Home / Blogs

Spamhaus Appeal: They Win on Substance

Protect your privacy:  Get NordVPN  [ Deal: 73% off 2-year plans + 3 extra months ]
10 facts about NordVPN that aren't commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN's servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

The Seventh Circuit has issued its opinion in the continuing saga of E360 Insight vs. the Spamhaus Project. While it is not a complete victory for Spamhaus, they did about as well as anyone could have hoped for under the circumstances. E360 won on the procedural issue, while Spamhaus won on the substance.

The procedural issue was whether the default judgement against Spamhaus was properly granted last September. The court session was so odd that the appeals decision quotes several pages of the transcript. Spamhaus got some dreadful legal advice, and their lawyers simply withdrew from the case in the middle of a hearing, at which point the judge, seeing no further opposition, granted the default judgement that E360 had already asked for. Spamhaus in their appeal offered a variety of arguments that they hadn’t been properly served and other technical defects, but the judge’s position, affirmed by the appeals court, was that Spamhaus’ lawyers were in court, they knew what the judge was going to do because he told them (it’s in the quoted part of the transcript), so tough, they waived their defenses when they walked out so the default stands.

Then the appeals court considered the amount of the judgement, $11 million, based on affidavits from E360’s David Linhardt that he would have gotten that much business if not for Spamhaus’ listing. After citing some precedents, the court threw out the entire $11 million in a few sentences, noting that his affidavit says nothing

about the status of his relationship with those businesses before e360 was listed on the ROKSO. That is, the affidavit claims profit loss in absolute numbers, but provides no information whatsoever to support a finding that such future profits were certain prior to Spamhaus’ act.

They remind the trial court that an award requires a standard of “reasonable certainty”, not a mere assertion by the plaintiff.

Finally, they turn to the injunction, which they take to pieces.

On its face, the relief awarded does not bear a legitimate relationship to the facts necessary to support the entry of a default judgment.

The court was supposed to accept the claims in the complaint as true, since Spamhaus defaulted, but those only claim that the initial listing was false. Should E360 keep spamming, Spamhaus is entitled to re-list them. Similarly, the requirement that Spamhaus continuously post a notice that E360 is not a spammer is flawed. Futhermore, the injunction says that Spamhaus can only re-list E360 if E360 has violated CAN SPAM, but the appeals court correctly observed that was never Spamhaus’ criterion in the past, and the court has no business making it their criterion in the future. They conclude by noting that the injunction probably has First Amendment problems, but since there’s already more than enough grounds to vacate the injunction, they don’t need to address them. Rather than trying to fix the injunction’s problems, they sent it back to the trial court with instructions to start over.

By my reading this is as close to a complete victory as Spamhaus could have hoped for. There was no chance the appeals court would throw out the default, since that would have been an invitation to every losing defendant in the midwest to tell their lawyers to withdraw so they could start the case over again. Beyond that, E360 now has no damages and no injunction, and a steep hill to climb to get either of them back.

To get damages, E360 will have to document their lost income, which I expect would mean they’d have to get affidavits from third parties saying (under penalty of perjury) that they were about to sign a million dollar contract for E360 to do their mail blasting until those Spamhaus meanies interfered. That seems unlikely, considering how reluctant E360 has been in the past year even to disclose who their actual customers are, in complaints that Spamhaus is blocking them in violation of the now-voided injunction.

As I read the decision, the only injunction that E360 is entitled to at this point is one forbidding Spamhaus from saying that E360 was spamming in September 2006. (Well, OK.) If they have been spamming since then, which I happen to know they have since they’ve sent quite a lot of it to users on my network, Spamhaus is free to re-list them, and any plausible injunction forbidding that would fail as prior restraint.

Judge Kocoras certainly had reason to be fed up with Spamhaus last September, but the appeals court quite strongly reminded him that even so, he has to follow the law, and he did not. Now that this case is on the appeals court’s radar, we can be sure that next time, he’ll be very, very careful to craft decisions that will stand up on appeal.

It’ll be interesting to see what E360 does next. I wouldn’t be astonished if they just gave up. The facts they’d need to reinstate the damages are unlikely to be available, and even if he came up with some basis for an ongoing injunction, there’s a whole round of First Amendment challenges that hasn’t even started yet.

By John Levine, Author, Consultant & Speaker

Filed Under

Comments

John Berryhill  –  Sep 4, 2007 11:12 PM

I wouldn’t be astonished if they just gave up.

I would be surprised if they gave up.  The decision doesn’t say that E360 is not entitled to monetary damages, and a customer list is cited to have been included in the affidavit that E360 provided.  The appeal decision merely states that there was an insufficient inquiry into the statement of damages, and does not suggest that E360 is not entitled to anything. 

The decision is clear that the issue of liability is not going to be re-opened.  At this point, it’s just a question of how much.

Spamhaus’ strategy in the lower court proceeding is unfathomable, though.

John Levine  –  Sep 5, 2007 2:32 AM

As I said, the appeals court reminded the trial court that E360 has to documenthis damages, which he hasn’t. Having read the affidavit (it’s not hard to find, you know, you don’t have to speculate), the largest chunk of damages, $9.2M, was for four companies that he claimed were about to do business with him.  I happen to know the management at one of those companies, the chances they would have hired him were somewhere between zero and forget it, and there’s no reason to think the other ones were any more real.

I agree that Spamhaus’ strategy was nuts. My best guess is that a lawyer wrongly told them that if they withdrew, E360 would have to serve their default judgment on them in England and they could refuse since US defaults aren’t enforcible in English courts.

John Berryhill  –  Sep 5, 2007 4:56 PM

As I said, the appeals court reminded the trial court that E360 has to documenthis damages

Right.  But there is no drawback to trying.  Given the possibility of getting “something” with no downside, opting for “something” in those circumstances would be Mr. Spock’s choice.  The district court still has a lot of discretion.  If you were a judge, and you had an attorney withdraw from the case in your courtroom, only to later have the defendant take your judgment up on appeal, you might not be highly impressed with this thing come back to your docket.

I’m not rooting for the plaintiff here by any means, but the recent Bodog.com shenanigans suggest that ignoring a US action when you just might have US contacts is not the best approach.

My best guess is that a lawyer wrongly told them that if they withdrew,E360 would have to serve their default judgment on them in England and they could refuse since US defaults aren’t enforcible in English courts.

That would have been a better strategy from the outset - simply not to appear and challenge enforcement in the UK.  But once they made an appearance in the case to remove it to federal court, instead of simply and solely objecting to jurisdiction, or even doing nothing, they severely compromised their ability to challenge enforcement.  They must have been thinking something, but I am ignorant as to what it might have been.

John Glube  –  Sep 7, 2007 1:03 AM

After listening to the oral arguments, I thought the Court of Appeals might have been persuaded to lift the default judgment, providing Spamhaus paid all of the Plaintiffs legal fees and expenses to date.

However, counsel for Plaintiffs strenuously opposed this approach, arguing forcefully in favor of keeping the default judgment in place.

It is fortunate that counsel did not follow the Court. At the same time, he was not able to persuade the Court that the default damage award and injunction should stand.

This resulted in a ruling which was the best that Spamhaus could achieve, without having to pay any money to the Plaintiff, as each side was ordered to bear its own costs on the Appeal.

(Cough … it is interesting to note that one of the lost contracts used by e360 to support the initial damage award involved doing affiliate mailings for eMarketmakers, part of what was then called Vendaregroup, a ROKSO listed entity.)

One point of clarification. You write:

As I read the decision, the only injunction that E360 is entitled to at this point is one forbidding Spamhaus from saying that E360 was spamming in September 2006. (Well, OK.)  If they have been spamming since then, which I happen to know they have since they’ve sent quite a lot of it to users on my network, Spamhaus is free to re-list them, and any plausible injunction forbidding that would fail as prior restraint.

Ah … we need to carefully read what the Appeals Court wrote:

In this case, the facts upon which the judgment is supported demonstrate only that at the time that Spamhaus initially posted that e360 was a “spammer”—the posting upon which the cause of action was based—the posting was false. That the label was
false when originally posted does not mean that, applying Spamhaus’ generally applicable criteria for determining what a spammer is, e360 ought to be given a free pass for all time.

Rather, it simply means that, whatever the initial factual basis Spamhaus had used to list e360 on the ROKSO, Spamhaus may not rely on that basis in the future. If Spamhaus were to discover additional evidence that e360 meets the ROKSO criteria and subsequently were to place e360 on the ROKSO on the basis of that new evidence, Spamhaus would be entitled to a separate judicial determination that this new label is in fact false and that it is liable for defamation.

The key statement is that “whatever the initial factual basis Spamhaus has used to list e360 on the ROKSO, Spamhaus may not rely on that basis in the future. “

So, Spamhaus has to have new factual evidence supporting that e360 is now “under the control of, or providing service to a known professional spam operation run by Brian Haberstroh / Atriks” or some other ROKSO listed entity, to justify a listing in ROKSO and Spamhaus “labeling” e360 as a spammer.

The ruling does not deal with Spamhaus simply listing e360 on the SBL. 

Following the Court’s logic, if Spamhaus has new evidence, consistent with its criteria, that justifies a new SBL listing, without any editorial comment or reference to the earlier ROKSO listings, “Spamhaus would be entitled to a separate judicial determination that this new listing is in fact false and that it is liable for defamation.”

That being said, the whole thing may be “moot.” The website for e360 has been off the air ever since the Court of Appeal came down with its judgment.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix