Home / Blogs

Spam Fighting: Lessons from Jack Bauer?

Terry Zink

As I blogged about several months ago, as did numerous other anti-spam bloggers, David Ritz was sued by Jeffrey Reynolds and a judge in North Dakota agreed with Reynolds. At the heart of the case was that Ritz engaged in anti-spam activities using techniques known only to a small subset of advanced computer users, and used these techniques maliciously against Reynolds.

A couple of years ago, I reviewed the book Spam Kings. Back in the olden days of spam fighting, some anti-spammers used to use malicious techniques against spammers in order to shut them down. Maybe they'd break into their web servers and disable them, maybe they'd flood the spammers' email addresses with unsolicited mail or cripple their operations with DOS attacks. Regardless, the point is that they would use illegal techniques to shut down spammers. The idea was to fight fire with fire. Spammers are annoying? Then you have to get your hands dirty to shut them down. Some people on anti-spam discussion forums cheered the moves; others said that spam fighters could not resort to the level of the spammers themselves.

Last night (Jan 11, 2009), I was watching the premiere of 24, Season 7. In the opening scenes, Jack Bauer is brought to Washington and is being interrogated by a Senate subcommittee on charges that he tortured various terror suspects and therefore broke United States law banning torture. Bauer even admits that he broke the Geneva Conventions. To escalate the tension, the Senator asks Bauer if he thinks he is above the law.

24 is all about drama. Bauer looks at the Senator, and says (and I paraphrase) "Don't give me that smug look. These people who try to attack us don't play by your rules. I did what I had to do in order to protect the people of this nation and I will answer to them." Bauer is quite unrepentant in his beliefs that while he did break the law, he did it to protect the citizens of the country and he does not apologize for it. Bauer gets results (the Senator did not watch the previous six seasons of the show).

Spam fighting would never be the focus of an episode of 24. It's not quite that glamorous. But the philosophical issues Bauer brings up are valid — if anti-spam fighters start engaging in dubious tactics to shut down nefarious spam operations, how apologetic should they be? Should they (we) even sink to a level of questionable ethics?

Let's say that a web site is discovered that is selling counterfeit pharmaceutical products, an activity that is quite illegal. Some hackers can take down the site in a matter of minutes using a DOS attack. Should we do it?

A spam operation is sending out stock spam, illegally pumping and dumping a penny stock traded on the pink sheets. An anti-spam operation can break into their servers used to send email and shut it down. Should we do it?

There are plenty of examples of spam, botnets and viruses used for illegal activity, from fake university degrees (fraud) to porn operations (exploiting underage children). In some of these cases, these types of activities can be reverse engineered and shut down. Obviously, by approaching the proper authorities, many of them can be deactivated. However, sometimes the proper authorities lack the knowledge or the willpower to stop supporting all of this stuff. The McColo incident is a prime example; if we knew for so long that McColo could have taken have the spam world off-line, why did it take so long? Could somebody just have gone and cut off the power to the building? Would that have been right or wrong?

It's a philosophical problem — how much are we willing to put up with when it comes to spam, and what levels should we sink to? And who should we answer to? The security industry? Or the end users we are acting in the name of to protect?

By Terry Zink, Program Manager. More blog posts from Terry Zink can also be read here.

Related topics: Cyberattack, Cybercrime, Cybersecurity, Email, Law, Policy & Regulation, Spam


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


As an example, how would know what Joe xx  –  Jan 12, 2009 6:21 PM PDT

As an example, how would know what pharms are counterfiet?  Were tests run, do you have evidence, sworn statements?  Can you even specify the exact law that was broken?  But I am sure you "know" the answers to all these questions.  I am also sure Mr. Baeur "knows" every one of those people he discussed were "terrorists" ... I mean terrorist "suspects."

What it basically boils down to is that these people are above the law because they "know" what is right.

Please! Take it easy on shutting power Michael Roberts  –  Jan 12, 2009 9:11 PM PDT

Please! Take it easy on shutting power to that data center, my server is in the building.

Please leave Ritz out of this John Levine  –  Jan 13, 2009 1:22 PM PDT

Regardless of what you might think about vigilante anti-spam techniques, the Ritz case was a travesty of justice.  The "advanced" technique that the judge was bamboozled into interpreting as a malicious attack was an ordinary DNS zone transfer request, something that sys admins have routinely done for decades.

So what happened after he a zone Joe xx  –  Jan 13, 2009 4:10 PM PDT

So what happened after he a zone transfer?  I am sure that was not the end of it or it would not be in court.

More on Ritz John Levine  –  Jan 13, 2009 4:15 PM PDT

See this CircleID post from a year ago:


If you follow the link in the Joe xx  –  Jan 14, 2009 7:33 AM PDT

If you follow the link in the post to the actual decision you can read the truth:


The truth is the court did not determine zone transfers to be illegal, it said using zone transfers and other methods to break into a private network is illegal.  A quote:

" The Court need not determine whether a normal, single DNS query is authorized within the meaning of the statute. Even if there had been any authorization for a such a DNS query or lookup, Ritz exceeded that authorization in violation of the statute by conducting a zone transfer and attempting further access."

This is similar to using burglary tools.  Courts don't say use of the tools themselves is a crime but using them to break into private property is.  The guy also violated a court order not to this.

This is not "anti-spam activities," this is hacking into a private network and committing computer crimes.

Really, leave Ritz out of it John Levine  –  Jan 14, 2009 8:04 AM PDT

This is not "anti-spam activities," this is hacking into a private network and committing computer crimes.

Yes, that's the ridiculous misinterpretation of Ritz' perfectly normal actions that the court was bamboozled into accepting. The parties in this case both have long histories online, and if you look at the background of the case, it's crystal clear who is the good guy and who is the bad guy.  It is rare for a state court to get a case as wrong as this one did, but the actual facts speak for themselves.

To me anti-spam activities means complaining to Joe xx  –  Jan 14, 2009 10:24 AM PDT

To me anti-spam activities means complaining to the provider, complaining to the business being advertised, complaining to law enforcement, or suing in court.

This guy made zone transfers in order to map the internal network and then he went and attacked the network using this information.  He used proxies to try to hide his identity and defied a court order.  If he had used the zone transfers and traceroutes merely to complain to the provider or collect evidence for court what he did seems perfectly fine.  However, the info was used to break into the network and that is what was deemed to be illegal.  This seems like the proper decision to me.

As for the spammer, this situation does not say one way or the other whether he is "good" or "bad."

What the antispammer should have done was collect the evidence and seek an injunction to shut the network down.  Instead, he took matters into his own hands.  Who knows what kind of trouble can be caused if people started running around doing this stuff on their own based on their own belief of who is "bad."

More lies about the Ritz case John Levine  –  Jan 14, 2009 10:43 AM PDT

This guy made zone transfers in order to map the internal network and then he went and attacked the network using this information.  He used proxies to try to hide his identity and defied a court order.

David did do a routine zone transfer to try and identify the hosts that Reynolds was using to spew usenet spam, but he did none of the other things you accuse him of.  If he had not been near death in a coma in the hospital when Reynolds sued him, he'd have been able to respond more successfully.  Incidentally, Reynolds was the provider; his goal in his SLAPP suits has been to hide that fact.

I really wish you would inform yourself better rather than just parrot the false accusations in this case.  Also see

Not like you to reply to random anonymous trolls, John .. Suresh Ramasubramanian  –  Jan 17, 2009 8:24 AM PDT

Wish circleid had a killfile.

finding of fact Joe xx  –  Jan 18, 2009 12:04 AM PDT

I read from the finding of fact issued by the court but i am sure I can more information from a bunch of hysterical posts.  And I see everybody is a "troll" who points out facts.

Some notes Terry Zink  –  Jan 18, 2009 1:23 AM PDT

When I alluded to the Ritz case, I was not implying I agreed with the ruling against him.  Rather, I was framing my post by loosely painting it against a backdrop of a real life situation.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Mobile Internet

Sponsored by Afilias Mobile & Web Services


Sponsored by Verisign

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC

Promoted Posts

Buying or Selling IPv4 Addresses?

Discover ACCELR/8, a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Join Neustar's Town Hall Meeting and Help Shape the Future Of .US

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals