The Spamhaus Project

The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to take action against what they allege to be spammers. The correctness of this assessment by Spamhaus is regularly disputed. If the assessment is based on objective characteristics or on standards set by Spamhaus itself is disputed. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider, or other firm, which spams or knowingly provides service to spammers. Spamhaus has been criticized to purposely hide all direct methods of contact from its webpages to avoid transparency, while asking transparency from others

Anti-spam lists
The Spamhaus Project is responsible for compiling several widely used anti-spam lists. Many internet service providers and email servers use the lists to reduce the amount of spam that reaches their users. In 2006, the Spamhaus services protected 650 million email users, including the European Parliament, US Army, the White House and Microsoft, from billions of spam emails a day.

Spamhaus distributes the lists in the form of DNS-based blacklists (DNSBLs) and whitelists (DNSWLs). The lists are offered as a free public service to low-volume mail server operators on the internet. Commercial spam filtering services and other sites doing large numbers of queries must instead sign up for an rsync-based feed of these DNSBLs, which is called the "Datafeed Service." Spamhaus outlines the way its DNSBL technology works in a document called "Understanding DNSBL Filtering."

The Spamhaus Block List targets "verified spam sources (including spammers, spam gangs and spam support services)." Its goal is to list IP addresses belonging to, by Spamahaus' internal standards, alleged "spammers, spam operations, and spam-support services. The SBL's listings are partially based on the ROKSO index of known spammers.

The Exploits Block List  targets "illegal 3rd party exploits, including open proxies, worms/viruses with built-in spam engines, virus-infected PCs & servers and other types of trojan-horse exploits." That is to say it is a list of known open proxies and exploited computers being used to send spam and viruses. The XBL includes information gathered by Spamhaus as well as by other contributing DNSBL operations such as the Composite Blocking List (CBL).

The Policy Block List is similar to a Dialup Users List. It lists not only dynamic IP addresses but also static addresses that should not be sending email directly to third-party servers. Examples of such are an ISP's core routers, corporate users required by policy to send their email via company servers, and unassigned IP addresses. Much of the data is provided to Spamhaus by the organizations that control the IP address space, typically ISPs.

The Domain Block List was released in March 2010 and is a list of domain names, which is both a domain URI blocklist and RHSBL. It lists spam domains including spam payload URLs, spam sources and senders ("right-hand side"), known spammers and spam gangs, and phish, virus and malware-related sites. It later added a zone of "abused URL shorteners", a common way spammers insert links into spam emails.

The Botnet Controller List was released in June 2012 and is a list of IP addresses. It lists IP addresses of which Spamhaus personnel believe to be operated by cybercriminals for the exclusive purpose of hosting botnet Command&Control infrastructure. Such infrastructure is commonly used by cybercriminals to control malware infected computers.

The Composite SnowShoe List is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. Listings can be based on HELO greetings without an A record, generic looking rDNS or use of fake domains, which could indicate spambots or server misconfiguration. CSS is part of SBL.

The Spamhaus white list was released in October 2010 and was a whitelist of IPv4 and IPv6 addresses. This list was intended to allow mail servers to separate incoming email traffic into 3 categories: good, bad, and unknown. Only verified legitimate senders with clean reputations were approved for whitelisting and there were strict terms to keeping a Spamhaus Whitelist account.

The domain white list was released in October 2010 and was a whitelist of domain names. This list enables automatic certification of domains with DKIM signatures. Only verified legitimate senders with clean reputations were approved for whitelisting and there are strict terms to keeping a whitelist account.

Spamhaus also provides two combined lists. One is the SBL+XBL and the second is called "zen" and stylized in all caps, which combines all the Spamhaus IP address-based lists.

Register of known spam operations
The Spamhaus register of known spam operations is a database of spammers and spam operations who have been terminated from three or more ISPs due to spamming. It contains publicly sourced information about these persons and their domains, addresses and aliases.

This database allows ISPs to screen new customers, ensuring that listed spammers find it difficult to get hosting.

There is a special version available to law enforcement agencies, containing data on hundreds of spam gangs, with evidence, logs and information on illegal activities of these gangs considered too sensitive to publish in the public part of ROKSO.

Don't route or peer list
The Spamhaus DROP ("Don't Route Or Peer") lists are JSON files delineating CIDR blocks and ASNs that have been stolen or are otherwise "totally controlled by spammers or 100% spam hosting operations". They are intended to be incorporated in firewalls and routing equipment to drop all network traffic to and from the listed blocks. Spamhaus claims that additions to the lists are made only after investigation has determined that the network blocks or ASNs are controlled by cybercrime groups or hosting providers which either ignore abuse reports, or assist their customers in evading them. Because of the dynamic nature of allocations, the lists can change on a daily basis. Due to the threat posed to Internet users by traffic coming from these networks, the DROP lists are free for all to download and use.

Companies
The Spamhaus Group consists of a number of independent companies which focus on different aspects of Spamhaus anti-spam technology or provide services based around it. At the core is the Spamhaus Project SLU, a not-for-profit company based in Andorra which tracks spam sources and cyber threats such as phishing, malware and botnets and publishes free DNSBLs. Commercial services are managed by a British data delivery company Spamhaus Technology Ltd., based in London UK which manages data distribution services for large scale spam filter systems.

Awards

 * National Cyber Forensics Training Alliance 2008 Cyber Crime Fighter Award
 * Internet Service Providers Association's Internet Hero of 2003 Award
 * Greatest Contribution to anti-spam in the last 10 years presented to Spamhaus by Virus Bulletin Magazine.

e360 lawsuit
In September 2006, David Linhardt, the owner-operator of American bulk-emailing company "e360 Insight LLC", filed a lawsuit in Illinois USA against Spamhaus in the UK for blacklisting his bulk mailings. Spamhaus being a British organisation with no ties to Illinois or the U.S. had the case moved from the state court to the U.S. Federal District Court for the Northern District of Illinois and asked to have the case dismissed for obvious lack of jurisdiction. The Illinois court however, presided over by Judge Charles Kocoras, ignored the request for dismissal and proceeded with the case against British-based Spamhaus without considering the jurisdiction issue, prompting British MP Derek Wyatt to call for the judge to be suspended from office. Not having had its objection to jurisdiction examined, Spamhaus refused to participate in the U.S. case any further and withdrew its counsel. Judge Kocoras however, angry at Spamhaus having ‘walked out’ of his court, deemed British-based Spamhaus to have "technically accepted jurisdiction" by having initially responded at all, and awarded e360 a Default Judgement totalling US$11,715,000 in damages. Spamhaus subsequently announced that it would ignore the judgement because default judgements issued by U.S. courts without a trial "have no validity in the U.K. and cannot be enforced under the British legal system".

Following the default ruling in its favour, e360 filed a motion to attempt to force ICANN to remove the domain records of Spamhaus until the default judgement had been satisfied. This raised international issues regarding ICANN's unusual position as an American organization with worldwide responsibility for domain names, and ICANN protested that they had neither the ability nor the authority to remove the domain records of Spamhaus, which is a UK-based company. On 20 October 2006, Judge Kocoras issued a ruling denying e360's motion against ICANN, stating in his opinion that "there has been no indication that ICANN [is] not [an] independent entit[y] [from Spamhaus], thus preventing a conclusion that [it] is acting in concert" with Spamhaus and that the court had no authority over ICANN in this matter. The court further ruled that removing Spamhaus's domain name registration was a remedy that was "too broad to be warranted in this case", because it would "cut off all lawful online activities of Spamhaus via its existing domain name, not just those that are in contravention" of the default judgment. Kocoras concluded, "[w]hile we will not condone or tolerate noncompliance with a valid order of this court [i.e., Spamhaus' refusal to satisfy the default judgement] neither will we impose a sanction that does not correspond to the gravity of the offending conduct".

In 2007, Chicago law firm Jenner & Block LLP took up Spamhaus's case pro bono publico and successfully appealed the default ruling. The U.S. federal Court of Appeals for the Seventh Circuit vacated the damages award and remanded the matter back to the district court for a more extensive inquiry to determine damages.

Following the successful Appeal by Jenner & Block LLP in 2010 Judge Kocoras reduced the $11.7 million damages award to $27,002 —$1 for tortious interference with prospective economic advantage, $1 for claims of defamation, and $27,000 for "existing contracts".

Both parties appealed, but e360's case for increasing the damages was sharply criticized by Judge Richard Posner of the Seventh Circuit: "I have never seen such an incompetent presentation of a damages case," Posner said. "It's not only incompetent, it's grotesque. You've got damages jumping around from $11 million to $130 million to $122 million to $33 million. In fact, the damages are probably zero." and for a second time the Court of Appeals vacated the damages award.

Finally, on 2 September 2011 the Illinois court reduced the damages award to just $3 (three dollars) total, and ordered the plaintiff e360 to pay to Spamhaus the costs of the appeal for the defence.

In the course of these proceedings, in January 2008 e360 Insight LLC filed for bankruptcy and closed down, citing astronomical legal bills associated with this court case as the reason for its demise.

Spamhaus versus nic.at
In June 2007, Spamhaus requested the national domain registry of Austria, nic.at, to suspend a number of domains, claiming they were registered anonymously by phishing gangs for illegal bank phishing purposes. The registry nic.at rejected the request and argued that they would break Austrian law by suspending domains, even though the domains were used for criminal purposes, and demanded proof that the domains were registered under false identities. For some time the domains continued to phish holders of accounts at European banks. Finally, Spamhaus put the mail server of nic.at on their SBL spam blacklist under the SBL's policy "Knowingly Providing a Spam Support Service for Profit" for several days which caused interference of mail traffic at nic.at. All of the phishing domains in question have been since deleted or suspended by their DNS providers.

Blocking of Google Docs IPs
In August 2010, Spamhaus added some Google-controlled IP addresses used by Google Docs to its SBL spam list, due to Google Docs being a large source of uncontrolled spam. Google quickly fixed the problem and Spamhaus removed the listing. Though initially wrongly reported by some press to be IPs used by Gmail, later it was clarified that only Google Docs was blocked.

CyberBunker dispute and DDoS attack


In March 2013, CyberBunker, an internet provider named after its former headquarters in a surplus NATO bunker in the Netherlands that "offers anonymous hosting of anything except child porn and anything related to terrorism" was added to the Spamhaus blacklist used by email providers to weed out spam. Shortly afterwards, beginning on March 18, Spamhaus was the target of a distributed denial of service (DDoS) attack exploiting a long-known vulnerability in the Domain Name System (DNS) which permits origination of massive quantities of messages at devices owned by others using IP address spoofing. Devices exploited in the attack may be as simple as a cable converter box connected to the internet. The attack was of a previously unreported scale (peaking at 300 Gbit/s; an average large-scale attack might reach 50 Gbit/s, and the largest previous publicly reported attack was 100 Gbit/s) was launched against Spamhaus's DNS servers; the effects of the attack had lasted for over a week. Steve Linford, chief executive for Spamhaus, said that they had withstood the attack, using the assistance of other internet companies such as Google to absorb the excess traffic. Linford also claimed that the attack was being investigated by five different national cyber-police-forces around the world, later confirmed in news reports as being the FBI, Europol, the British National Crime Agency (NCA), the Dutch Police National High Tech Crime Unit (NHTCU), and the Spanish National Police. Spamhaus also hired Cloudflare, a DDoS mitigation company, to assist them by distributing their internet services across Cloudflare's worldwide network, after which the focus of the attack was redirected to the companies that provide Cloudflare's network connections.

Spamhaus alleged that CyberBunker, in cooperation with "criminal gangs" from Eastern Europe and Russia, was behind the attack; CyberBunker did not respond to the BBC's request for comment on the allegation; however, Sven Olaf Kamphuis, the owner of CyberBunker, posted to his Facebook account on 23 March "Yo anons, we could use a little help in shutting down illegal slander and blackmail censorship project 'spamhaus.org,' which thinks it can dictate its views on what should and should not be on the Internet." According to The New York Times Kamphuis also claimed to be the spokesman of the attackers, and said in a message "We are aware that this is one of the largest DDoS attacks the world had publicly seen", and that CyberBunker was retaliating against Spamhaus for "abusing their influence". The NYT added that security researcher Dan Kaminsky said "You can’t stop a DNS flood ... The only way to deal with this problem is to find the people doing it and arrest them".

The attack was attributed by network engineers to an anonymous group unhappy with Spamhaus, later identified by the victims of the attack as Stophaus, a loosely organized group of "bulletproof spam and malware hosters".

On 26 April 2013, the owner of CyberBunker, Sven Olaf Kamphuis, was arrested in Spain for his part in the attack on Spamhaus. He was held in jail for 55 days pending extradition to the Netherlands, was released pending trial, and was ultimately found guilty and sentenced to 240 days in jail, with the remaining days suspended.

The arrest of ‘Narko’: The British National Cyber Crime Unit revealed that a London schoolboy had been secretly arrested as part of a suspected organised crime gang responsible for the DDoS attacks. A briefing document giving details of the schoolboy's alleged involvement states: "The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies."

Ames v. The Spamhaus Project Ltd
In 2014, Spamhaus was sued by California-based entrepreneurs Craig Ames and Rob McGee, who were involved with a bulk email marketing services business, initially through a US corporation called Blackstar Media LLC, and later as employees of Blackstar Marketing, a subsidiary of the English company Adconion Media Group Limited, which bought Blackstar Media in April 2011. Although an initial motion by Spamhaus to strike out the claims failed, they ultimately prevailed when the claimants dropped their case and paid Spamhaus' legal costs.