WASHINGTON -- The small city of Battle Creek, Michigan, wants to lock up an anti-spam activist who it believes crashed its mail server.
Never mind that the town government was using a buggy version of the Lotus Domino e-mail server, and that newer releases have fixed the problem. And never mind that anti-spammers may have been conducting a routine scan for possible sources of bulk e-mail.
Battle Creek, a town of 54,000 best known as the headquarters of the Kellogg's cereal company, is on the warpath.
Robert Drewry, a Battle Creek detective, said on Wednesday he was hoping to file felony charges of computer intrusion against the person at the Orbz anti-spam service who contacted the Domino server, and caused e-mail to crash for 24 hours. "If we can identify the person responsible, yes, we will prosecute," Drewry said.
This new Battle of Battle Creek -- the first one in 1824 pitted local Indians against surveyors -- began when an Orbz computer allegedly connected to the town's mail server to see if it might be an anti-spammer bugaboo: A relay point for bulk e-mailers.
It wasn't. But it was running an old Lotus Domino version, and what would normally have been a routine test by Orbz allegedly caused the server to mail-bomb itself into a tizzy.
Cindy Hale, a systems administrator for the town, said she was the one who had to deal with the crash.
"We had to get with our Cisco expert and get into our firewall and make some changes in there and make some changes to our (Lotus) server to not accept anymail from Orbz," Hale said.
Then Hale did what has incited a feeding frenzy this week in the online communities devoted to canning spam: She called the cops. "I just called our police department and asked if they wanted to investigate any further and there we are," Hale said.
Hale's phone call and subsequent police investigation have led activists on the spam-l mailing list and and news.admin.net-abuse.email newsgroup to vow that "Battle Creek will soon become Battle Stations," and already has prompted talk of a legal defense fund for Orbz.
The activist at the center of this controversy, who could face up to 10 years in prison under Michigan criminal law, is Ian Gulliver, a 20-year-old systems administrator who lives near Ghent, New York. Gulliver is the administrator for the Orbz (pronounced "orb-zee") blacklist.
Created last June, Orbz is one of the newer incarnations of blacklists assembled by devoted activists fed up with clogged connections, cluttered inboxes and overflowing mail spools.
It lists about 70,000 open relays that spammers typically rely on to spread bulk e-mail. Network administrators can configure their systems to reject, discard or return any mail that comes from an address appearing on Orbz's blacklist.
Orbz claims some distinguished customers, including about 200 large institutions -- Intel and AT&T Research among them -- who regularly download the latest spammer blacklist, plus tens of thousands of individual users.
More importantly, Orbz relies on the same connect-to-a-mail-server technique that's commonplace on the Internet. The Orbz queries -- phrased in the MAIL FROM syntax -- may have given a buggy Lotus Domino server fits, but they appear to be perfectly compliant with Internet standards.
Gulliver discovered the Lotus Domino problem last year. In August, he sent an alert to the bugtraq mailing list saying Orbz had learned that its queries could "cause Lotus Domino to enter a mail routing loop and consume 100 percent CPU." (Lotus has since released a patch.)
Gulliver said he first learned of the investigation at 10:15 p.m. EST on Tuesday, when he visited his post office box and picked up a certified letter. In it was a search warrant signed by a Michigan judge that authorized the search and seizure of all data relating to Orbz accounts.
It wasn't technically compulsory because it was an out-of-state court order, but Gulliver took no chances.
He immediately pulled the plug on the orbz.org site and posted a message on the Orbz mailing list saying: "I was happy to try to weather any civil issues that may have come up, and I was committed to seeing it through. However, the threat of jail time is too much; I don't believe in this fight quite that much."
"If you could be arrested for sending mail that just happened to crash someone's mail server, there would be no more e-mail," Gulliver said on Wednesday. "Nobody would dare to send it."
He would not release a copy of the search warrant, saying that his lawyer had advised him against it.
Detective Drewry says that the Orbz query to the city mail server was felonious because it "went a little bit further than just a scan to see if a port was open or to see if a machine had a fault or a software bug wasn't fixed. It caused a disruption of our e-mail service for 24 hours."
He said that county prosecutors are aware of the case -- "all of our search warrants in our county have to be presented to a prosecutor before they are sworn before a magistrate" -- and the police department is eager to continue the investigation.
Michigan's computer crime law, enacted in 1979, says that "a person shall not intentionally and without authorization gain access to, alter, damage or destroy a computer software program or data." Access is defined broadly, meaning any sort of communication with a computer connected to a network.
Barry Steinhardt, the associate director of the ACLU, says that not only is publishing an Orbz-style blacklist legal, but contacting mail servers should be as well.
"Should that be a criminal act? I think not," Steinhardt said. "Testing security is not only a well-established practice on the Internet, but it's an important practice on the Internet. It's how we determine whether systems are secure."
But Steinhardt said that if Battle Creek wanted to pursue the case, it would encounter few problems persuading a New York judge to enforce a search warrant from a Michigan court.
