, "We believe a government agency would have to step in before it happened." Sorry, Steve, the judicial branch is independent in the United States, and no U.S. government agency has the power to "step in," regardless of how much they would like to.
Thankfully, this is just a "proposed order" right now and isn't yet a real order, so we may yet be able to reach some sort of peaceful outcome here (presumably this is the reason why the judge is brandishing the threat, instead of simply forcing the matter outright). I believe the judge has even delivered an out, which Spamhaus can take, if it would merely show up in court and present the argument.
In particular, the original default injunctive order states that Spamhaus must not interfere with Mr. Linhardt's e-mail messages "...unless Spamhaus can demonstrate by clear and convincing evidence that Plaintiffs have violated relevant United States law." Well, that should be easy enough--there are millions of people who have received his spam, and it seems to be in violation of the CAN-SPAM act as I know it (and the judge might know it, too). Once demonstrated, the injunction would be partially lifted automatically. Better yet, affected parties could then pursue damages against Mr. Linhardt of their own, thus forcing him to back down.
The problem here is that Spamhaus isn't subject to U.S. jurisdiction (as it has argued itself) and so isn't eligible for relief under the CAN-SPAM act, either. Instead, it needs a U.S.-based partner to pursue this angle on its behalf. Worse, due to the way that the CAN-SPAM act is written, only certain parties can sue for damages, which further limits the pool of potential partners. However, many of the organizations that are eligible for relief are also some of Spamhaus' biggest beneficiaries (namely the ISPs that rely most on its filters), and so there should be a natural pool of willing partners for Spamhaus to choose from.
All told, Spamhaus should delist Mr. Linhardt's address and otherwise comply with as much of the injunction as possible, while simultaneously pursuing counterclaims by way of partners. The Spamhaus project is far too valuable to lose, and we also need to avoid an international showdown over whose laws will govern the DNS. It seems that the judge has presented a solution, and it would benefit almost all parties for ego to be set aside and the problem resolved through the legal channels.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.