What you don't know about Spamhaus

Most Internet users get spam and most hate spam. I hate spam. The stuff clogs inboxes and Internet connections. It uses up the network bandwidth of corporations and service providers. Generally, it is offensive and obscene and can be particularly problematic if it reaches children.

The anti-spam organisations build lists of mail server IP addresses they claim are known to send spam. These lists are better known as “blacklists”. In the aim of reducing spam, most anti-spam filters are set not to deliver any mail coming from IP addresses appearing on those blacklists or if the mail contains a domain name whose IP is on those blacklists.

I see two types of anti-spam organisations. On the one hand, there are reliable organisations that provide a way out for the falsely accused, and an opportunity for the accused parties to defend themselves. On the other hand, some organisations consist of a combination of moderates who are chasing real spammers and vigilantes who chase anyone using email in a commercial enterprise.

Although it is a noble goal to rid the Internet of spammers, I intend to prove on this page that the "anti-spam" organisation called Spamhaus has gone overboard in its misdirected and overzealous efforts, and threatens to cause substantial and irreparable harm to Internet users worldwide. They mix legitimate email marketers with those that rely solely on spam. At the same time, as they harm honest enterprises, they are rapidly growing their revenues for anti-spam products and services.

According to their website, this self-appointed anti-spam organisation that does not have any official government mandate is currently "protecting" over 1.4 billion user mailboxes and it is true that their blacklists are used by most anti-spam filters around the world.

If these lists were compiled and managed in an open, transparent, and accountable manner, it would be a good thing. But they are not. Not even slightly.

Once you have read this page, you will make up your own mind about their claims.

Since Spamhaus blacklists are used by most of the anti-spam filters around the world, most people think that this organisation would be professional.

After a thorough investigation, I will discuss a few common misconceptions about this organisation. I cannot post all my findings here, since my lawyers will bring them to court, but this is a summary of my knowledge about them:

7 Misconceptions about Spamhaus

1) Spamhaus is a giant organisation headquartered in Geneva with multiple offices and a team of "forensic specialists"...

- When you send an email to the Spamhaus admin email, you get an automatic reply from the "General Administration - Geneva, Switzerland".

On their website, they display the addresses of their "Head Office" in Geneva and their London office.
Both addresses are virtual offices. This means that they do not have physical offices at these locations. They are using an address provider which provides them with a business address they can use to receive their mail. This is nothing strange and in fact, many small businesses use this approach in order to minimise costs.

They say their "Head Office" is in Geneva, but according to my lawyer, their organisation is not registered at any official registration authority either in Geneva or anywhere else in Switzerland.

- Their website states that Spamhaus has a "dedicated team of investigators and forensic specialists"...

As far as we know, Spamhaus is managed only by one person: its director and owner who works from his boat. All the other people working for Spamhaus are volunteer "investigators" based around the world.
(This was the case at least a few months ago – I was not able to verify their current status.)

This is confirmed by an article from The New York Times about Spamhaus. Here is an extract:

“As *Mr Spamhaus Director* (I am intentionally omitting his name) walks his German shepherd, Zen, across the gangway from his houseboat into his prim little garden on this small island in the Thames, he hardly looks like a man in a battle over the future of cyberspace. He has a salt-and-pepper beard and a twinkle in his blue eyes, but the effect is more former hippie than Sean Connery.

After Zen gives a good bark at the ducks, the two return to the boat, and *Mr Spamhaus Director* climbs a spiral staircase into a sunny home office with nine computer screens piled on a black desk. This is the unlikely command center for the Spamhaus Project, one of the leading groups that is trying to make the world safe from junk e-mail.”

2) Their "investigators" are professionals...

I don’t know the current Spamhaus "investigators". What I do know is that one of their former "investigators"
(or "forensic specialists" as they call them) has a criminal history longer than both arms put together.
Among other allegations, the felon has been charged for domestic violence, trespassing, battery,
"exposure of sexual organs" and the list goes on... In total, thirteen different cases have been brought against him between 1985 and 2003.
This information was taken from public records and throws doubt upon Spamhaus’s recruitment methods.
How could you call such a felon a “forensic specialist”?

I will not post the name of this particular individual in this space, as I am not in the business of naming names (at least not here). We also have a message from the Spamhaus director in which he acknowledges this individual’s position as a Spamhaus "investigator".

3) Spamhaus is a transparent organisation...

In his book "Sex.com", author Kieren McCarthy describes techniques developed by the criminal Steve Cohen to hide funds and avoid responsibility, such as multiple businesses with the same name, wholly owned subsidiary businesses, and multiple offshore businesses to hide funds. Spamhaus seems to use the same techniques. While Spamhaus is run from the UK, it was held by "Spamhaus Logistics Corp", located in Mauritius, until a few months ago. In January 2010 the government of Mauritius changed the IBC company regulations to require Mauritius-registered companies to file financial accounts. Following those new regulations, Spamhaus moved their "official company domicile" to the Seychelles, since there are no requirements to file anything there.

4) Spamhaus is a non-profit organisation...

Well that may be true, but I have some concerns that would make such a claim difficult to believe.

- I do not know a lot of non-profits operating in the UK but held by offshore subsidiaries in Mauritius or in the Seychelles.

- It is currently written black on white on the Spamhaus website (as of October 22, 2010):
"Spamhaus does not conduct any business of any kind, does not sell any service or product, and does not enter into commercial contracts of any kind."
Well, I have an invoice on which Spamhaus charged a company with a yearly subscription fee of $14 500 for access to their DNSBL Datafeed. Indeed, they charge corporate organisations and ISPs a yearly subscription fee to access their anti-spam filtering system from faster servers. When the Spamhaus director was confronted about this discrepancy, he stated that the company responsible for charging those organisations is another entity which has nothing to do with Spamhaus. I don’t think so. The company charging the fees is named "Spamhaus Technology Ltd", and according to Companies house (the registration authority for UK organisations), the company's director is the Spamhaus director himself. The company's address is also the same as the address for Spamhaus.

- According to a company which brought Spamhaus to a U.S. federal court in 2006, the Spamhaus DNSBL service was bringing in revenue of at least $1.8 million per year at that time.
(I was not able to verify this information)

- According to the interview done by a New York Times reporter, the Spamhaus director and owner planned
"to move his home, business and Spamhaus to a 70-foot yacht that will travel, cove to cove, across the Adriatic..."
Only 70 foot... Not bad for an organisation that is supposed to be non-profit…

5) Spamhaus is immune from prosecution...

In 2006, an American court ordered Spamhaus to pay $11.7 million to e360 Insight LLC for illegal blacklisting. This was a default judgment because Spamhaus did not even care to defend themselves in court. They blatantly said they would ignore the judgment stating that "default judgments issued by U.S. courts without a trial are not recognised by courts of other countries". The fine has been reduced since then.

Here is the statement from e360Insight, LLC after the ruling: “This ruling confirms e360Insight's position that Spamhaus.org is a fanatical, vigilante organisation that operates in the United States with blatant disregard for U.S. law. In addition, e360Insight has proven that Spamhaus routinely exposes their customers and volunteers to extreme legal risk by continuing to engage in illegal blacklisting, defamation, extortion and blackmail in the name of fighting spam. Importantly, this ruling clearly establishes the validity of e360 Insight's legitimate business practices as a responsible, opt-in marketer”.

6) The Spamhaus blacklist is not harming innocent users...

I can prove the contrary:

The problem with the “shoot first, ask later” style of justice practised by Spamhaus is that a lot of innocent e-mail customers get caught in the crossfire. Remember, most anti-spam filters are set not to deliver any mail coming from IP addresses blacklisted in Spamhaus.

According to the many reports we found, thousands of ordinary Internet users have been badly affected by their actions.

Here are a few examples:

- In 2007, Spamhaus requested nic.at, the organisation responsible for Austrian “.at” domain names, to suppress fifteen .at domains, because according to Spamhaus, those had been used for phishing.
The Austrian organisation replied they could not comply with Spamhaus’s demands, because of registry terms and conditions and Austrian law. They made it clear they are in no way supporting phishing or spamming but since they are not a court, they are not in a legal position to simply delete the fifteen domain names indicated by Spamhaus.
The organisation said they have no direct contact with the domain name owners, since they are only the registry. Only the respective hosting providers (and DNS providers) could suspend the domains. Spamhaus decided to blacklist the whole IP range of the Austrian organisation after they received their negative response.

The Austrian organisation then released a statement titled "Cat and mouse game" (translated from the original text in German) in which they explained that each time they attempted to change their IP addresses for new ones, Spamhaus would blacklist the new addresses in a matter of hours. They tried to contact Spamhaus to find a solution but as usual, Spamhaus refused to resolve the situation and continued to blacklist the organisation IPs unilaterally and without notice.

The Austrian organisation conducted its own investigation and determined that the concerned domains had in fact been hacked and the real domain owners had nothing to do with the phishing attempts. The real domain owners did not notice that criminals had taken control of their domains. The respective hosting providers then corrected the security flaws to block any further phishing attempt and the situation was finally resolved. However, had the Austrian organisation complied with the Spamhaus demands, innocent people and ordinary businesses would have simply lost their domains. The CEO of the Austrian organisation later released a statement accusing Spamhaus of harassment and advised the organisation members to refrain from using the Spamhaus blacklists.
He also said that Spamhaus's actions represent a worrying precedent for the entire Internet economy.

Here is my comment regarding this debacle:
Most of the spam criminals are using the resources from infected computers or hacked servers to send their junk. Imagine you have a domain name and some of those criminals hack it for their own illicit activities.
There is no doubt that your hosting provider needs to resolve the situation so that your domain cannot be hacked again. But would you expect your domain registrar to simply delete your domain name instead of resolving the situation? What about a thief stealing your credit card and making a purchase with it? Would you be happy to pay for the purchase?

Important note:
Our facts come from the original statements given by the Austrian organisation and the articles from one of the leading Austrian newspapers who covered the story. Be careful what you read on the Internet about this issue.
For example, when you read the Wikipedia entry for Spamhaus, the explanation given for this "nic.at" issue contains false information which in all likelihood was placed there by Spamhaus or its supporters. To ensure their online encyclopaedia is as accurate and neutral as possible, Wikipedia requires links to citations coming from reliable external sources for each statement given on an entry. However, the statements given on the Spamhaus entry, regarding the nic.at issue, are linked to citations coming from the Spamhaus website itself, an action that violates the Wikipedia regulations. 

- Last year, Spamhaus locked Amazon's entire US-based EC2 cloud computing platform over the actions of what the organisation believes to be the acts of a single spammer.
The blacklisting resulted in significant disruption to hundreds of legitimate businesses that rely on the cloud platform in order to conduct business.
This example of an overzealous organisation that has been the source of significant disruption in business is further evidence that new anti-spam technologies must be implemented universally.

- A few months ago, the official registrar for Latvia domain names branded Spamhaus "impolite, arrogant and even rude" after Spamhaus added a large chunk of Latvian IP addresses to its blacklists. The registrar said that as a result "thousands of Internet users – academic users, state and municipal institutions, non-profit organisations, companies, and individuals" were cut off.

When a representative from a large ISP protested, saying they should not be blacklisted because they are one of the biggest ISPs in Latvia and are responsible for the Internet connection of most of the users in that country, Spamhaus replied: "OK. And Latvia is one of the smallest nations in the world".

Regarding the dispute in Latvia, a bemused Spamhaus later said that it had merely followed its normal procedures and the allegations of rudeness were the result of language barriers.

The government agency in charge of top level domains for Latvia released the following statement:
"No Internet user should be punished for the actions of another Internet user. As nations around the globe recognise that access to the internet is a basic human right, it is unacceptable to block access of those who have not committed any illegal or improper acts."

Large organisations are not the only bodies affected by the actions of Spamhaus. A lot of ordinary Internet users complain they have been unable to reach their customers, prospective clients, relatives or friends because their IP has mistakenly ended up on a Spamhaus blacklist.

For example, here is the message posted by a church minister from the USA:

"Can someone help me out? For nearly two weeks now I have had a substantial proportion of my email messages bounced back to me by the good offices of some organisation that calls itself spamhaus. Who are these people? (Their website is most unhelpful and does not welcome communication/queries.) I'm a minister and am now unable to communicate with a good number of my parishioners by email. I also have been unable to send email to my daughters at college. Each time the message comes bouncing back to me with spamhaus taking credit for doing a service for duty and humanity. I have sent messages to my ISP and to my congressman and am awaiting replies. I have also tried to get a message to spamhaus."

There are countless other complaints. This is only one of them.

Guilty by association...

When an IP is blacklisted by Spamhaus, all the websites sharing this IP are affected.

It is a common practice for hosting providers to assign a single IP for many different customers – this helps to minimise costs.

If your website is hosted next to someone who, Spamhaus says is spamming, there is a big chance that your emails won’t be delivered either and all this without your knowledge. You would be guilty by association.

This is the reason why most hosting providers will immediately suspend a website if Spamhaus suspects that spam was sent from this site IP address. The hosting providers do not have the time to investigate the matter on their own; otherwise all the customers on the blacklisted IP would be affected. If a hosting provider decides not to comply with the Spamhaus demands, they take the risk of having their entire IP range blacklisted...

If you are accused of spamming, you are not allowed to contact Spamhaus or to contest. Only your ISP (Internet service provider) can contact them, once they have terminated your account in order to remove the blacklisting.

7) The Spamhaus director (and owner) is well-intentioned...

I shall not comment on this claim, except by reproducing here a few extracts from some of the messages he wrote on which he displays “his power”:

"In case you really haven't understood, one email from Spamhaus to Artelecom is all that is necessary to suspend Asco System's service."

"Your friends at ... can laugh all they like but they look very foolish each time their line goes down."

"UceProtect have only idiots as users" (UceProtect is another anti-spam organisation)

Responding to a designer who had asked if there was a bona fide way of confirming a spamming party has been terminated, the Spamhaus director replied: "Yes, a photo of the gravestone will do."

From a message to the CEO of a marketing company: "What a clueless twit you are...you have no future except whatever job openings are going for you at KFC"

Speaking about somebody else regarding a lawsuit: "...had high hopes for it but couldn't organize a piss-up in a brewery".

To underscore the power of his blackmailing company: "I'm helping out ... by ensuring these websites are terminated by -CompanyX- today or -CompanyX- are not going to get much email out from midnight tonight".
(Company X is a hosting provider)

In other words, if CompanyX does not immediately terminate the websites of the particular client, Spamhaus will blacklist the company’s IPs until the websites are shut down. Since they and all their clients would be penalised by having the company’s IPs blacklisted by Spamhaus, CompanyX will have no other choice but to immediately shut down those websites without any investigation.

If that's not blackmail, what is?

You may view these as jokes, but I find it rather scary that this person controls an organisation that is "protecting" over 1.4 billion email users around the world.

Acting as judge, jury and executioner, Spamhaus uses every tool at its disposal to force companies to adhere to their judgments. Never mind that they make the judgment of your guilt in a way that makes it impossible for you to contest their decision. You are guilty without trial. On the basis of a single unsupported claim, a webmaster can find his website shut down without prior notice and without recourse. For a small start-up business, such a situation can be the straw that breaks their back. Small-business owners are the targets. And Spamhaus has been effective at doing violence to many.

Who is watching this organisation? Nobody. They are a sort of a free-floating policy-making bureau – perhaps well-meaning but not accountable to anyone in particular.

As if going after the real spammers wasn't enough, they have now taken on the task of going after software manufacturers (such as my company) making email programs that could conceivably be used for business-to-business email marketing purposes.

I think this organisation is driven not so much by a desire to combat spam – as most reasonable people would define it – but by an insatiable desire to impose its will on the entire Internet community.

As ISPs increasingly come to play the role of Internet Big Brother, innocent Internet users are being falsely accused of spamming -- and mistakenly punished. Anyone with an email account or a website is at risk, and Internet marketers are especially vulnerable.

Spamhaus claims to be "protecting" those ISPs from spam, but this "protection" is actually blackmail.
The nature of the vicarious thrill they get from this escapes me. This is real power and it appears to be used for its own sake. I advise everybody using them to stop supporting tem immediately. They are using the power you give them to take actions which are not right (in every meaning of the word).

I have already had to hire lawyers in three different countries to defend myself and my company against the fact that some of our emails were not reaching our own customers, due to the Spamhaus blacklists.

Now that my two-year long case is resolved in the Czech Republic, I hired a team of specialised lawyers in the UK to bring Spamhaus to justice, even though it is going to cost me a small fortune and it may take a long time before we arrive at the UK High Court, but I am now more determined than ever.

A notice to “cease and desist” has already been sent to Spamhaus and since they did not comply, we intend to start proceedings in the coming months.

I will finish this page with a quote from Kaiser Wahab, Juris Doctor in Law from Columbia University:

“With only 18 volunteers, Spamhaus’ operations are, naturally, almost entirely automated, thereby depriving a blacklisted party any real recourse, notice, or review. This is a very troubling proposition, considering the degree to which e-mail is relied on by any business from sole proprietors to multinationals. Consider the frustration and loss of business that can result if a sole proprietor import exporter’s e-mail is completely blacked out. [Spamhaus does not notify the alleged spammer at all. Instead, the blacklisted e-mail user must be lucky enough to spot the error message referencing Spamhaus in its e-mail client.]

Today, e-mail is a basic utility like water, electricity, and heat. It must be treated like a basic utility to assure that it is not summarily interrupted. Verizon and ConEd would not simply be able to turn off your phone service and heat without some kind of notification with some explanation of the basis and the process to rectify the problem. The law has evolved in most developed nations to assure that process is a key element in the administration of utilities. In this early phase of the spam war, critical thought must be invested before simply allowing third party entities to take matters into their own hands. While I applaud Spamhaus’ motivation, the potential for abuse and gross miscalculation is too severe to do otherwise.”

Comment regarding the informations on that page:

We have conducted a serious investigation and have solid proof for all the claims made on that page.

Oswald Bousseau