The Spamhaus Project – online censorship or online warriors? (opinion)
Monopoly, misuse of power or a helping hand across the web? The creators of a rather small VPN provider named nVpn criticize The Spamhaus Project heavily, but also reasonably. They say that the organization, whose mission is to defeat spam, is wrongly seen as a non-governmental non-profit organization. In reality, they say, it is a single-member company which more or less voluntarily moved its place of business to Andorra. The founder of the original Cyberbunker also has a very clear stance on the Spamhaus topic. This comment is an attempt to summarize all useful information. As an exception, we have mixed opinions and plain facts.
Who or what is The Spamhaus Project?
Different sources on the web state that The Spamhaus Project is an internationally active non-profit organization. Spamhaus was founded way back in 1998. In the age of the Internet, 22 years are an eternity. According to a statement made to the newspaper iX by Richard Cox, who back then was the organization’s CIO (the primary company spokesman as well as superintendent of technology), Spamhaus is a British Limited Company. In the year the interview was published (2011), the headquarters were in Geneva. Despite that, all information about the organization is as contradictory and inconsistent as it is enigmatic.
Sven Olaf von Kamphuis (SOvK), founder of the original Cyberbunker, is furious about the company’s business practices. According to him, Mr. Cox has been out of the business for over 20 years. Possibly the person does not even exist, SOvK speculates. The Spamhaus Project is allegedly operated solely by Mr. Stephen John Linf*rd and his wife, Myra Pe-t-ers. Philanthropic organizations would also not require an establishment in the Seychelles or Mauritius, he explains in a chat. The Cyberbunker co-founder from the Netherlands goes on: it is virtually incomprehensible why journalists „fall“ for the project. According to SOvK, press inquiries are answered by different persons or companies, which allegedly do not even exist. By his account, the media industry is responsible for a large part of the misery: everything The Spamhaus Project reports to technology-centered newspapers is published without further verification. If one assumes that the Cyberbunker should be assessed critically, since its operators apparently did not take provider liability and the business model of their clients too seriously, one should also take a closer look at Spamhaus, says the fleeing network expert, who claims to reside in Spain.
Judge and executioner in one person without any legal mandate to do so?
What immediately stands out: as meaningful and reasonable as the function of the association may be, The Spamhaus Project has no judicial permission for its business practices. Nor were the company’s activities ever officially commissioned by a state or a governing authority. Kamphuis grumbles that Spamhaus is not even a member of RIPE (Réseaux IP Européens, the issuer of IP address space within Europe), which would validate its activities. Nevertheless, the impression is given to the outside world that Spamhaus is a kind of „Internet police“. SOvK emphasizes that, according to him, the organization could “need some police attention” itself. He also says that the publication of a large amount of data on the Spamhaus website is illegal and violates data protection rights. The project’s publication of all information on spammers should be prohibited. „Whois data simply doesn’t belong there“. The problem lies in the publication of private data in the Register Of Known Spam Operations (ROKSO). Spamhaus has made a name for itself across multiple countries in recent years. According to the critic from the Netherlands, information from databases is also worth protecting. Not to mention a possible violation of copyright or of terms of service while retrieving data for ROKSO, the Block List etc., which SOvK speaks of.
Background: web host Cyberbunker vs. „Internet police“?
In 2013, the dispute between the bulletproof web host Cyberbunker and the self-appointed overseers of the Internet escalated. The Spamhaus Project, which was then based in Switzerland, had put Cyberbunker on its blacklist due to the conspicuous activities of Cyberbunker’s customers and made this publicly known. What followed was one of the largest DDoS attacks in the history of the web. Spamhaus.org was bombarded with 75 Gbit/s of digital garbage. Due to its size, the attack is said to have impaired global web traffic for a short time. In April 2013, the alleged perpetrator received a visit from the Spanish police. The computers, storage media and mobile phones of the man, who was referred to as Mr. K. by the public prosecutor, were confiscated. Here is a short video with Sven Olaf, which Russia Today (RT) published shortly before the authorities stormed in.
Russia Today: Conversation with Sven Olaf Von Kamphuis, the former CEO of the cyberbunker.
The Spamhaus Project – a book with seven seals
Unrelated to the Cyberbunker case, we tried to find out who or what The Spamhaus Project actually is, as this is not clear from the information on their own website. To date, there has been no response to our press inquiries from the end of January 2020. Mr. Kamphuis claims that Spamhaus had the only non-profit British Limited Company, mentioned earlier, struck off the register at the beginning of 2020. All other companies would have no charitable purpose. According to our knowledge, the upstream provider and backbone operator SquareFlow has taken legal action against Spamhaus. SquareFlow offers similar services to Cogent, HE, GTT, LibertyGlobal etc., where several VPN services are hosted. Two executives of the SquareFlow Group replied to our request on March 1st, 2020 as follows:
„By no means can we randomly terminate a customer, including all their services, based upon Spamhaus „believing“ them to be bad actors. In net neutrality, we are unable to distinguish which traffic might be malicious or not, unless we perform deep packet analysis, which would however severely hurt the privacy of our customers and their users. We abide by the law, not some party that wants to dictate over all internet companies and decide who should be allowed to participate on the internet or not, with a history where even personal issues lead their opinions. At this point, we do not have any proof nor any court orders nor any reason to believe that our customer is misbehaving.
As a result of not being cooperative with Spamhaus, they have made several attempts to harm the reputation of our company, as well as made several attempts to get our network impaired by suppliers and partners, by contacting various parties and claiming we are fully responsible for the actions of the users of our customers. By no means can we nor our customers be held liable for possibly having misbehaving parties further down the stream (users or customers of them). Spamhaus contacts everyone within the chain and escalates as they see fit, harming fully innocent parties.“
Intimidate, warn, force disconnection?
„Their attempts to get whole networks disconnected from the internet can legally be seen as coercion, which is an act of crime in every EU country. There have been several incidents where Spamhaus has blacklisted whole provider networks for a single customer, to force them on their knees for not cooperating with their demands to terminate services to random customers of theirs. To conclude, Spamhaus tries to get total dictatorial control over the internet by trying to force unrelated parties on their knees, so all that remains is what Spamhaus wants or approves of. We do believe that privacy and anonymity are base human rights. As a result, we will never blindly follow baseless demands by Spamhaus or any other party that tries dictating over the internet. As a result of their attempts, we started taking action against their business practices.
We also have supported partners of ours in legal action against Spamhaus, as Spamhaus attempted (and still attempts) to coerce us into terminating said customer’s services, but also reaches out to our partners and suppliers declaring us as criminal for not following their requests, which very clearly is nothing less than abuse of their power. We can merely suggest that their move to Andorra is related to their (criminal) behavior which might have collided with the legal system in their previous country and obviously other parties there that might have used said legal system against them due to their business practices. (…)
With kind regards.
SquareFlow Group – Public Relations
In the name of the board of directors: Wim B., Florian B.“
Andorra: known for good snow, inexpensive PO boxes & fewer legal hurdles
The Spamhaus Project is now based in the Principality of Andorra. Andorra is a small state located in the Pyrenees, which, according to Wikipedia, is primarily known for its ski resorts, duty-free shopping and status as a tax haven. It is important to mention that Andorra is not part of the EU. Relations between Andorra and the European Union are only regulated through treaties. Finding information about Spamhaus is anything but easy. After a long back and forth, we finally found what we were looking for in the trademark register of the EUIPO (the EU’s office for intellectual property). The registration with EUIPO only shows that an organization called Spamhaus IP Holdings S.L.U. currently owns the trademark number 005703401. According to EUIPO, the registration date for the design mark was February 8, 2007. The application was filed by the British law firm Boyes Turner LLP. Additional contact details were not disclosed there (possibly on purpose). Otherwise the operators could, for example, get bombarded with senseless phone calls. The website has also been fairly well protected against DDoS attacks.
ROKSO as a stumbling block
The Spamhaus Project has apparently made it its goal to identify the bad actors behind the mass distribution of unsolicited advertising mail. As already stated above, this is done in the ROKSO database, which is supposed to reveal the suspected miscreants behind the bulk spam mailings. Spamhaus literally puts the suspects in the pillory. In addition to a lot of personal data, you get an insight into the messages of various victims, which are cited uncensored. Is there no data protection for suspected spammers? GDPR, what was that again, please? Since the organization is now outside the EU, no legal consequences have to be expected in the medium to long term.
The presumption of innocence, one of the basic principles of our constitutional criminal proceedings, is apparently not adhered to either. In other words: is there a public interest in the names, addresses, etc.? Why does Spamhaus publish the data of the perpetrators in ROKSO unabridged, while being even more interested in protecting its very own contact details? It almost seems as if the operators are applying double standards.
Why? Because on their website Spamhaus.org there is no address for service (of summons / process), no e-mail address, no telephone number etc. Even the country from which they operate is not specified there. If you look more closely, you will find fragments of the information in the FAQ.
nVpn criticizes The Spamhaus Block List (SBL)
The VPN provider nVpn criticizes the project for other reasons. The Spamhaus Block List (SBL) is a constantly updated database of IP addresses. Spamhaus strongly advises against accepting electronic mail from these IP addresses. They even advertise that said database can be queried in real time. The Spamhaus website states that the SBL „allows mail server administrators to identify, mark or block incoming connections from IP addresses which Spamhaus believes are related to the sending, hosting or creation of undesirable mass e-mail messages (also called „spam“). The SBL database is maintained by a dedicated team of investigators and forensics experts in 10 countries who work around the clock to list new confirmed spam problems and, equally importantly, to delist resolved problems.”
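How a mail server queries a DNS blocklist such as the SBL in real time, as an added example that is not part of the original article and not Spamhaus's own code: the connecting address is reversed and looked up under the list's zone (RFC 5782). The zone name and the return-code meanings are assumptions taken from Spamhaus's public DNSBL documentation, not from this page, and the sample addresses are constructed.

```python
import ipaddress
import socket

ZONE = "sbl.spamhaus.org"  # assumption: public SBL zone name, not given on the page

# Assumption: return-code meanings per Spamhaus's published DNSBL documentation.
LISTED = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.9": "DROP/EDROP"}
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # query errors, not listings
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed address labels followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6 is queried nibble by nibble, least significant nibble first.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])


def classify(answers):
    """Turn the A records of a DNSBL reply into a decision.

    No answer (NXDOMAIN) means the address is not listed. An answer in
    127.255.255.0/24 means the query itself was refused or malformed; treating
    it as a listing would reject mail from every sender, so it is an error.
    """
    if not answers:
        return ("not_listed", [])
    codes = [ipaddress.ip_address(a) for a in answers]
    errors = [str(c) for c in codes if c in ERRORS or c not in LOOPBACK]
    if errors:
        return ("error", errors)  # also catches wildcarded or hijacked zones
    return ("listed", sorted(LISTED.get(str(c), "unknown:" + str(c)) for c in codes))


def check(ip, zone=ZONE):
    """Live lookup; needs network access and a resolver allowed to query the zone."""
    try:
        _, _, answers = socket.gethostbyname_ex(query_name(ip, zone))
    except socket.gaierror:
        # NXDOMAIN lands here, but so do resolver failures: this fails open.
        answers = []
    return classify(answers)
```

Because a listing covers whatever range the list operator entered, every customer sending mail from a listed prefix gets the same "listed" answer, which is the collateral effect the hosting companies in this article describe.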
How exactly the determination, checking or even deletion of the entries works, however, is not explained on the Spamhaus website. According to their own statements, the operators of nVpn constantly have problems with these entries. Hosting companies are up in arms and threaten to terminate their contracts. As early as January 2019, a spokesman informed us that their VPN servers in Albania had meanwhile been shut down “probably because of an SBL entry“. The reason for this is quickly explained. The hosting company’s support team could not respond, whilst the users of nVpn complained to the provider that they could no longer connect to the Albanian server.
However, this was not an exception. “Of course, something like this happens again and again, that a server is temporarily disconnected due to SBL entries or that the companies cancel the contract entirely. At the start (because we specifically ask), they claim to have no problem with SBL, but once their entire IP ranges end up on Spamhaus’s blacklist, things start looking differently. For example, we lost our server in Niš / Serbia just a few weeks ago for exactly this reason. Fortunately, the company gave us a partial refund for the server rental that had been paid months in advance. Spamhaus is really dangerous for us as a VPN service, but we just have to live with it. Simply closing all forwarded ports, as the majority of VPN providers now do, is not an option in our view.“
Everyone who does not capitulate immediately is a bulletproof hoster?
The spokesman extends his criticism.
„If you run a non-logging VPN service that, like us, is one of the very few that offers its customers the option of opening up to eight ports (TCP & UDP), it is inevitable that some miscreants will try to abuse the feature for illicit purposes. Although we explicitly state in our terms of service that such use is prohibited, it does not mean that all customers adhere to it. As a result, some of our prefixes have been put on Spamhaus’s EDROP over time. Spamhaus incorrectly accuses us of „bulletproof hosting“, which is not the case as we do not host anything on our servers other than VPN software. In our view, an EDROP entry is not the end of the world, even if it blocks a few websites and one or the other streaming service.
What has, however, proved to be really problematic: let’s assume that we rented a server somewhere and brought our own /24 subnet to announce it either under the ASN (autonomous system number) of the hosting company or under our own ASN. Spamhaus then contacted the company in question and asked for the customer, i.e. us, to be disconnected. If providers did not follow their requests because they trusted us, and not Spamhaus’s contrary belief, that we are a VPN service provider and not a „bulletproof hoster“, Spamhaus began to put clean prefixes of the companies in question on the SBL, resulting in all other customers no longer being able to send emails. The companies then had no choice but to terminate our services so that they would not have to sustain massive financial losses.“
Example of such email:
„Unfortunately we can not host you on our network as Spamhaus have blacklisted all of our IPs for hosting your IP/network.
Your server will be cancelled on its end date and will not be renewed.
Kindly take your backup asap and move to another provider.
Skype : v****vp*“
Reaching the goal with cease-and-desist orders?
nVpn claims to have lost many servers for that reason in recent years. In the end, there was hardly a company willing to host them. nVpn presented Tarnkappe.info with a cease-and-desist order dated July 11, 2019. The letter, from the Swiss hosting provider concerned, claims that The Spamhaus Project carries out “criminal coercion“. The spokesman for nVpn commented: “Sometimes Spamhaus did not shy away from contacting the higher upstreams as well and also requiring them not to route our prefixes anymore. Not everyone put up with this, however. One started against the Spamhaus Ltd in the United Kingdom, where the official headquarters was previously. (whereas they did not have to include the „Ltd.“ in their name).“
As a result, Spamhaus later moved its headquarters to Andorra.
„Since then we have still received SBL notifications, but they finally stopped threatening our hosting partners and upstreams. Spamhaus no longer responds to our requests to remove SBL entries, which means that numerous older entries are no longer removed and still in place, even though they are long invalid. (…)
It is certainly worth mentioning that Spamhaus has helped to reduce the global spam volume in the past, but they keep going too far. This includes not only the publication of the names and addresses of some serious bad spammers, but also attempts at coercion against hosting companies that are willing to host us. In my opinion it is important that the business practices of this organization are made public.“
No answers to many critical questions
There are still many questions about the case of „The Spamhaus Project“ that nobody wants to answer. Almost three weeks ago, we emailed a press inquiry to the US spam researcher and journalist Brian Krebs and received no response. Maybe our questions were too critical, we don’t know. We asked around at many other companies. Nobody knows anything about the background. A lot of things seem nebulous, and the company remains silent.
For instance, it would be interesting to know who commissioned them or authorized their actions. What is the motivation to free the Internet from spam? Last but not least: who are the sponsors of this project? Somehow you have to finance yourself. Admittedly, the activity of Spamhaus makes a lot of sense. But it is certainly also very time-consuming …
Feature photo: No Junk Mail – Kilkenny, Ireland 2019. Photo shot by Lars Sobiraj.