Opinion: Spamhaus - online censorship or fighters for a clean web?

Monopoly, abuse of power and selfish goals, or a helping hand in a sea of spam? Representatives from several internet companies sat down with tech journalist Lars "Ghandy" Sobiraj to discuss the controversial Spamhaus project. Adapted analysis under the cut.

Who is the Spamhaus Project

A quick web search reveals that Spamhaus is an international non-profit organization founded in 1998. However, according to the company's former CIO (read: spokesperson), Richard Cox, Spamhaus is a British limited company. At the time the interview with Cox was published (2011), Spamhaus was headquartered in Geneva. However, all information about the company is contradictory, inconsistent and mysterious.

Sven Olaf von Kamphuis (hereinafter referred to as SOvK), one of the founders of Cyberbunker, speaks about Spamhaus as unflatteringly as possible. According to him, Mr. Cox has been out of work for more than 20 years, if this person even exists. The project is allegedly controlled solely by Mr. Stephen John Linford and his wife Myra Peters. SOvK also suggests that non-profit organizations do not usually require representation in the Seychelles or Mauritius. The Cyberbunker co-founder also does not understand why so many journalists "fall in love" with the project - the media industry is largely responsible for the problems associated with Spamhaus. All information that the project passes to technology publications is usually published without any verification, SOvK continues.

Spamhaus Project Twitter account, almost 4000 followers

Judge and executioner rolled into one without any legal authority to do so

What immediately catches the eye is that, no matter how significant and reasonable the company's function may seem, the Spamhaus project has no legal basis for its activities. In addition, its activities have never been officially authorized by the state or the competent authorities: SOvK stresses that Spamhaus is not even a member of RIPE (Réseaux IP Européens - the European regulator that deals with the registration and distribution of resources on the Web). However, the outside world is under the impression that Spamhaus is a kind of "internet police" while, Kamphuis points out, the company itself "needs some police attention." He also says that the publication of much of the data on the Spamhaus website is illegal and violates data protection rights, and that the project should be prohibited from publishing any information about spammers. The problem, according to SOvK, is the publication of personal data in the Register Of Known Spam Operations (ROKSO). This data must be protected like other personal information, not to mention that the contents of the Spamhaus databases could not always be obtained legally.

Position of Roskomnadzor on Spamhaus in Russia

By the way, about the legality of the project. From letters in which Roskomnadzor explains its position on Spamhaus, it follows that the project's activities in the Russian Federation are illegal:

Apart from the entry of a site in the Register on the basis of the Law on Information, a court decision, or the specifics of the agreement with a subscriber (user) of telematic communication services, the carrier has no other grounds for restricting access to a site (network), including at the request of Spamhaus.

In the event that the telecom operator unlawfully restricts access to the site (network) to the subscriber (user) of telematic communication services, the operator's actions will contain signs of a violation of the contract with the subscriber.

How it was: Cyberbunker against the "Internet police"

In 2013, the conflict between the underground web host Cyberbunker and Spamhaus escalated. Spamhaus, then based in Switzerland, placed Cyberbunker on its blacklist due to the questionable activities of its clients and made the listing public. This was followed by one of the largest DDoS attacks in the history of the Internet: Spamhaus.org was bombarded with digital garbage at a rate of 75 Gbps. Because of its scope, the attack is said to have weakened global web traffic for a short time. In April 2013, the alleged perpetrator, SOvK, who was living in Spain at the time, received a visit from the local police. The computers, storage media and mobile phones of the man, identified by the prosecutor as Mr. K., were confiscated.

Spamhaus project - a book with seven seals

Regardless of the Cyberbunker case, we tried to find out what the Spamhaus project really is, as it's not clear from the information on their own site. Requests sent to the press address since the end of January 2020 have not received any response to date. Mr. Kamphuis claims that the non-profit limited company mentioned earlier was the only one Spamhaus had, but it was delisted in early 2020. The rest of the companies had no charitable goals. The upstream provider and backbone operator SquareFlow is suing Spamhaus. SquareFlow offers services similar to Cogent, HE, GTT, LibertyGlobal and others by hosting VPN services. Two SquareFlow Group executives responded to our inquiry on March 1, 2020:

We cannot afford to arbitrarily terminate a client, deny all services based solely on Spamhaus deeming them to be bad. Under net neutrality conditions, we cannot determine whether traffic is malicious or not without performing deep packet analysis, which, however, will seriously damage the privacy of our customers and their users. We are guided by the law, and not by the opinion of a third-party company that wants to dictate to the entire Internet who is allowed to work on the network and who is not. At this time, we have no evidence, no court order, or other reason to believe that our clients are engaging in malicious activity.

Due to the fact that we did not cooperate with Spamhaus, they made several attempts to damage the reputation of our company, our suppliers and partners. Under no circumstances can we or our customers be held liable for suspicion.

Intimidate, warn, force divide

Their attempts to influence entire networks can rightly be regarded as coercion, which is a criminal act in all EU countries. There have been several instances where Spamhaus has blacklisted entire networks of ISPs for a single client, forcing them to stop serving the undesirables. We believe that data privacy and anonymity are basic human rights. As a result, we will never blindly follow the unreasonable demands of Spamhaus or any other party that tries to dictate terms. Because of their actions, we have begun to take action against their business practices.

We also support our partners in litigation against Spamhaus, as Spamhaus is still trying to force us to stop serving some customers through appeals to our partners and suppliers, denouncing us as criminals for not complying with their requests, which is clearly an abuse of power. We hypothesize that their move to Andorra is due to their criminal behavior, which clashed with the British legal system.

Sincerely.
SquareFlow Group - Public Relations
On behalf of the Board of Directors: Wim B., Florian B.

Moving Spamhaus to Andorra

The Spamhaus project is now based in Andorra, a small state located in the Pyrenees, which, according to Wikipedia, is primarily known for its ski resorts, duty-free shops and tax haven status. It is important to note that Andorra is not part of the EU; relations between Andorra and the European Union are governed only by treaties.

It wasn't easy to get information about the new organization associated with Spamhaus, but in the end I managed to find the necessary information at the EUIPO (European Union Intellectual Property Office). The EUIPO data states that a company called Spamhaus IP Holdings SLU currently owns trademark #005703401, with a trademark registration date of February 8, 2007. The application for registration was filed by Boyes Turner LLP.

Spamhaus trademark registration details

Contacts are hidden for obvious reasons

Note from the translator

Finding something about the legal side of Spamhaus is really hard. Moreover, the information that is available on the surface is frankly not true. The only information available on the Spamhaus site itself regarding the location of the company concerns a trademark - the word "Spamhaus", which is registered in the EU.

ROKSO as a stumbling block

Apparently, the goal of the Spamhaus project was to find spammers. As already mentioned, spammer data is stored in the ROKSO database. However, given that this database is public, Spamhaus literally puts all suspects on a board of shame. Not only can you find a lot of personal data in the database, there are also messages from victims that are published without censorship. And since Spamhaus is based outside the EU, no consequences for the company under the GDPR can be expected.

ROKSO literally keeps a record of all suspicious activity, be it real spam or a simple mistake. Thus, there is no question of any presumption of innocence. It is also not possible to contact the company quickly. Their site does not have a phone number, an e-mail address, or even a feedback form for reaching support. Some fragmentary data can be obtained by carefully studying the FAQ. I tried to contact the company directly: from the end of January 2020 until the publication of the article [note: April 6 of the same year], no response was received to a single request.

Criticism of Spamhaus Blacklist (SBL) from VPN service nVPN

VPN provider nVpn criticizes the project for other reasons. The Spamhaus Blacklist (SBL) is a constantly updated database of IP addresses. Spamhaus strongly recommends not accepting e-mail from the addresses contained in the database. The company even claims that this database can be obtained in real time. The Spamhaus website states in the SBL section that the blacklist "allows mail server administrators to identify, flag, or block incoming connections from IP addresses that Spamhaus believes are associated with sending, hosting, or generating unsolicited bulk email." It also says that the SBL database is maintained by a dedicated team of investigators and forensic scientists from 10 countries who work around the clock to track down problems related to spam. However, exactly how identifying, checking, or even deleting records works internally is not explained.

nVpn always has issues with SBL records, causing hosting companies to threaten to terminate their contracts. For example, in January 2019, a representative from a hosting company in Albania told the company that their VPN servers had been taken down due to a “possible SBL hit.”

And this is not the only case. “Of course, something like this happens from time to time. Either the server is temporarily disabled due to entries in the SBL, or the companies simply cancel the contract completely. In the beginning (we specifically ask), they claim that there will be no problems with SBL, but once their entire IP range is blacklisted by Spamhaus, the situation changes. For example, this is how we lost our server in Nis, Serbia. This was just a few weeks ago. Luckily, the company provided us with a partial refund for the server rental, which was paid several months in advance. Spamhaus is really dangerous for VPN services, but we just have to live with it.”

The nVPN spokesperson continues:

We provide a VPN service without registration and are one of the few who offer customers the ability to open up to eight ports (TCP and UDP). It is inevitable that some attackers will try to abuse this feature for illegal purposes. Although we expressly state in our terms of service that such use is prohibited, this does not mean that all customers adhere to the rules. As a result, some of our prefixes ended up in EDROP. But in our opinion, an EDROP entry is not the end of the world, even if it blocks a few websites or one or more streaming services.

However, it still creates problems. Suppose we rented a server somewhere and created our own /24 subnet to advertise under the hosting company's ASN or under our own. Spamhaus contacts our hoster and asks to disconnect the client, that is, us. If the ISP doesn't honor their requests because they trust us, Spamhaus starts adding clean hoster prefixes to the SBL, causing all of its other clients to be unable to send mail. Then the company has no other choice and we are disconnected so that they do not have to suffer huge financial losses.

An example of a rejection letter from a host:

Hello,

Unfortunately, we can no longer host you on our network as Spamhaus has blacklisted all of our IP addresses due to your hosting with us.
Your server will be disabled on the last day of the lease without the possibility of renewal.
Please save a backup as soon as possible and switch to a different provider.

Best regards,
Vikas S.
(Director / Founder)
Skype: v **** vp *

Termination of services and refusal of further cooperation

nVpn claims to have lost a lot of servers in recent years due to uncooperative hosts. Eventually, it became difficult to find a company willing to accept them. nVpn provided Tarnkappe.info with a cease and desist order dated July 11, 2019. The letter from the Swiss hosting provider claims that the Spamhaus project will implement "criminal enforcement" - that is, forcing the provider to refuse to provide hosting to another company under pain of litigation.

An nVpn representative commented:

Sometimes Spamhaus doesn't hesitate to contact companies and demand that they no longer route our prefixes. But not everyone agrees with this. One such company decided to sue Spamhaus Ltd in the United Kingdom, where the project's official headquarters used to be. Back then, Spamhaus couldn't use Ltd in the name.

As a result of the proceedings, Spamhaus had to move its headquarters from the UK to Andorra.

Since then, nVpn has continued to receive notifications from SBL, but Spamhaus has finally stopped threatening their hosting providers. Spamhaus has also stopped responding to requests from the VPN service to delete records from the SBL, which means that numerous old records are no longer deleted and remain in the database, even if they are no longer relevant.

The VPN provider mentions that Spamhaus has helped reduce global spam in the past, which has been helpful. But over time, the project began to act in its own interest, publish the personal data of those on the list and manipulate hosting companies.

Critical questions still not answered

There are still many questions about the Spamhaus project that no one wants to answer. I sent a request three weeks ago to the American spam researcher and journalist Brian Krebs, and I have not received a response. Maybe the questions were too sharp, but this is not entirely clear. Inquiries have been sent to other companies, but almost no one knows the full history of the Spamhaus project.

About the author of the original article

Lars "Ghandy" Sobiraj

Lars Sobiraj started his career in 2000 as a writer for various computer magazines. He is the founder of Tarnkappe.info. Since 2014, Ghandy, as he calls himself on stage, has been teaching students at various universities and other educational institutions about how the Internet works.

From the translator

Spamhaus's activities have been covered on Habr more than once, and exclusively in a negative way. In Russia, Spamhaus hindered (and hinders) the work of both private companies and large hosting companies. In 2010, the whole of Latvia was blacklisted: then, in reply to complaints from one of the largest providers in the country, Spamhaus responded that Latvia is one of the smallest countries in the world, as if hinting. For some reason, the last posts related to Spamhaus are dated 2012-2013, although the company lives to this day. I think this unfair oblivion needs to be interrupted.

Source: habr.com
