The black hole of death: beware, it could engulf you

Computer Technology Review, March, 2003 by Mark Rasch

We all hate spam. The dozens, if not hundreds, of emails you receive promising new investment opportunities in Nigeria, refinancing your house or attracting men or women. They are more than annoying--they cost time, resources and in cases when you are accessing email through wireless or other "pay per Kb" services, money. In many cases they violate state laws, such as the Washington state "do not spam" law.

To combat this problem, many companies have turned to entities that compile so-called "black hole" lists--lists of IP addresses of "known spammers." The companies then use these lists to block email to and from this range of IP addresses in the hope of temporarily blocking the mountains of spam their employees may receive. The "do not spam" list compilers also provide lists of domains--rather than simply IP addresses--from which the spam purports to have originated. These domains in turn are blocked from sending and receiving email to the enterprise that subscribes to the list. All well and good. But what if they have the wrong address?

Increasingly, spammers are infiltrating computer networks and bouncing email through unsuspecting corporate mail servers. They do this either to avoid being put on black hole lists themselves, to obtain a "friendly" email address, or to fool recipients about the source of the email. Thus, AOL/Time-Warner's Money magazine domain money.com is a fruitful email suffix for spam related to financial transactions, and Playboy Enterprise's play-boy.com is an enticing domain for sexually related email. Also, under the theory that you are more likely to open email that appears to originate from someone you know, spammers and worm writers alike are sending messages that appear to originate from inside your own company, with headers such as "important message from HR" or "About Your Job."

The spammers need not actually penetrate the corporate email system to generate these false headers. if the corporate email server is penetrated, the IP address information will falsely show that the email originated from inside the company. If the email system is not penetrated, the IP information will show the actual source (well, at least the last place the email was bounced through), but the header will falsely show that the email came from inside a particular company.

Many states have passed various types of anti-spam laws. Many of these statutes fine spammers who send email to persons who are not existing clients--usually on an "opt out" basis. Some states also have laws that prohibit false, fraudulent or misleading email messages-- messages that falsely indicate their actual source or subject. FTC and various consumer protection statutes prohibit false and deceptive trade practices, and likely could be used to cover most kinds of spam solicitations.

Companies have mainly focused on the problem of preventing inbound spam. But increasingly the problem for companies has been that of outbound spam. When spam appears to originate from an unsuspecting site, the company suffers injury to reputation and good will. Moreover, they run the risk of being placed on one of these "black hole" lists.

The black hole lists are managed by a loose confederation of anti-spam zealots, dedicated "public servants" and marketers attempting to sell a service. They are wholly unregulated, and make their own rules about who to list and de-list from their service. Essentially, their decision whether to "black hole" your company may be dictated based on whether or not you accede to their demands, and whether or not they like you or your product or service. If you appear to be "arrogant" or "uncooperative'' to them (and by them, it could simply be one person running such a list), you can be prevented from sending email to your clients or customers. The problem can be even worse if the black hole list operator perceives that you are somehow truly at fault for the spam--either because he or she feels you did not take enough steps to prevent the misuse of your email system, or because you were, in fact, the source of the spam.

Who appointed these guardians of the electronic superhighway? Who set the rules under which they may decide to tell companies to block or unblock your email? The answer is, of course, only the marketplace. Companies that buy these lists must look carefully at the standards employed by the list compilers to make sure they are not blocking legitimate email, and therefore preventing legitimate business.

But what recourse do the companies have when they find themselves in the black hole of death? They can try to placate or appease the list maker with a series of "mea culpas" and hope that the list maker removes them out of the kindness of his or her heart. Or, of course, they can sue. The law recognizes a civil action for "tortuous interference with a business relationship." In essence, this is a lawsuit saying that the list maker is wrongfully interfering with the company's relationship with its clients and customers by preventing the company from communicating with these clients.