Back to Basics: Where does Spamhaus get off…

11 January 2017

One of the more popular questions that come up deals with the use of DNSBLs[1] , especially Spamhaus’ lists, by ISPs[2] . The question usually goes something like this:

Who are the operators of that list and what gives them the right to regulate commerce? Are they run by a government or something?

A Brief History of DNSBLs

The year is 1997. Spam wasn’t as bad as it would ever get, but it was on the increase and people were beginning to take notice. I got my own start in email at around this time after I got home one day in mid-1997 to discover 3 emails from people I knew out of 70-something emails that had arrived that day. Today, I laugh at those stats. I get a LOT more spam than that. But, that’s what it took to push me over the edge.

Someone else who had decided that enough-was-enough was Paul Vixie. Paul was/is somewhat of a famous person in Internet circles. He was the writer of a version of Vixie cron and, more importantly, a maintainer of BIND, one of the principal pieces of software used to translate domain names into IP addresses.

Read moreThe Spock Trap

Paul’s plan to deal with spam sources was to block all internet traffic to them. So, he created a list which would (when appropriately used) route all traffic into a “blackhole.” Thus was born the RBL[3] . People subscribed to the RBL because they trusted Paul and his judgment. A very short time after that, the list was moved from a shared list to a queryable format using the Domain Name System (for which BIND was then the primary piece of software).

Over time, other DNSBLs came into being. Some have lasted a long time but have little use. Others have come into relatively widespread use but lasted only a few months or years. Finally, some — like Spamhaus — have been in widespread use for a very long time.

What sets them apart?

In a word, “trust.” In 2016 there were 215.3 billion messages exchanged on the internet every day, according to The Radicati Group, with that number expected to rise to 225 billion in 2017. The largest providers, of course, bear the brunt of those statistics.

Read moreBad Advice

Their users, though, expect to get their messages from Mom, Grandma, Aunt Helen and Uncle Jim, and from at least a few marketers about sales that they care about. If they don’t get those messages, they’ll either complain or they’ll simply change providers. When you’re in the business of providing eyeballs to advertisers, neither of those is good.

But, that’s a double-edged sword when it comes to getting data from third parties. You want someone who is aggressive enough that they will help you get rid of the really bad stuff, yet be conservative enough to not toss out grandma’s forwarded messages about the great things that her favorite politician is doing. In a word, you want someone you can trust — trust to get it right, and quickly and quietly fix things when they get it wrong.

What gives them the right?

No one does. Everyone does.

The fact is, they are trusted by their users to provide a service. That service comes in the format of data which the user can use or ignore. If the maintainer of the list gets it wrong too much of the time, is too difficult to deal with, or charges too much for their service, then they’ll be ignored and vanish into the dustbin of history. If they get it right, then they’ll grow and prosper.

They act much like organizations like Vericheck do in helping retailers decide which customers to accept checks from. The retailer can pay for that information and use it to make a decision about who it wants to do business with. The ISP can use the information from the DNSBL to make a decision about who it wants to accept mail from.

Neither of them is a government agency, but both can set terms that stop a transaction from happening.

What about standards?

Competent DNSBLs will publish their standards. Those standards will make sense. But, not all standards will be the same. Spamhaus tends to rely very heavily upon spamtraps. Spamcop tends to give lots of weight to user complaints. The standards are different, but their objective — to protect the inboxes of users — is the same. Because their objective is not to enforce the law, people need to understand that statutes and regulations will play very little role in what DNSBLs do.

Footnotes

  1. DNS-based Blocking Lists ^
  2. Internet Service Providers ^
  3. Realtime Blackhole List ^

Bibliography

  1. (2017, Jan 11). In Wikipedia. Retrieved January 11, 2017 from https://en.wikipedia.org/w/index.php?title=Cron&oldid=759440834#Modern_versions.
  2. (2017, Jan 11). In Wikipedia. Retrieved January 11, 2017 from https://en.wikipedia.org/w/index.php?title=BIND&oldid=757586626#History.
  3. The Radicati Group (2016, Mar 2). Retrieved January 11, 2017 from http://www.radicati.com/wp/wp-content/uploads/2016/03/Email-Statistics-Report-2016-2020-Executive-Summary.pdf.