Amazon AWS cloudfront WAF block

Hi all

Most if not all of our prefixes are on some sort of AWS WAF deny list, that or our ASN is listed.

We are an eyeball network, geo-location websites e.g maxmind are correctly displaying the correct location and services for our prefixes.

We do not have a support contract with amazon aws to create a support ticket. Various websites are now blocked, e.g Reddit and many more. It is not feasible for us to reach out to each one to adjust their aws waf filters.

Upon emailing AWS this is their reply:

"The best course of action would be to contact Neustar and or MaxMind who are 3rd party WAF aggregators on this to address any issues with WAF blocking."

This is also not fair and frankly a rabbit hole we do not want to go down. These are also paid for services. AWS is almost holding our ASN/Prefixes as hostage to these paid for services with no easy way to check why we are being blocked, and getting off "some" list.

Anyone have an idea / contact or what to do?

We're still playing whack a mole with our IP space. I've asked our corporate counsel about sending demand letters with an accusation of tortious interference.

IP Quality Score seems to be a big nuisance. Check a few of your IPs on their website.

No silver bullets though.

Eric

________________________________
From: paul--- via NANOG <nanog@lists.nanog.org>
Sent: Wednesday, May 28, 2025 10:18:55 AM
To: nanog@lists.nanog.org <nanog@lists.nanog.org>
Cc: paul@vanilla.capetown <paul@vanilla.capetown>
Subject: Amazon AWS cloudfront WAF block

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/NC6Q4WG7...

Are we really going to repeat the blatant stupidity of spammers 15-20 years ago who tried to file SLAPP (https://en.wikipedia.org/wiki/Strategic_lawsuit_against_public_participation) suits against DNSBL (https://en.wikipedia.org/wiki/Domain_Name_System_blocklist) operators? Did we learn nothing from history?

Please have your lawyers review the Spamhaus lawsuit, and other state and federal lawsuits filed by spammers against DNSBL operators (like me!) before you file a SLAPP suit. We always win. We win so much it's getting boring.

Our state and federal courts have ruled in every case I am aware of that publishing lists of hosts who violate or have violated the behavioral norms of the Internet and society at large is protected under 47 USC 230’s good samaritan clause (c)(2)(A) and (B). In fact my right to publish a list that says your IPs, IP blocks, DNS, or any other technical means of identifying your content or traffic as not reputable EXCEEDS your constitutional rights to protected speech. During the 2004 and 2008 US presidential elections we reputation listed both major parties' presidential campaigns for sending unsolicited bulk email. Their legal recourse was to go away and deal with it. When a major email provider was in a very long beta, and it was exploited to send CSAM randomly around the internet, we reputation listed it.

Reputation lists are protected speech. Anyone who wishes to use these lists may do so for any reason they wish, or none at all. Legal threats with no merit in law are "otherwise objectionable" https://en.wiktionary.org/wiki/cartooney. You are actually quite lucky that my list isn't still operating. We routinely reputation listed sources of idiotic legal threats (cartooneys https://en.wiktionary.org/wiki/cartooney). Getting out of that reputation list required a public apology made in the same forum where the original cartooney was published.

It baffles my mind that anyone would stand up and publicly announce that they wish to be counted with spammers. Obviously none of this is legal advice, but since this is going to be archived in Google in a day or so, it should save the attorneys who are going to respond to your cartooney time in composing their reply.

In summation don't threaten reputation list providers. You will lose every time.

Andrew Kirch
Former owner of the Abusive Hosts Blocking List

On Wed, May 28, 2025 at 9:25 PM Eric C. Miller via NANOG <nanog@lists.nanog.org> wrote:

"When a major email provider was in a very long beta" :) On Wed, May 28, 2025 at 7:08 PM Andrew Kirch via NANOG < nanog@lists.nanog.org> wrote:

It baffles my mind that anyone would stand up and publicly announce that they wish to be counted with spammers.
It's been fairly well established for many years that IP ranges and ASNs end up on WAF lists for a variety of non-abuse / bad actor related reasons. Seems like an unnecessary escalation to just assume someone is because of a question like this.

On Wed, May 28, 2025 at 10:09 PM Andrew Kirch via NANOG <nanog@lists.nanog.org> wrote:

What has the signal-to-noise ratio become on those lists?

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Tom Beecher via NANOG" <nanog@lists.nanog.org>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: "Tom Beecher" <beecher@beecher.cc>
Sent: Wednesday, May 28, 2025 9:39:55 PM
Subject: Re: Amazon AWS cloudfront WAF block

You do realize that some organizations have such a broken support and contact system that often a legal threat or a formal complaint with a regulator is necessary to get said organizations to even discuss an issue?

I read the original message as "I'm frustrated that we're trying to do the correct things here but I can't get anyone to tell us what we're doing wrong so we can either stop the behavior or get a record corrected". This is a lot different than "we're a spammer and we're going to sue a dnsbl for interfering with our business".

If amazon had a well defined process for legitimate ISPs to be able to open a ticket to resolve issues with their netblocks, I doubt anyone in this thread would be discussing having lawyers write letters. And if I'm mistaken and there is a well defined way for a non-AWS-customer ISP to address these types of issues with Amazon, I'd love to hear what it is.

On Wed, May 28, 2025, 8:08 PM Andrew Kirch via NANOG <nanog@lists.nanog.org> wrote:
- Forrest

*nods* So many of those organizations are broken. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Forrest Christian (List Account) via NANOG" <nanog@lists.nanog.org> To: "North American Network Operators Group" <nanog@lists.nanog.org> Cc: "Forrest Christian (List Account)" <lists@packetflux.com> Sent: Thursday, May 29, 2025 6:04:30 AM Subject: Re: Amazon AWS cloudfront WAF block You do realize that some organizations have such a broken support and contact system that often a legal threat or a formal complaint with a regulator is necessary to get said organizations to even discuss an issue? I read the original message as "I'm frustrated that we're trying to do the correct things here but I can't get anyone to tell us what we're doing wrong so we can either stop the behavior or get a record corrected". This is a lot different than "we're a spammer and we're going to sue a dnsbl for interfering with our business". If amazon had a well defined process for legitimate ISPs to be able to open a ticket to resolve issues with their netblocks, I doubt anyone in this thread would be discussing having lawyers write letters. And if I'm mistaken and there is a well defined way for a non-AWS-customer ISP to address these types of issues with Amazon, I'd love to hear what it is. On Wed, May 28, 2025, 8:08 PM Andrew Kirch via NANOG <nanog@lists.nanog.org> wrote:
Are we really going to repeat the blatant stupidity of spammers 15-20 years ago who tried to file SLAPP (
https://en.wikipedia.org/wiki/Strategic_lawsuit_against_public_participation ) suits against DNSBL ( https://en.wikipedia.org/wiki/Domain_Name_System_blocklist) operators? Did we learn nothing from history?
Please have your lawyers review the Spamhaus lawsuit, and other state and federal lawsuits filed by spammers against DNSBL operators (like me!) before you file a SLAPP suit. We always win. We win so much it's getting boring.
Our state and federal courts have ruled in every case I am aware of that publishing lists of hosts who violate or have violated the behavioral norms of the Internet and society at large is protected under 47 USC 230’s good samaritan clause (c)(2)(A) and (B). In fact my right to publish a list that says your IPs, IP blocks, DNS, or any other technical means of identifying your content or traffic as not reputable EXCEEDS your constitutional rights to protected speech. During the 2004 and 2008 US presidential elections we reputation listed both major parties' presidential campaigns for sending unsolicited bulk email. Their legal recourse was to go away and deal with it. When a major email provider was in a very long beta, and it was exploited to send CSAM randomly around the internet, we reputation listed it.
Reputation lists are protected speech. Anyone who wishes to use these lists may do so for any reason they wish, or none at all. Legal threats with no merit in law are "otherwise objectionable" https://en.wiktionary.org/wiki/cartooney. You are actually quite lucky that my list isn't still operating. We routinely reputation listed sources of idiotic legal threats (cartooneys https://en.wiktionary.org/wiki/cartooney). Getting out of that reputation list required a public apology made in the same forum where the original cartooney was published.
It baffles my mind that anyone would stand up and publicly announce that they wish to be counted with spammers. Obviously none of this is legal advice, but since this is going to be archived in Google in a day or so, it should save the attorneys who are going to respond to your cartooney time in composing their reply.
In summation don't threaten reputation list providers. You will lose every time.
Andrew Kirch Former owner of the Abusive Hosts Blocking List
On Wed, May 28, 2025 at 9:25 PM Eric C. Miller via NANOG < nanog@lists.nanog.org> wrote:
We're still playing whack a mole with our IP space. I've asked our corporate counsel about sending demand letters with an accusation of tortious interference.
IP Quality Score seems to be a big nuisance. Check a few of your IPs on their website.
No silver bullets though.
Eric
- Forrest

On May 29, 2025 at 07:38 nanog@lists.nanog.org (Mike Hammett via NANOG) wrote:
> *nods* So many of those organizations are broken.
What's broken is the ad hoc way all of this is handled. It's all so amateurish it's embarrassing. And in 30 years it's pretty clear it's never worked much beyond how a bad case of office politics or high school social snubbing "works".
--
-Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*

On Thu, May 29, 2025 at 05:04:30-0600, Forrest Christian (List Account) via NANOG wrote:
> If amazon had a well defined process for legitimate ISPs to be able to open a ticket to resolve issues with their netblocks, I doubt anyone in this thread would be discussing having lawyers write letters. And if I'm mistaken and there is a well defined way for a non-AWS-customer ISP to address these types of issues with Amazon, I'd love to hear what it is.
Fun fact: there are AWS network engineers subscribed to this list.
--e

On 5/29/25 08:57, Endre Szabo via NANOG wrote:
> Fun fact: there are AWS network engineers subscribed to this list.
This does not imply that they are empowered (or even interested) to act on information they may receive via this list in these matters. They may do so from time to time, and they may even have good intentions, but without a clear process for engaging an entity, there's no reliable way to get things like this taken care of. Back-channels are useful for escalation and unusual happenings. This is not an unusual happening, and at least initial action on things that are not unusual should not require escalation.
--
Brandon Martin

On Wed, 28 May 2025 22:07:48 -0400 Andrew Kirch via NANOG <nanog@lists.nanog.org> wrote:
> Are we really going to repeat the blatant stupidity of spammers 15-20
It may be that some of these modern blocking filters have evolved beyond "reputation" and into something that might arguably be suggestive of a "class". For example, a variety of content and hosting providers are increasingly making decisions about which specific clients (source IP addresses) can utilize their service, not necessarily based on any history of IP address/block abuse, but rather on a third-party classification (or type) by IP address meta data enrichment providers. Class or type in this example might be labels such as "residential", "server", "VPN", "edu", "anycast", "content", etc. Maybe this is an irrelevant distinction based on case history, but there does seem to be some nuanced differences operationally. I wouldn't be surprised to see someone argue against some types of blocks on net neutrality grounds. Given the tussle of regulation in that space I'm not sure makes the outcome any more clear however. Just more tussle. John

On Wed, May 28, 2025 at 7:07 PM Andrew Kirch via NANOG <nanog@lists.nanog.org> wrote:
> Please have your lawyers review the Spamhaus lawsuit, and other state and federal lawsuits filed by spammers against DNSBL operators (like me!) before you file a SLAPP suit. We always win. We win so much it's getting boring.
Hi Andrew,
Maybe I misunderstood Eric, but I thought his "threat," if you want to call it that, was to sue WAF implementers like AWS for tortious interference rather than list publishers like IP Quality Score. The legal proposition is that an AWS customer has little or no control over what AWS does with the IP blocking information. If they want to do business with me and I want to do business with them but AWS steps in the middle, that's potentially tortious interference. And let's face it: AWS is a large enough organization you're not just playing whack-a-mole.
Worth noting that Spamhaus et al. escaped their lawsuits because they publish information. They don't block anybody. The consumers of their information (like AWS) do the blocking.
Also worth noting that Eric's plan wasn't to sue per se, it was to send demand letters. There's an implicit assumption that if he could just talk to a responsible person, they'd agree with him and fix the problem. Demand letters to the attorney of record are kind of a last ditch mechanism to cut through an organization's hierarchy and talk to the engineer who can actually solve your problem. Because whoever you are and however well insulated you are from the tech support front door, the company lawyers have access to you.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/

Sigh. Let's try this again.
I don't have to accept your traffic. Amazon doesn't have to accept your traffic. No one has to accept your traffic. I can deny your traffic for any lawful reason even if that traffic might be otherwise constitutionally protected.
I linked to the law, but I guess I'll have to paste it. Please take the time to read it. "Otherwise objectionable" means pretty much whatever AWS wants it to mean. I object to your traffic on my network, therefore I'm not carrying it. They have no case. Period end of story. Their lawsuit is a SLAPP suit, and their threat is barratry.
In the past we used to bake cakes to make this point. https://www.theregister.com/2018/08/28/ipv6_peering_squabbles/ qu'ils mangent la brioche!
https://www.law.cornell.edu/uscode/text/47/230
(c) Protection for “Good Samaritan” blocking and screening of offensive material
(2) Civil liability
No provider or user of an interactive computer service shall be held liable on account of—
(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or
(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).
Andrew
On Thu, May 29, 2025 at 1:44 PM William Herrin <bill@herrin.us> wrote:
> On Wed, May 28, 2025 at 7:07 PM Andrew Kirch via NANOG <nanog@lists.nanog.org> wrote:
>> Please have your lawyers review the Spamhaus lawsuit, and other state and federal lawsuits filed by spammers against DNSBL operators (like me!) before you file a SLAPP suit. We always win. We win so much it's getting boring.
> Hi Andrew,
> Maybe I misunderstood Eric, but I thought his "threat," if you want to call it that, was to sue WAF implementers like AWS for tortious interference rather than list publishers like IP Quality Score. The legal proposition is that an AWS customer has little or no control over what AWS does with the IP blocking information. If they want to do business with me and I want to do business with them but AWS steps in the middle, that's potentially tortious interference. And let's face it: AWS is a large enough organization you're not just playing whack-a-mole.
> Worth noting that Spamhaus et al. escaped their lawsuits because they publish information. They don't block anybody. The consumers of their information (like AWS) do the blocking.
> Also worth noting that Eric's plan wasn't to sue per se, it was to send demand letters. There's an implicit assumption that if he could just talk to a responsible person, they'd agree with him and fix the problem. Demand letters to the attorney of record are kind of a last ditch mechanism to cut through an organization's hierarchy and talk to the engineer who can actually solve your problem. Because whoever you are and however well insulated you are from the tech support front door, the company lawyers have access to you.
> Regards, Bill Herrin
> -- William Herrin bill@herrin.us https://bill.herrin.us/

On Thu, May 29, 2025 at 10:57 AM Andrew Kirch <trelane@trelane.net> wrote:
> (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected
Hi Andrew, The key phrase here is "taken in good faith." After I've notified you of an error, your action stops being good faith. You've either investigated my complaint and determined your action is reasonable and correct, investigated my complaint and fixed your error, or failed to investigate my complaint. Whichever way you go, it's no longer a "good faith" matter and this section of the statute no longer applies. Your following action has to stand the test of reasonability without it. In the Spamhaus case, their defense was: "We merely published a summary of our observations about the plaintiff's behavior." That's an objectively reasonable thing to do.
> I don't have to accept your traffic. Amazon doesn't have to accept your traffic. No one has to accept your traffic. I can deny your traffic for any lawful reason even if that traffic might be otherwise constitutionally protected.
"We reserve the right to refuse service," is a very common sign but it has no force of law. If you refuse service without a reasoned and articulable cause, you run afoul of a thousand statutes and precedents which bound the lawful causes for doing so. Tortious interference is one of those precedents. It says that if you knowingly prevent third parties from completing a reasonable and lawful contract with each other, you're liable for the damage that interference causes. There are, of course, many more lawful reasons for refusing service than unlawful ones. But you can't be arbitrary or capricious about it; you have to be able to articulate a cause for that specific refusal that a reasonable person would find sensible. Section 230 doesn't undo the tortious interference precedents. It just reminds the judge that _knowingly_ is a part of the claim the plaintiff must prove with specificity. That your interference was unintentional is a winning affirmative defense. tl;dr: you claim that section 230 means ISPs can legally do whatever they want blocking network traffic no matter how reckless. That's simply not the case. It protects ISPs behaving _reasonably_. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/

It appears that William Herrin via NANOG <nanog@lists.nanog.org> said:
> On Thu, May 29, 2025 at 10:57 AM Andrew Kirch <trelane@trelane.net> wrote:
>> (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected
> Hi Andrew,
> The key phrase here is "taken in good faith." After I've notified you of an error, your action stops being good faith.
Uh, no. I have no duty to believe what you claim.
Having looked at a lot of case law I can tell you that the only case where a court did not find good faith was a strange one where one anti-malware service listed another (for what looked like good reasons) and a court assumed that since they were direct competitors it wasn't good faith. Other than that, if I think your traffic is objectionable, I can reject it.
See https://blog.ericgoldman.org/archives/2024/06/this-case-keeps-wrecking-inter...
In practice, threatening to sue Amazon is a dumb thing to do because they have far more lawyers and experience and money than you do. This is obviously a screwup and figuring out who to ask nicely is far more likely to work than sending threats you can't actually carry out.
R's, John
PS: Wasn't the original question from someone in South Africa? I have no idea what their law is like, or if Amazon even has enough presence there to sue.

On Thursday, May 29th, 2025 at 3:35 PM, John Levine via NANOG <nanog@lists.nanog.org> wrote:
> It appears that William Herrin via NANOG nanog@lists.nanog.org said:
>> On Thu, May 29, 2025 at 10:57 AM Andrew Kirch trelane@trelane.net wrote:
>>> (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected
>> Hi Andrew,
>> The key phrase here is "taken in good faith." After I've notified you of an error, your action stops being good faith.
> Uh, no. I have no duty to believe what you claim.
> Having looked at a lot of case law I can tell you that the only case where a court did not find good faith was a strange one where one anti-malware service listed another (for what looked like good reasons) and a court assumed that since they were direct competitors it wasn't good faith. Other than that, if I think your traffic is objectionable, I can reject it.
> See https://blog.ericgoldman.org/archives/2024/06/this-case-keeps-wrecking-inter...
> In practice, threatening to sue Amazon is a dumb thing to do because they have far more lawyers and experience and money than you do. This is obviously a screwup and figuring out who to ask nicely is far more likely to work than sending threats you can't actually carry out.
> R's, John
> PS: Wasn't the original question from someone in South Africa? I have no idea what their law is like, or if Amazon even has enough presence there to sue.
Respectfully, is anyone here an actual lawyer giving legal advice? If not, can we maybe just suggest that everyone consults with their own lawyers about what actions they do or do not want to take? Obviously the original comment about sending a legal letter was made out of frustration because reaching an actual human at some of these megacorps is often like pulling teeth. I don't blame them for being frustrated. With that said, I cannot fathom how citing some cases and section 230 will help the original poster get a hold of someone at Amazon and/or resolve their issue. -mu

People don't want to resolve issues. They want to argue and be correct.
-----
Mike Hammett
Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message -----
From: "Mu via NANOG" <nanog@lists.nanog.org>
To: "North American Network Operators Group" <nanog@lists.nanog.org>
Cc: "John Levine" <johnl@iecc.com>, "Mu" <mu@zuqq.me>
Sent: Thursday, May 29, 2025 2:51:33 PM
Subject: Re: Amazon AWS cloudfront WAF block
Respectfully, is anyone here an actual lawyer giving legal advice? If not, can we maybe just suggest that everyone consults with their own lawyers about what actions they do or do not want to take? Obviously the original comment about sending a legal letter was made out of frustration because reaching an actual human at some of these megacorps is often like pulling teeth. I don't blame them for being frustrated. With that said, I cannot fathom how citing some cases and section 230 will help the original poster get a hold of someone at Amazon and/or resolve their issue. -mu

> I cannot fathom how citing some cases and section 230 will help the original poster get a hold of someone at Amazon and/or resolve their issue.
It won't, no. But not much else will either.
AWS default WAF lists are notoriously bad. They often include things they shouldn't. If you are an AWS customer they'll tell you to make your own edits to fix these problems. If you aren't (as in the OP's case), they won't even really talk to you, as the OP experienced.
It's of course exceptionally frustrating when you're in the OP's shoes with this stuff, but this is the unfortunate reality when people chose to use ass products like this.
On Thu, May 29, 2025 at 3:52 PM Mu via NANOG <nanog@lists.nanog.org> wrote:
> Respectfully, is anyone here an actual lawyer giving legal advice?
> If not, can we maybe just suggest that everyone consults with their own lawyers about what actions they do or do not want to take?
> Obviously the original comment about sending a legal letter was made out of frustration because reaching an actual human at some of these megacorps is often like pulling teeth. I don't blame them for being frustrated. With that said, I cannot fathom how citing some cases and section 230 will help the original poster get a hold of someone at Amazon and/or resolve their issue.
> -mu

FWIW we regularly face this at $DAYJOB as a mid-sized nationwide business ISP and have all but given up. Ticketmaster, Hulu, Disney, and others which seem to use Neustar or IPQS simply seem uninterested in our mutual customers being able to do business with them.
Ticketmaster suggested we ask our customers to switch to their cellular hotspot to purchase tickets since “Verizon and AT&T run a tested and secure network”. Implying I don’t but being unable to tell me why that is their assessment. Are you freakin’ kidding me?
IPQS especially seem to be the most extortive of the group, as they would not even entertain a conversation until we paid money to subscribe to their product and then after we paid basically told us to F off because we are a VPN in their eyes.
Every single /32 IP in our customer eyeball network corresponds to a static assignment to one company/client/corporate entity, almost always a single physical business location but we do have some customers who have multi-building setups with tunnels or dark fiber. For all intents and purposes, these LOOK like single-office business grade connections. But because SD-WAN technology is used to deliver the circuits, they refuse to reclassify our IP space as anything other than a hazardous VPN. I sure hope they don’t find out that every eyeball network in America is using SD-WAN technology in 2025, but I digress.
Maybe it’s time for a SMB ISP union?
I kind of love the thought of all of us smaller AS teaming up to fight for what’s fair in internet governance. By strength in numbers of eyeballs served we have a lot of combined weight to effect commerce and customer service experiences for these brands that have snubbed some of our brethren via our routing and performance policies. Probably off the wall.
This entire email should be construed as my personal opinion and not the public position of my employer.
*Alex*
On Thu, May 29, 2025 at 9:18 PM Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
>> I cannot fathom how citing some cases and section 230 will help the original poster get a hold of someone at Amazon and/or resolve their issue.
> It won't, no. But not much else will either.
> AWS default WAF lists are notoriously bad. They often include things they shouldn't. If you are an AWS customer they'll tell you to make your own edits to fix these problems. If you aren't (as in the OP's case), they won't even really talk to you, as the OP experienced.
> It's of course exceptionally frustrating when you're in the OP's shoes with this stuff, but this is the unfortunate reality when people chose to use ass products like this.

WISPA may be the closest thing we have to an SMB ISP union. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Alex Buie via NANOG" <nanog@lists.nanog.org> To: "North American Network Operators Group" <nanog@lists.nanog.org> Cc: "John Levine" <johnl@iecc.com>, "Alex Buie" <abuie@cytracom.com> Sent: Thursday, May 29, 2025 8:29:33 PM Subject: Re: Amazon AWS cloudfront WAF block FWIW we regularly face this at $DAYJOB as a mid-sized nationwide business ISP and have all but given up. Ticketmaster, Hulu, Disney, and others which seem to use Neustar or IPQS simply seem uninterested in our mutual customers being able to do business with them. Ticketmaster suggested we ask our customers switch to their cellular hotspot to purchase tickets since “Verizon and AT&T run a tested and secure network”. Implying I don’t but being unable to tell me why that is their assessment. Are you freakin’ kidding me? IPQS especially seem to be the most extortive of the group, as they would not even entertain a conversation until we paid money to subscribe to their product and then after we paid basically told us to F off because we are a VPN in their eyes. Every single /32 IP in our customer eyeball network corresponds to a static assignment to one company/client/corporate entity, almost always a single physical business location but we do have some customers who have multi-building setups with tunnels or dark fiber. For all intents and purposes, these LOOK like single-office business grade connections. But because SD-WAN technology is used to deliver the circuits, they refuse to reclassify our IP space as anything other than a hazardous VPN. I sure hope they don’t find out that every eyeball network in America is using SD-WAN technology in 2025, but I digress. Maybe it’s time for a SMB ISP union? 
I kind of love the thought of all of us smaller AS teaming up to fight for what’s fair in internet governance. By strength in numbers of eyeballs served we have a lot of combined weight to effect commerce and customer service experiences for these brands that have snubbed some of our brethren via our routing and performance policies. Probably off the wall. This entire email should be construed as my personal opinion and not the public position of my employer. *Alex* On Thu, May 29, 2025 at 9:18 PM Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
I cannot fathom how citing some cases and section 230 will help the original poster get a hold of someone at Amazon and/or resolve their
issue.
It won't, no. But not much else will either.
AWS default WAF lists are notoriously bad. They often include things they shouldn't. If you are an AWS customer they'll tell you to make your own edits to fix these problems. If you aren't (as in the OP's case ), they won't even really talk to you, as the OP experienced.
It's of course exceptionally frustrating when you're in the OP's shoes with this stuff, but this is the unfortunate reality when people chose to use ass products like this.
On Thu, May 29, 2025 at 3:52 PM Mu via NANOG <nanog@lists.nanog.org> wrote:
On Thursday, May 29th, 2025 at 3:35 PM, John Levine via NANOG < nanog@lists.nanog.org> wrote:
It appears that William Herrin via NANOG nanog@lists.nanog.org said:
On Thu, May 29, 2025 at 10:57 AM Andrew Kirch trelane@trelane.net wrote:
(A)any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected
Hi Andrew,
The key phrase here is "taken in good faith." After I've notified you of an error, your action stops being good faith.
Uh, no. I have no duty to believe what you claim.
Having looked at a lot of case law I can tell you that the only case where a court did not find good faith was a strange one where one anti-malware service listed another (for what looked like good reasons) and a court assumed that since they were direct competitors it wasn't good faith. Other than that, if I think your traffic is objectionable, I can reject it.
See
https://blog.ericgoldman.org/archives/2024/06/this-case-keeps-wrecking-inter...
In practice, threatening to sue Amazon is a dumb thing to do because
far more lawyers and experience and money than you do. This is obviously a screwup and figuring out who to ask nicely is far more likely to work
they have than
sending threats you can't actually carry out.
R's, John
PS: Wasn't the original question from someone in South Africa? I have no idea what their law is like, or if Amazon even has enough presence there to sue. _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/QGOVMLWJ...
Respectfully, is anyone here an actual lawyer giving legal advice?
If not, can we maybe just suggest that everyone consults with their own lawyers about what actions they do or do not want to take?
Obviously the original comment about sending a legal letter was made out of frustration because reaching an actual human at some of these megacorps is often like pulling teeth. I don't blame them for being frustrated. With that said, I cannot fathom how citing some cases and section 230 will help the original poster get a hold of someone at Amazon and/or resolve their issue.
-mu

Maybe it’s time for a SMB ISP union? I kind of love the thought of all of us smaller AS teaming up to fight for what’s fair in internet governance.
< personal opinion > not sure it's governance per se. but i suspect this kind of thing is one of the few means of dealing with the problem of centralization and the abuse of its power. randy

Out of curiosity, is there a reasonably clear document somewhere that describes how such network-level block lists should be operated from the view of network operators; i.e., a “best practice” statement that outlines the expectations regarding how a well-run network-level access list should go about adding entries, handle queries about veracity of entries, and removing them? (I honestly do not know, having been removed from network operations for quite some time.) I note that having such expectations clearly documented allows for a variety of activities, including discussions of compliance – and is the first step to recasting the issue from “my network is having problems because it’s {wrongly} on the FooBlockList” to “The issue is that FooBlockList isn’t compliant with accepted best practices in this area.” /John

On Sun, 1 Jun 2025, John Curran wrote:
Out of curiosity, is there a reasonably clear document somewhere that describes how such network-level block lists should be operated from the view of network operators; i.e., a “best practice” statement ...
Sort of. See RFC 6471, Overview of Best Email DNS-Based List (DNSBL) Operational Practices. Running a useful blocklist is very hard. Everyone who's listed insists that it's a mistake. Sometimes they have odd ideas of their responsibility ("we have no control over the customer, we just take their money and route their packets".) Sometimes they are sure they are special so the regular rules don't apply. Sometimes they are confused. Often they just lie. Occasionally, there really is a mistake but recognizing it in the noise is not easy. Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly

Thanks, John – while cast in DNS-based lists, the RFC definitely includes quite a bit of best practice about blocklist management in general. You make an excellent point about the difficulty of running a useful blocklist; unlike some other areas of Internet infrastructure (e.g., routing with routing table entries, route objects, etc. as visible artifacts), it’s nowhere near as evident whether a blocklist is behaving appropriately – the list and/or individual entries may be visible, but the information feeds that drive such listings are far more opaque. It’s kind of a shame, because our track record for Internet infrastructure would suggest that public visibility and transparency in an area tend to drive improvements in operational coordination – sometimes that’s the result of Internet researchers studying the data and making suggestions, other times it’s industry joint initiatives (e.g., MANRS), and worst case, it’s calling out the bad cases publicly; hard to do any of that given the murky nature of blocklist management… /John

BigTech email hosting companies AND many large ESPs - have 1/2 ruined email over the past several years - and have somewhat run a wrecking ball through many of the best DNSBLs *** (see note at the end)

Why? Because why would a spammer want to setup their own domain name or their own server or their own IP space - when they can just send SO MUCH spam from either Google or Microsoft or a large ESP - and as long as it isn't clearly criminal spam - and as long as they're very good at list-washing the spam traps and loudest complainers - none of these large entities seem to care that much about stopping that outbound spam. And even if it is criminal - many of them STILL don't seem to do that much about this (e.g. criminal spear-phishing spammers being able to keep sending from their free-mail acct for many months or even years after first being reported - that happens OFTEN!).

And so then, besides not using their own sending-IPs, why would the spammer use their own domain anymore in the clickable links if they can instead use an ESP's tracking domain for that? So not only does this reduce the effectiveness of DNSBLs, it also harms spam filtering since so much more spam is now sent from servers that also send much legit email - we've always had that - but just not nearly THIS much.

(Meanwhile, for the "boutique" email hosting side of my business, about 30% of every email that comes from a Google email server is a spam, and that number is about 15% for Microsoft. And then there are those criminal phishing scam spams - as well as totally unsolicited spam emails - sent via large ESPs - that's also out of control too.)

So forgive me if I'm "rolling my eyes" when yet another large BigTech company (Amazon) - in this case - thinks they're good at being their own DNSBL - but actually are NOT (at least, according to some on this thread) - and then other/better DNSBLs get blamed? Seriously?
*** At invaluement - to deal with these changes - we've been developing new types of anti-spam data - that we've been working on over the past several years - which are now slowly being rolled out to existing customers - but not yet officially launched - all of that to counteract these changes in the email industry. But that required 10s of thousands of hours of "unbillable overhead" development time - half re-engineering our system - meanwhile these other large ESPs and hosters were "laughing their way to the bank" these past few years, in many of these situations, getting paid by the spammers themselves - but then ya' know - "anti-abuse" is such a pesky expense for them. So then that cost-shifts these entities' lack of outbound spam prevention - such that everyone else's inbound filtering pays the price for this (+ cost shifting to innocent victims for the spams that get through and either steal their time and/or scam them.)

IOW - DNSBLs are NOT nearly the largest problem we have here! And it seems like the better DNSBLs - shouldn't be associated with whatever Amazon isn't doing well.

Rob McEwen, invaluement

On Sun, 1 Jun 2025, John Curran wrote:
Thanks, John – while cast in DNS-based lists, the RFC definitely includes quite a bit of best practice about blocklist management in general.
You make an excellent point about the difficulty of running a useful blocklist; unlike some other areas of Internet infrastructure (e.g., routing with routing table entries, route objects, etc. as visible artifacts), it’s nowhere near as evident whether a blocklist is behaving appropriately – the list and/or individual entries may be visible, but the information feeds that drive such listings are far more opaque.
It's a problem we've been thinking about for literal decades. The bad guys can read anything that's public, and I can assure you that if there were a spec that said we'll block anything that's more than 5% bad traffic, they'd figure out how to send 4.9999% bad traffic and then bulk up the denominator with traffic that is useless but doesn't provoke complaints. So the rules have to be opaque. There are hundreds of blocklists, viz. the list at multirbl.valli.org but in practice there's only a handful that are widely used. Spamhaus is clearly the leader, then perhaps Trend Micro which is the descendent of Vixie's MAPS RBL. Spamhaus' lists are mostly intended for mail and similar messaging but they do have DROP, Don't Route Or Peer, which is a list of networks from which they suggest you accept no traffic at all. DROP is very conservatively managed, never had reason to think it blocked traffic I want. Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly
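
For an operator who wants to know whether any of their own prefixes overlap a published network-level list such as the DROP list mentioned above, the following is an added example, not part of the original message or any list operator's tooling. It assumes a plain-text list with one CIDR per line and an optional `;`-separated reference; that layout, the sample entries (documentation prefixes) and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample list in the assumed "CIDR ; reference" text layout.
# All prefixes are documentation ranges, not real listings.
SAMPLE_LIST = """\
; constructed sample list, documentation prefixes only
192.0.2.0/24 ; REF-0001
198.51.100.128/25 ; REF-0002
2001:db8:dead::/48 ; REF-0003
not-a-prefix ; REF-0004
"""


def parse_list(text):
    """Return (entries, rejected): parsed (network, reference) pairs and
    the (line number, raw line) of anything that is not a valid CIDR."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        entries.append((net, ref.strip()))
    return entries, rejected


def classify(own, listed):
    """Describe how one of our prefixes relates to a listed network."""
    if own.version != listed.version:
        return None  # never compare IPv4 with IPv6
    if own == listed:
        return "exact"
    if own.subnet_of(listed):
        return "covered"  # our whole prefix sits inside the listing
    if listed.subnet_of(own):
        return "partial"  # the listing is a more-specific of our prefix
    return None


def check_prefixes(own_prefixes, entries):
    """Compare every announced prefix against every list entry."""
    findings = []
    for prefix in own_prefixes:
        own = ipaddress.ip_network(prefix, strict=False)
        for listed, ref in entries:
            relation = classify(own, listed)
            if relation:
                findings.append({
                    "prefix": str(own),
                    "listed": str(listed),
                    "ref": ref,
                    "relation": relation,
                })
    return findings


if __name__ == "__main__":
    # Constructed set of "our" announcements, again documentation ranges.
    ours = ["198.51.100.0/24", "192.0.2.0/25",
            "203.0.113.0/24", "2001:db8:dead:beef::/64"]
    entries, rejected = parse_list(SAMPLE_LIST)
    for f in check_prefixes(ours, entries):
        print(f"{f['prefix']} {f['relation']} by {f['listed']} ({f['ref']})")
    for lineno, raw in rejected:
        print(f"skipped line {lineno}: {raw!r}")
```

A "partial" result is the case worth chasing first: only a more-specific block inside the announcement is listed, which narrows down which customer assignment to look at.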

On Sun, 1 Jun 2025, John R. Levine via NANOG wrote:
On Sun, 1 Jun 2025, John Curran wrote:
Out of curiosity, is there a reasonably clear document somewhere that describes how such network-level block lists should be operated from the view of network operators; i.e., a “best practice” statement ...
Sort of. See RFC 6471, Overview of Best Email DNS-Based List (DNSBL) Operational Practices.
Running a useful blocklist is very hard. Everyone who's listed insists that it's a mistake.
It doesn't have to be "very hard". It all depends on what the DNSBL's listing criteria are. With clear cut criteria that can be detected via code and automation, I demonstrated it can be done by one person in their spare time. Are there still cartoony threats of legal action or physical violence? Sure. Fortunately, none followed through with me. I did get some of what I'd call "indirect help"...people offering bits of code to help with the automation, software [rbldnsd] that coincidentally became available just when I needed it because bind was not scaling well, but nobody else had the access and familiarity with the systems to directly help run the thing. BTW...I don't know if it was a one-off or a new tactic, but on the topic of "the really big mailers" apparently not caring about their outbound spam problem[1], about a week ago, I saw a spam campaign being sent by setting up a Yahoo account to forward to an address hosted by Microsoft which acted as "the mailing list". The spammer would send a message to the Yahoo address, which would forward to Microsoft, and then Microsoft would explode it to all the recipients. Curious, I tried testing re-use of their system, and found that by the time I did that, the address (not the domain) hosted at Microsoft had been deleted. I don't know if this was done by the spammer as soon as they had sent their spam (that's my hunch), or by MSFT abuse. The Yahoo account was still there, and the forwarding to the account at MSFT was still in place. [1] I'd like to assume the big mailers (i.e. Yahoo, Microsoft, Google, etc.) are actively fighting their systems being abused by spammers, but these efforts are underfunded, understaffed, and whatever % we see leaking gives us the false impression they're not even trying. ---------------------------------------------------------------------- Jon Lewis, MCP :) | I route Blue Stream Fiber, Sr. Neteng | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

On Thu, May 29, 2025 at 12:34 PM John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that William Herrin via NANOG <nanog@lists.nanog.org> said:
On Thu, May 29, 2025 at 10:57 AM Andrew Kirch <trelane@trelane.net> wrote:
(A)any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected
The key phrase here is "taken in good faith." After I've notified you of an error, your action stops being good faith.
Uh, no. I have no duty to believe what you claim.
Hi John, That is correct as far as it goes. However, if I *tell you* that you're hurting me and your response is, "I don't believe you and I can't be bothered to check," you are acting in bad faith. That doesn't necessarily make it unlawful, but any protections you had based on "good faith" are out the window. That's how Cox got smacked around in their piracy lawsuit: they reacted to notification in bad faith. Remember, the whole argument I made hinges on the premise that OP believes that if he could just talk to a human being responsible for the blocking activity and make his case, that human being, upon checking and confirming his presented facts, would agree with him. If that doesn't hold, then neither does my argument. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/

Andrew, I respect everyone's right to block my traffic. It's mere courtesy for them to at least say that so we can relay that insensitivity to our customers. PR nightmares are bad regardless of who starts them. As others have shared in my absence, I only desire that companies would explain why we're being blocked so we can knock the bad actors off our network. In the case of Amazon, Target, Disney, Netflix, Chase, BoA, and others - they go mum when you ask what threat service they are using to drop you. When I approach the threat list companies, we're either ignored or given the runaround. It seems that these companies don't have a very good ISP relations program. Lawsuits on the matter are dumb - it's akin to my kids fighting over Legos or who pushed who first. It just seems that lawyers can find the ear of someone that will make a constructive conversation happen. I'm not an attorney, so maybe I overstepped with the term "demand letter," but "our guy" has sent something to "their guy" that got the conversation going that ended in a positive resolution. The internet community needs a more amicable method of communicating these issues or the only ISPs surviving will be the monster sized networks capable of navigating the fog. All I want is for the accuser (threat detector) to tell me how to determine the bad actor on my network so I can throw them off for an AUP violation. Eric

I think this has really blown off course. Someone simply wants to find a knowledgable person inside a very large organization so their relatively small org can follow whatever rules are necessary to get off a list. The point of demand letters & lawsuits are, IMHO, either someone’s frustration showing or hyperbole or perhaps engineers not understanding how the law works.

The “root cause” here is, at its simplest, an attempt to connect two clueful engineers in two separate organizations to solve an engineering problem. Seems like a perfectly reasonable request to me. Also seems like something that is hard to get a “hyperscaler” to pay attention to. Who here has never had a problem finding the right person at another company over the years?

So let’s help them solve the underlying problem and connect the right people. If not for the good of the Internet, then to lower the lawyers’ billable hours - something I hope everyone can support!

-- TTFN, patrick

P.S. I Am Not A Lawyer. (Hell, I am not even an ISP. :) But then, neither are Bill or Andrew AFAIK. That said, who can resist a bit of NOT LEGAL ADVICE for aspiring engineers-playing-lawyers-on-TV?

1) SLAPP laws do not exist in every state in the US. In some states where they do exist, they suck. Outside the US it gets even weirder. And in states where they do exist and are considered good by lawyers, they are still not a get-out-of-court-for-zero-dollars card. Which is a long-winded way of saying you should not depend on them as an iron-clad protection. (Ken White is well respected and has an easy to understand primer on Anti-SLAPP suits: https://www.popehat.com/p/what-is-an-anti-slapp-anyway-a-lawsplainer.)

2) Good faith is not, AIUI, what you say below Bill. Just ‘cause I am blocking you after you told me “I do not want you to block me” does not mean, as a matter of law, that I am operating in bad faith. Nor is my blocking your IP address guaranteed to be tortious interference, even if my customer asks me to stop blocking it. There is way more to it than that. Again, not a lawyer, etc., etc., but I have been doing this a while and have run into similar situations where actual lawyers told me things I (perhaps incorrectly) believe are relevant here.

3) Even real lawyers with decades of experience would not be as certain in their statements as the engineers-pretending-to-be-lawyers on this list are. (Not just the people in this thread, but in general.) I urge everyone to take a page out of their playbook. When you ask a lawyer a question, the answer is always “it depends”. Doesn’t matter what the question is. “What did you have to breakfast?”, “It depends, do you mean this morning or before 11 AM or ….” Sure, they might follow up with a “likely to prevail” comment sometimes, but do you want to risk massive legal bills - perhaps your entire corporation - on “likely”? I urge you all to be a bit more conservative & humble.
On May 29, 2025, at 14:52, William Herrin via NANOG <nanog@lists.nanog.org> wrote:
On Thu, May 29, 2025 at 10:57 AM Andrew Kirch <trelane@trelane.net> wrote:
(A)any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected
Hi Andrew,
The key phrase here is "taken in good faith." After I've notified you of an error, your action stops being good faith. You've either investigated my complaint and determined your action is reasonable and correct, investigated my complaint and fixed your error, or failed to investigate my complaint. Whichever way you go, it's no longer a "good faith" matter and this section of the statute no longer applies. Your following action has to stand the test of reasonability without it.
In the Spamhaus case, their defense was: "We merely published a summary of our observations about the plaintiff's behavior." That's an objectively reasonable thing to do.
I don't have to accept your traffic. Amazon doesn't have to accept your traffic. No one has to accept your traffic. I can deny your traffic for any lawful reason even if that traffic might be otherwise constitutionally protected.
"We reserve the right to refuse service," is a very common sign but it has no force of law. If you refuse service without a reasoned and articulable cause, you run afoul of a thousand statutes and precedents which bound the lawful causes for doing so. Tortious interference is one of those precedents. It says that if you knowingly prevent third parties from completing a reasonable and lawful contract with each other, you're liable for the damage that interference causes.
There are, of course, many more lawful reasons for refusing service than unlawful ones. But you can't be arbitrary or capricious about it; you have to be able to articulate a cause for that specific refusal that a reasonable person would find sensible.
Section 230 doesn't undo the tortious interference precedents. It just reminds the judge that _knowingly_ is a part of the claim the plaintiff must prove with specificity. That your interference was unintentional is a winning affirmative defense.
tl;dr: you claim that section 230 means ISPs can legally do whatever they want blocking network traffic no matter how reckless. That's simply not the case. It protects ISPs behaving _reasonably_.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/

On Thu, May 29, 2025 at 12:37 PM patrick via NANOG <nanog@lists.nanog.org> wrote:
I think this has really blown off course. Someone simply wants to find a knowledgable person inside a very large organization so their relatively small org can follow whatever rules are necessary to get off a list. The point of demand letters & lawsuits are, IMHO, either someone’s frustration showing or hyperbole or perhaps engineers not understanding how the law works.
Hi Patrick, The point of demand letters is to cut through the bureaucracy to that "knowledgeable person" you mentioned. When the organization offers more reasonable ways to reach that "knowledgeable person," demand letters are rarely necessary. You can think of a demand letter as the last engineering solution you try before falling back on legal processes to compel change. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/

On May 29, 2025, at 16:20, William Herrin <bill@herrin.us> wrote:
On Thu, May 29, 2025 at 12:37 PM patrick via NANOG <nanog@lists.nanog.org> wrote:
I think this has really blown off course. Someone simply wants to find a knowledgable person inside a very large organization so their relatively small org can follow whatever rules are necessary to get off a list. The point of demand letters & lawsuits are, IMHO, either someone’s frustration showing or hyperbole or perhaps engineers not understanding how the law works.
Hi Patrick,
The point of demand letters is to cut through the bureaucracy to that "knowledgeable person" you mentioned. When the organization offers more reasonable ways to reach that "knowledgeable person," demand letters are rarely necessary. You can think of a demand letter as the last engineering solution you try before falling back on legal processes to compel change.
First, no company I know or have even heard of would let an engineer send a demand letter. Only lawyers do that. Also, most companies (all? at least all big companies - to a first approximation) have rules around “if the other side involves a lawyer, we have to engage one on our side”. If by some miracle an engineer did send the demand letter, it would almost certainly still trigger legal involvement on the receiving end, which changes the dynamic drastically. So no, it is not an engineering solution. Sometimes it is the right action, but we are not going to lay out all the possible situations on a mailing list. Should one have been sent in this case? I honestly do not know, and neither do you. I doubt the OP does. However, the OP said it broke the log jam, so yay, it worked. (Before anyone says that proves it was the right action, please put down your mouse and step away from the keyboard slowly.) TL:DR: I counsel against thinking of it as “before falling back on legal”. You passed that rubric by sending the letter. -- TTFN, patrick

You can think of a demand letter as the last engineering solution you try before falling back on legal processes to compel change.
The last engineering solution is always the one right before the lawyers get involved. On Thu, May 29, 2025 at 4:35 PM William Herrin via NANOG < nanog@lists.nanog.org> wrote:
On Thu, May 29, 2025 at 12:37 PM patrick via NANOG <nanog@lists.nanog.org> wrote:
I think this has really blown off course. Someone simply wants to find a knowledgable person inside a very large organization so their relatively small org can follow whatever rules are necessary to get off a list. The point of demand letters & lawsuits are, IMHO, either someone’s frustration showing or hyperbole or perhaps engineers not understanding how the law works.
Hi Patrick,
The point of demand letters is to cut through the bureaucracy to that "knowledgeable person" you mentioned. When the organization offers more reasonable ways to reach that "knowledgeable person," demand letters are rarely necessary. You can think of a demand letter as the last engineering solution you try before falling back on legal processes to compel change.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/

Without attempting to actually clarify what tortious interference actually is, let's just make it clear that Bill's attempted explanation isn't it.
On Thu, May 29, 2025 at 2:54 PM William Herrin via NANOG <nanog@lists.nanog.org> wrote:
On Thu, May 29, 2025 at 10:57 AM Andrew Kirch <trelane@trelane.net> wrote:
(A)any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected
Hi Andrew,
The key phrase here is "taken in good faith." After I've notified you of an error, your action stops being good faith. You've either investigated my complaint and determined your action is reasonable and correct, investigated my complaint and fixed your error, or failed to investigate my complaint. Whichever way you go, it's no longer a "good faith" matter and this section of the statute no longer applies. Your following action has to stand the test of reasonability without it.
In the Spamhaus case, their defense was: "We merely published a summary of our observations about the plaintiff's behavior." That's an objectively reasonable thing to do.
I don't have to accept your traffic. Amazon doesn't have to accept your traffic. No one has to accept your traffic. I can deny your traffic for any lawful reason even if that traffic might be otherwise constitutionally protected.
"We reserve the right to refuse service," is a very common sign but it has no force of law. If you refuse service without a reasoned and articulable cause, you run afoul of a thousand statutes and precedents which bound the lawful causes for doing so. Tortious interference is one of those precedents. It says that if you knowingly prevent third parties from completing a reasonable and lawful contract with each other, you're liable for the damage that interference causes.
There are, of course, many more lawful reasons for refusing service than unlawful ones. But you can't be arbitrary or capricious about it; you have to be able to articulate a cause for that specific refusal that a reasonable person would find sensible.
Section 230 doesn't undo the tortious interference precedents. It just reminds the judge that _knowingly_ is a part of the claim the plaintiff must prove with specificity. That your interference was unintentional is a winning affirmative defense.
tl;dr: you claim that section 230 means ISPs can legally do whatever they want blocking network traffic no matter how reckless. That's simply not the case. It protects ISPs behaving _reasonably_.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/

On Thu, May 29, 2025 at 12:39 PM Tom Beecher <beecher@beecher.cc> wrote:
Without attempting to actually clarify what tortious interference actually is, let's just make it clear that Bill's attempted explanation isn't it.
https://en.wikipedia.org/wiki/Tortious_interference
"As an example, someone [...] could obstruct someone's ability to honor a contract with a client by deliberately refusing to deliver necessary goods."
I hate using wikipedia to "prove" a point, but if you want to understand something in plain language it's a pretty good place to start reading.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/

Bill, that's the typical definition that I've used and it's what I'm referring to in this type of relationship. Reiterated, "This threat list service is labeling my customer as a threat, and that is interfering with my ability to enable them to reach the entire internet." Lots of details are not said, it is a high standard to meet, but it is a term that "their guys" understand, which is usually enough to get that constructive conversation. I also reiterate my previous point that if the constructive conversation were easier to start, we'd have a internet with better neighbors. These threat lists do not even send abuse emails to us on our ARIN listed contacts - only the DMCA guys do that.
Eric

I'll take my prelaw classes in college over your Wikipedia University, thanks.
On Thu, May 29, 2025 at 4:03 PM William Herrin <bill@herrin.us> wrote:
On Thu, May 29, 2025 at 12:39 PM Tom Beecher <beecher@beecher.cc> wrote:
Without attempting to actually clarify what tortious interference actually is, let's just make it clear that Bill's attempted explanation isn't it.
https://en.wikipedia.org/wiki/Tortious_interference
"As an example, someone [...] could obstruct someone's ability to honor a contract with a client by deliberately refusing to deliver necessary goods."
I hate using wikipedia to "prove" a point, but if you want to understand something in plain language it's a pretty good place to start reading.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/

If you have some tricks on how to be removed from said blacklists, it would be much appreciated.
https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/80.67.19... is listed as VPN/proxy. My guess is that because my LIR announces the whole /19 and at some point some IPs of this /19 were used as open VPN, while my IPs aren’t in that case.
Alarig
On Thu 29 May 2025 01:20:51 GMT, Eric C. Miller via NANOG wrote:
We're still playing whack a mole with our IP space. I've asked our corporate counsel about sending demand letters with an accusation of tortious interference.
IP Quality Score seems to be a big nuisance. Check a few of your IPs on their website.
No silver bullets though.
Eric
participants (22)
- Alarig Le Lay
- Alex Buie
- Andrew Kirch
- Brandon Martin
- bzs@theworld.com
- Endre Szabo
- Eric C. Miller
- Forrest Christian (List Account)
- John Curran
- John Kristoff
- John Levine
- John R. Levine
- Jon Lewis
- Mike Hammett
- Mu
- patrick
- paul@vanilla.capetown
- Randy Bush
- Rob McEwen
- Stipo
- Tom Beecher
- William Herrin