Back to Basics: Where does Spamhaus get off…
One of the more popular questions that comes up deals with ISPs using DNSBLs, especially Spamhaus lists. The question usually goes something like this:
Who are the operators of that list and what gives them the right to regulate commerce? Are they run by a government or something?
A Brief History of DNSBLs
The year is 1997. Spam wasn’t as bad as it would ever get, but it was increasing, and people were beginning to take notice. I got my start in email around this time after I got home one day in mid-1997 to discover 3 emails from people I knew out of 70-something emails that had arrived that day. Today, I laugh at those stats. I get a LOT more spam than that. But that’s what it took to push me over the edge.
Someone else who had decided that enough was enough was Paul Vixie. Paul was/is somewhat famous in Internet circles. He was the writer of a version of Vixie Cron. [Wikipedia contributors, Cron, Wikipedia (2017), https://en.wikipedia.org/w/index.php?title=Cron&oldid=759440834#Modern_versions (last visited Jun 18, 2024).] More importantly, he was a maintainer of BIND, one of the principal pieces of software used to translate domain names into IP addresses. [Wikipedia contributors, BIND, Wikipedia (2017), https://en.wikipedia.org/w/index.php?title=BIND&oldid=757586626#History (last visited Jun 18, 2024).]
Paul’s plan to deal with spam sources was to block all internet traffic to them. So, he created a list that would (when appropriately used) route all traffic into a “blackhole.” Thus, the RBL was born. People subscribed to the RBL because they trusted Paul and his judgment. A very short time after that, the list was moved from a shared list to a queryable format using the Domain Name System (for which BIND was then the primary piece of software).
Over time, other DNSBLs came into being. Some have lasted a long time but have little use. Others have become relatively widespread but lasted only a few months or years. Finally, some — like Spamhaus — have been in widespread use for a long time.
What sets them apart?
In a word, “trust.” According to The Radicati Group, in 2016, 215.3 billion messages were exchanged on the Internet every day, with that number expected to rise to 225 billion in 2017. [The Radicati Group, Email Statistics Report, 2016-2020, The Radicati Group (2016), http://www.radicati.com/wp/wp-content/uploads/2016/03/Email-Statistics-Report-2016-2020-Executive-Summary.pdf (last visited Jun 18, 2024).] Of course, the largest providers bear the brunt of those statistics.
Their users, though, expect to get their messages from Mom, Grandma, Aunt Helen and Uncle Jim, and from at least a few marketers about sales that they care about. If they don’t get those messages, they’ll either complain or they’ll simply change providers. When you’re in the business of providing eyeballs to advertisers, neither of those is good.
But, that’s a double-edged sword when it comes to getting data from third parties. You want someone who is aggressive enough that they will help you get rid of the really bad stuff, yet be conservative enough to not toss out grandma’s forwarded messages about the great things that her favorite politician is doing. In a word, you want someone you can trust — trust to get it right, and quickly and quietly fix things when they get it wrong.
What gives them the right?
No one does. Everyone does.
The fact is, they are trusted by their users to provide a service. That service comes in the format of data which the user can use or ignore. If the maintainer of the list gets it wrong too much of the time, is too difficult to deal with, or charges too much for their service, then they’ll be ignored and vanish into the dustbin of history. If they get it right, then they’ll grow and prosper.
They act much like organizations like Vericheck do in helping retailers decide which customers to accept checks from. The retailer can pay for that information and use it to make a decision about who it wants to do business with. The ISP can use the information from the DNSBL to make a decision about who it wants to accept mail from.
Neither of them is a government agency, but both can set terms that stop a transaction from happening.
What about standards?
Competent DNSBLs will publish their standards. Those standards will make sense. But, not all standards will be the same. Spamhaus tends to rely very heavily upon spamtraps. Spamcop tends to give lots of weight to user complaints. The standards are different, but their objective — to protect the inboxes of users — is the same. Because their objective is not to enforce the law, people need to understand that statutes and regulations will play very little role in what DNSBLs do.