Facing Legal Challenge, Blackhole List Closes

by Jim Wagner

How is an IT administrator rewarded for fighting spam and reporting a vulnerability in Lotus Domino servers? With an court injunction and possible jail time, for starters...ORBZ Goes The Way Of ORBS

Fearing jail time, the owner of a popular "blackhole" project pulled the plug Wednesday.

In an e-mail notice to members of his open relay blackhole zone (ORBZ) discussion list, Ian Gulliver told his flock he was shutting down immediately rather than turn over documents to the 10th Judicial District Court in Michigan.

ORBZ is one of many blacklist organizations on the Internet today: a controversial, though legal, method of blocking open relay servers that route spam and unsolicited commercial e-mails (UCE). By publishing a list of known IP addresses using open relays Internet service providers (ISPs) are able to block e-mails from that domain to its customers.

"I was happy to try to weather any civil issues that may have come up, and I was committed to seeing it through," Gulliver said in his farewell notice. "However, the threat of jail time is too much; I don't believe in this fight quite that much. I sincerely hope that someone with the goal of carrying on the mission of ORBZ pops up in another country with a less foreboding legal system."

A copy of court records was unavailable at press time to see the particulars of the injunction, which called for Gulliver to hand over all documents related to ORBZ or shut down.

On the surface, it seems a victory for bulk e-mailing companies and anti-anti-spam groups who are blocked by ISPs and other Internet providers around the world, but the issues surrounding the situation paint a different picture.

It seems one of Gulliver's tests to validate whether a server is really an open relay or not was causing Lotus Domino machines to crash. One of 10 or so e-mail tests routinely conducted, the code in one was causing Domino SMTP servers to enter an endless mail loop, consuming 100 percent of the CPU and putting it out of commission.

Laura Atkins, newly installed president of the non-profit anti-spam outfit SpamCon Foundation, said the code changes needed to correct the bug was "trivial" but one Gulliver, for one reason or another, was unwilling to correct.

"When you run a blacklist, you need to be responsible and you need to be considerate of the other servers," she said. "The overall impression I'm getting is he knew the bug was there and he just decided he wasn't going to do anything. If his test happened to crash a Lotus server, then it wasn't his fault."

But on the other side of the coin, many point the blame to Lotus developers who have been slow to correct a vulnerability Gulliver himself reported to Bugtraq back in August 2001.

Tim Jackson, a programmer posting to Slashdot.org on the ORBZ shutdown, said the whole situation was depressing and all-too-familiar in a high-tech world filled with its share of buggy equipment and products.

"Of course, if common sense prevailed, it would be the mail server vendor in court for producing insecure mail server software, not a third party for happening to send requests that unintentionally crash poorly-written servers," he posted to the site.

Regardless of who's to blame, experts concur the mess will only drive a wedge between a service seen by many as essential in slowing down the increasing flow of spam and those companies who profit from UCEs.

Walter Yurkanin, a lawyer specializing in Internet law at Mahoney, Silverman & Cross in Joliet, IL, said it's too bad both parties were not able to come to the table to work out the issues.

"Incidences such as this just create animosity that makes it harder for the process to work the way it was intended. Blacklist owners have to assess what their real motivations are, and if their motivation is not to assist they need to take a look at what makes the process work."

This article was originally published on Wednesday Mar 20th 2002