Not being a lawyer, maybe I’m wrong, but I don’t think at least according to the
Spanish law, that if anyone, a natural person, or an organization, provides a
service to inform “who seems to be a spammer” or “what IP addresses or blocks”
are frequently sending spam, if the natural person or the organization just
keeps something to prove that there was spam or any other kind of abuse, is
fine.
Otherwise, all those web pages that have public information about BGP hijacking
incidents, will be acting against the law as well.
*How* you use that information to create filters for your servers, is *your*
decision, not the organization providing that information source.
Note that I fully understand your point, I can think of it as “they have a
dominant position”. However, this is because they are trusted, not because they
have got a government contract or anything like that to have it.
If I start building a web page with all the spam, intrusion attempts, and other
abuse cases that I receive in any of the networks that I take care of, and cite in
the web page all those companies that don’t care about those abuse cases, and
across the years the community thinks “this is a valuable service, let’s use
it”. AND I can keep the records of why I listed them. Do you think I’m doing
anything illegal or wrong?
Of course I will be doing something wrong if I list organizations with fake
abuse reports, but not otherwise.
Regards,
Jordi
@jordipalet
On 8/7/20 16:47, "anti-abuse-wg on behalf of Alex de Joode"
wrote:
Jordi,
Transparency and accountability are key for services that act like a combined
privatised police, court and penal force.
Unfortunately Spamhaus does not deliver in that department. While the service
certainly has merit, they sometimes feel warranted to enforce policies that
hurt legal and valid business models like unmanaged hosting and cloud services,
vpn's or tor-exits just to name a few.
Judge, Jury and Executioner are 3 distinct roles in western democracies, this
is for a reason. As a lot of organisations use Spamhaus, this means they have a
fiduciary obligation to have clear and targeted policies, a speedy and
transparent complaints procedure and they need to provide some form of
arbitrage, just to ensure personal issues and preferences are not a factor.
To describe Spamhaus usage as "It is up to each individual or organization to
use them or not." fundamentally mislabels their position in the abuse handling
ecosystem. (it is a bit like arguing we have a working abuse@ mail address, but
do not handle abuse at all)
--
IDGARA | Alex de Joode | a...@idgara.nl | +31651108221 | Skype:adejoode
On Wed, 08-07-2020 15h 08min, JORDI PALET MARTINEZ via anti-abuse-wg
wrote:
On a couple of occasions (many years ago), some of the IPs under my
responsibility, were listed at spamhaus. I contacted them and got delisted, no
problem. Of course, after that I took measures so my IP addresses are never
involved even by accident, in any "bad" activity: it is my duty.
My conclusion is that it offers a good service, which I can use or not, it is
my decision.
I think services such as spamhaus are good, and I don't know if legally they
need to be "registered". I could, as a natural person, so no need for
registration if it is not a business (no incomes), make this kind of service, for
free, and for privacy reasons, and understanding that I may be damaging
high-level criminal activities, seek my personal and family protection by not
disclosing my real data.
I don't think there is anything wrong about that, because I'm not "forcing"
anyone to trust my service or use it, or anything similar. It is up to each
individual or organization to use them or not.
If ISP a, b, and c, are abusing my network in any way, and I decide to create a
public web page to list them, if I can keep the demonstration of that, there is
no court that can tell me "you're doing something illegal". I'm just telling
the world "those guys have abused my network, you can use it to filter them to
avoid having the same trouble", and I can do that in an anonymous way.
That said, I think it is a bad excuse to say that there is no login to protect
freedom of speech. You can do login but not provide that data to "bad"
governments. Only if your own country's LEA asks for it, because there was a
criminal activity on that connection you will need to provide the data. This is
the same for *any* other service. I can't agree that VPN's are a different
thing.
Note that I'm not trying to say if this or that service is good or bad, but to
say that rules are made for all.
Regards,
Jordi
@jordipalet