Spamhaus Calls for Fining Operators of Insecure Servers
Barence writes "Anti-spam outfit Spamhaus has called on the UK government to fine those who are running Internet infrastructure that could be exploited by criminals. Those who leave open Domain Name Server resolvers vulnerable to attack should be fined, if they have previously received a warning, said chief information officer of Spamhaus, Richard Cox. When Spamhaus was hit by a massive distributed DDoS, possibly the biggest ever recorded at more than 300Gbits/sec, open DNS resolvers were used to amplify the hit, which was aimed at one of the organization's upstream partners. 'Once they know it can be used for attacks and fraud, that should be an offense,' Cox said. 'You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.'"
Another cure that is worse than the disease (Score:5, Interesting)
This sounds great in theory but, in practice, it's going to be almost impossible to enforce (eg whose definition of 'vulnerable'?) and it would promptly create several new Internet plagues, eg the "Your server has a vulnerability, pay us now to stop us reporting it" spam email.
Re: (Score:2)
I would have thought having an SMTP server which does unintended open relaying fits everyone's definition of vulnerable.
Re: (Score:2)
Not if your intent is to offer access to dissidents in oppressed countries.
I can see a lot of unintended consequences.
Re: (Score:2)
There are lots of options for that which don't leave your server free for abuse. Besides, any sane email server is set to start blocking mail from such sources after they're blacklisted anyway..
Re: (Score:3)
It doesn't. Not needing any credentials at all is quite different from duplicitously stealing existing user credentials or otherwise illegally gaining access to their servers.
Re: (Score:3, Interesting)
I disagree. This is a classic example of making [stupid|apathy] hurt. In this case, the hurt is financial, but the effect is there.
If a company can't be arsed to protect their systems to prevent it, they need to pay for it. If a person (or small business) can't be arsed to have an IT person, either part-time or contracted out through an agency to secure their systems, then they need to pay the price. If that same SMB relies upon their vendor/provider for security, and they fail to deliver, it's time to find
Re: (Score:3)
I disagree 100% - It's not hard at all.
Checklist of known vulnerabilities -> if your server is suspected of sending huge volumes of spam and fails -> fines after a 2nd or 3rd notice of these failures. It establishes a baseline of "don't be a fuckup with managing your servers".
Re:Another cure that is worse than the disease (Score:5, Insightful)
If your server is sending huge volumes of spam then it is actually doing something, not just sitting there being vulnerable. Fining someone for being involved in sending spam is completely different than fining someone because they could potentially be used to send spam.
Re: (Score:2)
They're also talking about DNS servers or any other sort of server. Then there's the question of what to do about zero day problems.
Re: (Score:2)
I don't think you can reasonably hold people accountable for zero days, especially when the government is encouraging them to be so plentiful. So I agree, it needs more specificity and more definitions - but that doesn't make this simply impossible if technical people are involved.
Given the government involved though, I would say it's impossible for *them* to understand, yes.
Re: (Score:2)
I run my own incoming E-mail server at home. However, the incoming and outgoing mechanisms are pretty separate.
Incoming port 25 goes through the usual anti-spam measures.
Outgoing port 25 goes to either my ISP's SMTP server or a dedicated third party. Either way, Bog forbid and my server starts sending UCE, -outgoing- spam is corked, and I'm far more worried about spam coming from my domain than to it.
I wonder... (Score:2)
I wonder if "open relays" are even that much of a problem these days when I can hire non-"p0wnd" servers in certain Eastern European countries for a pittance? Why bother with "open relays" when I can pay quite reasonable rates to have my SPAM enter the Tubes quite legitimately?
Perhaps Spamhaus is looking for relevancy.
Re:I wonder... (Score:4, Insightful)
The way I read the summary it sounded like Spamhaus was seeking revenge over being subjected to a DDoS and desiring to use government to enact it.
Re:Another cure that is worse than the disease (Score:5, Informative)
You are merely lucky. I run 3 small mail servers, all very similar in setup. One also receives no spam whatsoever; the other two are flooded by it. I need to use Spamhaus's XBL, SPF and greylisting to stem the tide. If I removed any of the three, SPAM volume would exceed regular mail volume about 20x. (This is not because of a lack of regular mail.)
Re: (Score:2)
20X seems to be a fairly normal rate of spam based on what I've seen at the organizations I've worked for, with spikes up to about 40X.
Re: (Score:2)
Post your email right into the text here, and see how long that lasts...
Re: (Score:2)
This isn't so much about spam anymore, but about massive DDOS attacks. I even admit I had a few systems with wrongly configured DNS servers; they were used in DNS amplification attacks, and I would have loved to know about it before they were used for that. All fixed now.
Except it's not fixed.
Of course, this makes NO sense if it gets adopted in the UK only; it needs to be enacted at least for the USA + Canada + European Union countries to make any sense!
It's sort of like the Kyoto protocol.
Political solutions to technical problems is exactly what the Internet needs.
very clear in context, and easy configuration fix (Score:2)
While it's certainly possible for Pelosi or her UK counterpart to pass a dumb law so that they can find out what's in it, I don't think that's what Spamhaus is suggesting. In context, they could be talking about either of two things:
First, one could get a ticket for the specific issue that caused the problem in the article. The law doesn't say "your car must be safe", it explicitly says "your turn signals must work". Same here, you could specifically say that this particular common problem could result i
Re: (Score:2)
If we let the legislature come up with the checklist, they'll tell us we must have a licensed plumber snake the tubes every 6 months.
Re: (Score:2)
I'll agree to the fine, providing there is an equally onerous one for every RBL's that wrongfully put IPs on their lists.
same for Slashdot "foes" list? (Score:2)
Should you be fined if you put someone on your Slashdot "foes" list? It's pretty much the same thing. It's a list of IPs that Spamhaus is wary of because their system detected [criteria].
As it happens, some of their lists also works pretty well as an element to feed Spamassassin to help determine the likelihood that a message is spam. How that's weighted and if it's considered at all is entirely up to the admin of the system you're sending mail to.
Re: (Score:2)
You enforce it after the breach. There was a DDOS attack, they investigate, find out you were running things years out of date or whatever, then the fines kick in. Much like how it's illegal to not use a seat-belt in the US. They can't really look in every car and be sure as it's driving down the road. But if you get pulled over for something else or you get into an accident that's when you usually get a ticket for it.
Then the fine makes for good evidence in a legal case against the company by whomever was
Re: (Score:2)
You enforce it after the breach. There was a DDOS attack, they investigate, find out you were running things years out of date or whatever, then the fines kick in. Much like how it's illegal to not use a seat-belt in the US. They can't really look in every car and be sure as it's driving down the road. But if you get pulled over for something else or you get into an accident that's when you usually get a ticket for it.
Then the fine makes for good evidence in a legal case against the company by whomever was attacked.
Think about that for a moment... It's totally unenforceable because nobody is legally obligated to keep a full version-control of every setting, piece of software, or chunk of code they're running, so unless the law requires them to continue running with "vulnerabilities" in place until an investigator can record them for fine-tallying purpose then it is extremely unlikely that any fine will ever actually be assessed because in the end the sorts of shops that run open-relays and rootable DNS servers aren't
Re: (Score:2)
Another cure that is worse than the disease
Ha! I've used that to describe spamhaus and their minions... Years ago I had a client who ended up getting blocked randomly because (drumroll please) spamhaus added an entire /22 to their IP blocklist! The client's /29 was inside that block, so naturally they got blocked by anybody honoring spamhaus' block list... (And to the legion of assholes that troll anybody criticizing spamhaus' slipshod work and labels them a "spammer," Fuck you! They didn't send any spam, EVER. And blocking an entire /22 (covering s
Re: (Score:2)
Are you serious? This is entirely enforceable without unreasonable difficulty. It's easy to find out who owns an IP address and there's always contact info attached to that record. If the fine isn't paid or isn't paid on time, it's only a simple matter of shutting the company's site down 'til the fine is paid. We're not talkin' about individuals here, but companies, especially hosting services, etc. Notification would come through an official gov't somebody, not something like a spamish-lookin-email. Anybo
Re: (Score:2)
Are you serious? This is entirely enforceable without unreasonable difficulty. It's easy to find out who owns an IP address and there's always contact info attached to that record.
LOL the MPAA wishes this were true.
If the fine isn't paid or isn't paid on time, it's only a simple matter of shutting the company's site down 'til the fine is paid.
I am beginning to lose my faith in humanity and Slashdot in particular. That there really are people here begging for legal intervention makes me sick. The technical basis for the arguments being spewed here is not even factually accurate.
We're not talkin' about individuals here,
Who's we? There is plenty of consumer gear with broken DNS proxies and plenty of users who run their own servers something we should be encouraging not discouraging with our dreams of offloading liability from criminals to the users.
but companies, especially hosting services, etc. Notification would come through an official gov't somebody, not something like a spamish-lookin-email.
Host
Re:Another cure that is worse than the disease (Score:5, Insightful)
How are they at all analogous? Emitted radiation can be directly measured; "vulnerability" cannot.
Re: (Score:2)
Alas the story doesn't link to an actual official statement from spamhaus, so it's impossible to see exactly what he said, there isn't even anything on spamhaus' own website, so is it an official spamhaus statement at all?
Re: (Score:3)
It is a bit more difficult than that. Suppose the hacker in question is the help desk drone you gave access to in order to fix the system. Suppose the vulnerability is little more than me, who was dating your daughter until I found her with another guy, and until then I had legitimate access. You will never know how it happened and most likely lack the ability to find out, whereas emissions can be measured with a device you can hold in your hand.
Anyways, the fine is a bad idea because it will lead to approved s
Re: (Score:2)
If your wife or girlfriend takes nude photos you are more likely to have them end up on the net; if they take no nude photos and you have no webcams you can reasonably expect pictures would never be posted.
Re: (Score:2)
"You know, it'd be a *real* shame if your wife/girlfriend got this nice camera for Christmas this year..."
Re: (Score:2)
The FCC RF laws are highly enforceable. All it takes is a licensed user complaining about interference and the FCC can send a van around to monitor it. And the fines for operating equipment like that can be pretty harsh, too. The lightest of them is basically turning off the equipment, to seizure of said equipment
Re: (Score:2)
"Of course, there are also licensed users who have "community sense" who often will fix other people's problems for free"
Funny, I was thinking the opposite due to the opposite of your example:
Try getting a cable company with leaky coax to stop interfering with ham radio! Good luck!
or yum update. unsafe car too? (Score:5, Insightful)
That sounds like an awful lot of trouble to avoid taking ten minutes to fix the configuration, or yum update for a correct default configuration. Do you also move to some third world country to avoid the law requiring working turn signals?
Re: (Score:2)
How about not "vulnerable" but having sent exactly 1 spam detected message? That DEMONSTRATES the vulnerability and is evidence.
I get plenty of 'detected' emails in my spam folder that are not spam. Who's going to decide what is and what isn't?
I used to love Spamhaus (Score:5, Insightful)
Honestly, I used to love Spamhaus, but as the years wore on, I got into the IT world, and having had to interact with them I've come to really loathe them. A decent service, I guess, but every single person that is involved with them comes across like a whining child, and I hate ever having to interact with them.
Re: (Score:2)
At least you got to talk to someone. My experience consisted of automated forms and links to other sites with absolutely no confirmation that something moved forward or not.
There is no better feeling than telling your boss that the rootkit found on his kid's laptop, which he uses to babysit the kid when he brings her in, was behind the problem, and you think maybe the problem might be getting fixed. It's kind of like poking a sleeping bear with a bee hive taped to a stick and wondering if the stick is long enough.
Re:I used to love Spamhaus (Score:4, Informative)
This is exactly what I ran into. My company got a new block of IPs and several IPs within that were on their block list. I could never get through to them, thus never got the IPs removed.
I stopped using their blacklist years ago because their service is unreliable. They seem to have this "We're better than you" mentality.
Re: (Score:2, Informative)
Dealing with them is like dealing with Eric Cartman when he was deputized. "Respect my authoritai!"
If they decided you weren't kissing their asses with sufficient deference they would happily violate their stated policies and expand and entrench the blacklisting in spite of no spam coming from any of the IPs listed.
Fine Spamhaus! (Score:2, Insightful)
Agreed. I feel exactly the same way. Once you find out how Spamhaus is operated, you realize the Internet would be better off without them. They're a disgrace.
Perhaps they should be fined for inattentive and reckless operation of an internet service, KNOWING it's being used to block mail, and KNOWING that their data is crap, full of spite listings and sources from which no abuse comes.
As long... (Score:5, Insightful)
...as server operators can fine Spamhaus for false positives.
Re: (Score:2)
That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.
Re:As long... (Score:4, Informative)
That depends on how much you're letting spamhaus validate actual positives. It has to go both ways.
We've been having significant problems with the CBL's ill-thought-out policies (and Spamhaus imports data from the CBL)...
http://blog.nexusuk.org/2013/09/problems-with-cbl.html [nexusuk.org]
Re: (Score:2)
I am not sure what is ill-thought-out about their policies. In both scenarios, an IP address is sending SPAM. The IP address gets blocked. The author (you?) asks for a list of honeypot addresses, but you could be a spammer, who could use that list to delay blocking of the SPAM.
Also, I have not seen a SPAM bot that uses the smarthost. This doesn't mean that they don't exist, but I think that they are rare. Hence blocking direct acces
Re: (Score:3)
I am not sure what is ill-thought-out about their policies. In both scenarios, IP address is sending SPAM. IP address gets blocked.
The ill-thought-out bit is that the CBL is a *spam email* blocklist, but their heuristics cause networks that aren't sending spam email to get listed and therefore blocked. Whilst there is no argument that the networks were infected with malware, listing them on the CBL serves no useful purpose since they were of no threat to the systems that would be using the CBL (mail servers).
Previously, sharing an IP address between multiple services was a reasonable idea - there was never a reason not to do this an
Re: (Score:2)
It wasn't clear to me from the article that this was the problem. However, It's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria is, so I assume you have some hard evidence and not just suspicions that
Re: (Score:3)
It wasn't clear to me from the article that this was the problem. However, It's still not clear to me that this is the case. You assert that fetching some "spammy" URLs causes the listing, but the folks at CBL don't say what their listing criteria is, so I assume you have some hard evidence and not just suspicions that the fetching of honeypot URLs causes a listing?
When you get listed, you can look up the reason why and it tells you.
From my reading about Zbot, the only URLs it fetches are from C&C servers, so the CBL operators would have to have taken over a Zbot C&C server (or have access to the logs from someone who has gained control of a C&C server).
I believe (and I'm not altogether clear whether this is accurate) that Zbot uses C&C domains that are generated programmatically based on the time of day, so CBL have managed to register some of those domains before the real bot owners and therefore set up a honeypot of C&C servers.
Re: (Score:2)
Some more googling suggests that the CBL tells you the honeypot IP after listing. If this is true, could you not look in your proxy logs to see what the URLs to the C&C servers look like and block them based on a pa
Re: (Score:2)
Some more googling suggests that the CBL tells you the honeypot IP after listing. If this is true, could you not look in your proxy logs to see what the URLs to the C&C servers look like and block them based on a pattern that matches the part after the domain name?
There wasn't an especially obvious fingerprint I could derive from the requests when I looked (i.e. each time I've seen this, the request has been considerably different)
Re: (Score:2)
...as server operators can fine Spamhaus for false positives.
All these fines should go towards counselling for the servers to help resolve their insecurities
WON'T SOMEONE PLEASE THINK OF THE SERVERS?
Free Speech (Score:4, Interesting)
If things like public defecation, nudity, and pan-handling can be successfully argued as free speech (which they all have, at some point, somewhere), I think it would be a pretty simple affair to claim that running open, unsecured internet infrastructure is also a form of free expression.
"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels."
Re: (Score:3)
Sadly that is a repercussion of having liberties. Free speech means the right for people to say things you don't agree with. If free speech was easy, then everyone would have it.
Re: (Score:2)
Sadly that is a repercussion of having liberties. Free speech means the right for people to say things you don't agree with.
That's not sad, it's what makes life interesting.
I think living in an echo chamber would be unbelievably boring.
Re: (Score:2)
True, but free speech has always had limitations when it comes to the speech having specific impacts, esp when that speech is part of a crime.
You'll have to be more specific.
I know that speech which directly causes harm (like yelling 'fire' in a crowded, not-on-fire place) is patently illegal; I also know that knowingly providing information or services to individuals in the commission of a crime is not protected speech.
But this isn't one of those situations; nobody's handing the car keys to the bank robber, they've just left the keys in the ignition with the doors unlocked. Pretty sure that's not illegal.
Re: (Score:2)
This is just a guess, because it has never happened to me before. However, I imagine that after being on a receiving end of a massive DDOS I would no longer think of not patching your servers as a form of free speech. Instead, I would think of it as negligence.
Re: (Score:2)
This is just a guess, because it has never happened to me before. However, I imagine that after being on a receiving end of a massive DDOS I would no longer think of not patching your servers as a form of free speech. Instead, I would think of it as negligence.
So... if you left the keys in your car, and some sociopath took said car and ran over a few people with it, you think you should be charged with negligence?
I think if it did happen to you, you might feel differently. People are funny that way.
Re: (Score:2)
I would prefer a non-car analogy please. It's been a while since the last good one.
In any case, if the event you described did happen, I would feel VERY bad about it, and would be very careful not to leave the keys in the car again. If one of my servers was hijacked to do bad things, be it DDOS or spamming, I would feel bad about that also.
Re: (Score:2)
I would prefer a non-car analogy please. It's been a while since the last good one.
Ok, if you were Peter Parker then ...
Re: (Score:2)
And because you would feel bad about it, you would fix it. Fining you on top of that would just be rubbing salt in your wounds.
Re: (Score:2)
I would prefer a non-car analogy please. It's been a while since the last good one.
In any case, if the event you described did happen, I would feel VERY bad about it, and would be very careful not to leave the keys in the car again. If one of my servers was hijacked to do bad things, be it DDOS or spamming, I would feel bad about that also.
As far as car analogies go, I'd say this is one of the rare ones that actually makes sense and is in context to the general point.
Feeling bad is good - showing remorse is a sign that you're not a sociopath. But feeling guilty doesn't make a person legally culpable for another person's actions, which is my position on the matter.
Re: (Score:2)
OK, let's go with the car analogy.
You step out of your car, leaving your keys in the ignition. Someone comes up to you and tells you that the area is crawling with psychotic people, and there is a likelihood that one of them will be taking your car and hitting someone with it. You say it's not your problem and you leave the keys anyway. It is my understanding that Spamhaus is suggesting that you should be fined for that. We can argue that makes sense or not, but can we please agree that this is not about fre
A similar case (Score:2)
Re: (Score:2)
Let's try another analogy...
Suppose you have a pool in your backyard, and some kids use it w/o your permission. When one of them drowns, who's liable?
Now, I'm not taking Spamhaus' side on this, but analogies are just that, and often apples vs. oranges.
Re: (Score:2)
If the pool is fenced in but the lock on the gate is easy to pick?
Re: (Score:2)
The fault isn't the owner's for not locking it, it's the attacker's fault.
Not from the insurance company's point of view.
There are laws (Score:2)
that say if your car is left unlocked and someone steals it/does something with it, you can be charged with leaving it unlocked or get fined by the city.
Re: (Score:2, Troll)
Unfortunately, it's also fairly accepted that there are such things as "attractive nuisances."
Classic example is the swimming pool on your private property, where you ruthlessly shoot and kill all trespassers whenever you see them climbing the electrified barbed wire fence around your pool. As long as you successfully kill each one of them before they get to the pool, you're saf
Re: (Score:3)
No. I am under no obligation whatsoever to lock or otherwise secure my property. What will you suggest next? If I leave a lighter on my porch and you steal it and torch the house down the block, do I share the blame?
Open != Open (Score:3, Informative)
Ambiguity warning! Open DNS servers are perfectly fine, they can be used against censorship or for speed. They should even be encouraged. I use the Caesidean root, for example. What they mean by "open" are drastically misconfigured DNS servers.
Anyway, Spamhaus are a bunch of whining vigilante pussies and bad losers, so fuck them.
Re: (Score:2)
to be exact
a DNS that is open to being "read" ie Who is 234.45.42.103 is fine
a DNS that is open to being WRITTEN ie 234.45.42.103 is HappyPlaytoy.uy (without somebody up the chain proving it) is BAD
a DNS that can redirect traffic going to HappyPlaytoy.uy to say IBM.com (or wespeakforthetrees.org) as part of a DDOS is EVIL BAD and WRONG
Wouldn't it make more sense? (Score:4, Insightful)
For ISPs to simply drop UDP packets that are outbound where source address is not inside their network. Is there some legit use for sending forged UDP packets?
Re: (Score:2)
Not really. But that wouldn't stop DNS amplification attacks. Just make it harder to avoid tracing - and any half-competent attacker is going to be using compromised hosts as the launching point anyway.
Punishment (Score:5, Insightful)
Funny how an organisation like Spamhaus, which is guilty of systematically depriving random and quite innocent internet users of connectivity (and proud of it too), suddenly thinks that whoever interferes with their connectivity should be punished by law. Hypocrisy.
Although I think their service does have its good points, their attitude makes me want to hurl.
Re: (Score:2)
Oh my. Did I touch a nerve?
Comment removed (Score:4, Insightful)
Re: (Score:2)
The proper way to address reflection attacks is for network operators to set up rules that preclude forged packets from leaving their network. There's no reason the router solely responsible for 192.168.1.0/24 should be passing along outbound traffic with a source address of 172.25.1.15. A handful of progressive networks have made this change, but they're the exception, not the rule.
I don't foresee this working for IPv6, where one of the benefits of having so many addresses is that we can tie a load of them to individual devices and not have to suffer NAT. As a side-effect, the leaves on a network won't necessarily have correlated addresses.
Re: (Score:2)
Sure they will. IPv6 still has prefixes. There is no good reason to send out a UDP packet that has the wrong prefix in the source address.
blame the victim! (Score:2)
Yeah! (Score:2)
Tor Exit Nodes (Score:2)
This seems like a great underhanded way to make it illegal to run Tor exit nodes, free VPNs, proxies or similar services that give anonymous people ways to interact with the net.
Great idea! (Score:2)
News at 11 someone with power (Score:2)
wants more power to direct people's lives for their own gain.
Have to agree (Score:4, Informative)
I have to agree with penalizing operators of open recursive DNS responders. DNS servers fall into roughly 4 categories:
My guess would be 99+% of all nameservers fall into the first three categories, 95+% fall into the first two, and 90+% of authoritative servers (category 2) are operated by a DNS hosting company rather than directly by the domain owner. If you're in the (relatively) small number needing to run a category 3 server you just need to take a few minutes to read the configuration docs and set it up for "don't respond to queries unless they're from a network I've listed", and if you can't or won't you deserve smacked with the newspaper. If you're in the even smaller number who want to run a category 4 server you need to know what you're doing, if you don't and go ahead anyway you deserve whatever you get (up to and including losing your Internet access).
DNS is broke not the operators (Score:2)
Each time someone makes the claim misconfiguration of DNS enables amplification they are contributing to the problem by refusing to address the root cause.
DNS is flawed by design. You can still extract perfectly useful amplification factors out of non-recursive servers or servers with DNSSEC enabled. All turning off recursion does is cut out ultra low hanging fruit while leaving the problem unaddressed.
There are several ways to actually solve this problem.
1. Use TCP for DNS
2. Implement DNS cookies
3. Globa
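The two posts above make complementary points: the "Have to agree" commenter wants a category 3 (recursive) server to answer only queries from listed networks, and the "DNS is broke" commenter notes that any large answer, recursive or not, hands a reflector an amplification factor. The following Python script is an added example, not code from the thread, Spamhaus or the CBL. It hand-builds minimal DNS wire-format messages so it runs offline, decodes the response header (RA flag, RCODE, answer count), computes the response-bytes-per-query-byte ratio, and audits a set of (client, query, response) records for clients outside an allowed list that received a recursive answer instead of REFUSED. The allowed networks, client addresses, example.com query and the ten 200-byte TXT records are all constructed for illustration (RFC 5737/3849 documentation ranges).

```python
"""Resolver response audit: open recursion and amplification ratio.

Added example, not from the thread. Everything here is constructed:
documentation address ranges, an example.com ANY query, and a bloated
TXT answer standing in for a large zone.
"""
import ipaddress
import struct

QTYPE_TXT, QTYPE_ANY = 16, 255
RCODE_NOERROR, RCODE_REFUSED = 0, 5
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, NUL-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, qid=0x1234):
    """Standard recursive query: 12-byte header + one question (class IN)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, rcode, answers, ra=True):
    """Response echoing the query's ID and question.

    answers: list of (rtype, rdata) tuples; each RR uses a compression
    pointer (0xC00C) back to the question name at offset 12.
    """
    qid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    body = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
        for rtype, rdata in answers
    )
    return header + query[12:] + body


def inspect(query, response):
    """Decode the header and compute the amplification ratio (response
    bytes per query byte) that a reflector would hand an attacker."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    return {
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0xF,
        "answers": ancount,
        "ratio": round(len(response) / len(query), 1),
    }


def audit(records, allowed_nets):
    """Flag clients outside allowed_nets that got a recursive answer.

    records: iterable of (client_ip, query_bytes, response_bytes), as an
    operator might reconstruct from a capture on their own resolver. A
    correctly restricted resolver answers such clients with REFUSED
    (ratio about 1.0), not with data.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for client, q, r in records:
        info = inspect(q, r)
        outside = not any(ipaddress.ip_address(client) in n for n in nets)
        if outside and info["rcode"] == RCODE_NOERROR and info["answers"] > 0:
            findings.append((client, info["ratio"]))
    return findings


# Constructed sample: one ANY query answered with ten 200-byte TXT records,
# and the same query correctly refused.
QUERY = build_query("example.com", QTYPE_ANY)
BIG_TXT = [(QTYPE_TXT, bytes([199]) + b"x" * 199)] * 10
ANSWERED = build_response(QUERY, RCODE_NOERROR, BIG_TXT)
REFUSED = build_response(QUERY, RCODE_REFUSED, [], ra=False)

ALLOWED = ["203.0.113.0/24", "2001:db8::/32"]  # constructed "my networks" list
SAMPLE_RECORDS = [
    ("203.0.113.10", QUERY, ANSWERED),   # inside allowed list: expected
    ("198.51.100.77", QUERY, ANSWERED),  # outside and answered: open recursion
    ("198.51.100.78", QUERY, REFUSED),   # outside and refused: correct
]

if __name__ == "__main__":
    print("answered:", inspect(QUERY, ANSWERED))
    print("refused: ", inspect(QUERY, REFUSED))
    print("open-recursion findings:", audit(SAMPLE_RECORDS, ALLOWED))
```

The 29-byte query against a 2149-byte answer gives a ratio of about 74, while the REFUSED reply is the same size as the query. Note that `inspect` does not care whether the answering server was recursive: an authoritative server returning the same TXT set yields the same ratio, which is the "DNS is broke" commenter's point that turning off recursion removes only the easiest reflectors.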
But who is really responsible? (Score:2)
Is it the server operator? Or is the OS provider liable for producing a defective product? And if the OS is open-source, who do you go after?
I understand where Spamhaus is coming from... I'd also love to penalize idiots who make the Internet a worse place. But I don't think it's a practical option and trying to implement it opens up a huge can of worms.
BCP38 (Score:2)
Can we change that at first to just start with the very simple:
Organisations transferring IP packets should be kicked off the Internet if they do not implement BCP38.
That would make all kinds of spoofed attacks impossible, that being the DNS, NTP, Quake-alike and many many others...
But, as there is no money to be earned with this, ISPs do not enforce it.
(and yes, it does cost some cash to implement as not all routers support it unfortunately..... )
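The BCP38 post above, the "Wouldn't it make more sense?" thread and the "proper way to address reflection attacks" reply all describe the same border rule: do not forward an outbound packet whose source address is not one of your own prefixes. The Python script below is an added example, not code from the thread or from any vendor; it models that egress decision with the standard `ipaddress` module. The operator's prefixes (203.0.113.0/24 and 2001:db8:100::/40, both documentation ranges) and the sample packets are constructed. It also answers the IPv6 objection in the thread: customer /48s and /64s are carved out of the ISP's aggregate, so a prefix-membership test on the aggregate still works.

```python
"""BCP38-style egress filter decision (added example, not from the thread).

Assumptions, all constructed for illustration: the network originates
203.0.113.0/24 and 2001:db8:100::/40 (RFC 5737/3849 documentation ranges)
and hands customers sub-blocks of those aggregates.
"""
import ipaddress

# Prefixes this network legitimately originates; any other source is spoofed.
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/40"),
]


def source_is_ours(src, prefixes=OUR_PREFIXES):
    """True if src lies inside one of the network's own aggregates.

    Individual IPv6 hosts pick their own interface identifiers, but the
    /64 they sit in is still a sub-block of the /40, so membership in the
    aggregate is all the border router needs to check.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes if net.version == addr.version)


def egress_decision(src, dst, proto):
    """Return 'forward' or 'drop' for a packet leaving the network.

    The protocol is deliberately ignored: a forged source address is a
    forged source address whatever the transport, so restricting the rule
    to UDP (as one commenter suggested) would leave other spoofed traffic
    untouched. Inbound traffic is outside BCP38's scope.
    """
    return "forward" if source_is_ours(src) else "drop"


# Constructed sample of outbound packets: (source, destination, protocol)
SAMPLE_PACKETS = [
    ("203.0.113.17", "198.51.100.5", "udp"),            # customer: fine
    ("192.0.2.9", "198.51.100.5", "udp"),               # forged source: drop
    ("2001:db8:100:abcd::1", "2001:db8:2::53", "udp"),  # customer /64: fine
    ("2001:db8:200::1", "2001:db8:2::53", "tcp"),       # outside our /40: drop
    ("203.0.113.250", "198.51.100.123", "icmp"),        # ours, non-UDP: fine
]


def apply_filter(packets):
    """Classify outbound packets; returns (forwarded_sources, dropped_sources)."""
    forwarded, dropped = [], []
    for src, dst, proto in packets:
        target = forwarded if egress_decision(src, dst, proto) == "forward" else dropped
        target.append(src)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drp = apply_filter(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped (spoofed source):", drp)
```

The same membership check is what a router ACL or unicast RPF does in hardware; the cost the post mentions is that not every router can evaluate it at line rate, and that the prefix list must be kept in step with the network's actual announcements (customers who are multihomed and legitimately source traffic from another provider's prefix need an explicit exception).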
Re: (Score:2)
At this point it's called a tax.
Re: (Score:3)
Let's assume you could somehow magically solve the enforcement problem. It's still a horrible idea because now there's the question of who issues warnings. Would Spamhaus be the one to issue warnings? Would other, similar organizations get to issue warnings? What if one organization has a draconian view of what constitutes "spamming"? Do their warnings count the same as a group with a more lenient view? Would individual users issue warnings? How do you handle false positives? (Such as: User signs up