idnits 2.17.1

draft-ietf-run-spew-08.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------

** Looks like you're using RFC 2026 boilerplate. This must be updated to
   follow RFC 3978/3979, as updated by RFC 4748.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------

** Missing document type: Expected "INTERNET-DRAFT" in the upper left hand
   corner of the first page

** Missing expiration date. The document expiration date should appear on
   the first and last page.

** The document seems to lack a 1id_guidelines paragraph about 6 months
   document validity -- however, there's a paragraph with a matching
   beginning. Boilerplate error?

** The document is more than 15 pages and seems to lack a Table of Contents.

== No 'Intended status' indicated for this document; assuming Proposed
   Standard

== It seems as if not all pages are separated by form feeds - found 0 form
   feeds but 18 pages

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------

** The document seems to lack an IANA Considerations section. (See Section
   2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
   when there are no actions for IANA.)

** The document seems to lack an Authors' Addresses Section.

** The document seems to lack separate sections for Informative/Normative
   References. All references will be assumed normative when checking for
   downward references.

** There are 3 instances of too long lines in the document, the longest one
   being 6 characters in excess of 72.

== There are 2 instances of lines with non-RFC2606-compliant FQDNs in the
   document.

== There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
   in the document.
   If these are example addresses, they should be changed.

Miscellaneous warnings:
----------------------------------------------------------------------------

-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
   have content which was first submitted before 10 November 2008. If you
   have contacted all the original authors and they are all willing to
   grant the BCP78 rights to the IETF Trust, then this is fine, and you can
   ignore this comment. If not, you may need to add the pre-RFC5378
   disclaimer. (See the Legal Provisions document at
   https://trustee.ietf.org/license-info for more information.)

-- The document date (April 1999) is 9141 days in the past. Is this
   intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------

(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)

-- Possible downref: Non-RFC (?) normative reference: ref. '1'

** Downref: Normative reference to an Informational RFC: RFC 2196 (ref. '2')

-- Possible downref: Non-RFC (?) normative reference: ref. '3'

-- Possible downref: Non-RFC (?) normative reference: ref. '4'

** Obsolete normative reference: RFC 822 (ref. '5') (Obsoleted by RFC 2822)

Summary: 11 errors (**), 0 flaws (~~), 4 warnings (==), 5 comments (--).

Run idnits with the --verbose option for more detailed information about
the items above.

--------------------------------------------------------------------------------

IETF RUN Working Group                          Sally Hambridge/Intel
draft-ietf-run-spew-08.txt       Albert Lunde/Northwestern University
                                                           April 1999

                             DON'T SPEW
              A Set of Guidelines for Mass Unsolicited
                   Mailings and Postings (spam*)

Abstract

This document explains why mass unsolicited electronic mail messages
are harmful in the Internetworking community.
It gives a set of guidelines for dealing with unsolicited mail for
users, for system administrators, news administrators, and mailing
list managers. It also makes suggestions Internet Service Providers
might follow.

Status of This Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Comments on this draft should be sent to ietf-run@mailbag.intel.com.

1. Introduction

The Internet's origins in the Research and Education communities
played an important role in the foundation and formation of Internet
culture. This culture defined rules for network etiquette
(netiquette) and communication based on the Internet's being
relatively off-limits to commercial enterprise.

This all changed when the U.S. Government was no longer the primary
funding body for the U.S. Internet, when the Internet truly went
global, and when all commercial enterprises were allowed to join what
had been strictly research networks. Internet culture had become
deeply embedded in the protocols the network used. Although the
social context has changed, the technical limits of the Internet
protocols still require a person to enforce certain limits on
resource usage for the 'Net to function effectively.
Strong authentication was not built into the News and Mail protocols.
The only thing that is saving the Internet from congestion collapse
is the voluntary inclusion of TCP backoff in almost all of the TCP/IP
driver code on the Internet. There is no end-to-end cost accounting
and/or cost recovery. Bandwidth is shared among all traffic without
resource reservation (although this is changing).

Unfortunately for all of us, the culture so carefully nurtured
through the early years of the Internet was not fully transferred to
all those new entities hooking into the bandwidth. Many of those
entities believe they have found a paradise of thousands of potential
customers each of whom is desperate to learn about stunning new
business opportunities. Alternatively, some of the new netizens
believe all people should at least hear about the one true religion
or political party or process. And some of them know that almost no
one wants to hear their message but just can't resist how inexpensive
the net can be to use. While there may be thousands of folks
desperate for any potential message, mass mailings or Netnews
postings are not at all appropriate on the 'Net.

This document explains why mass unsolicited email and Netnews posting
(aka spam) is bad, what to do if you get it, what webmasters,
postmasters, and news admins can do about it, and how an Internet
Service Provider might respond to it.

2. What is Spam*?

The term "spam" as it is used to denote mass unsolicited mailings or
netnews postings is derived from a Monty Python sketch set in a
movie/tv studio cafeteria. During that sketch, the word "spam" takes
over each item offered on the menu until the entire dialogue consists
of nothing but "spam spam spam spam spam spam and spam."
This so closely resembles what happens when mass unsolicited mail and
posts take over mailing lists and netnews groups that the term has
been pushed into common usage in the Internet community.

When unsolicited mail is sent to a mailing list and/or news group it
frequently generates more hate mail to the list or group or apparent
sender by people who do not realize the true source of the message.
If the mailing contains suggestions for removing your name from a
mailing list, 10s to 100s of people will respond to the list with
"remove" messages meant for the originator. So, the original message
(spam) creates more unwanted mail (spam spam spam spam), which
generates more unwanted mail (spam spam spam spam spam spam and
spam). Similar occurrences are perpetrated in newsgroups, but this
is held somewhat in check by "cancelbots" (programs which cancel
postings) triggered by mass posting. Recently, cancelbots have grown
less in favor with those administering News servers since the
cancelbots are now generating the same amount of traffic as spam.
Even News admins are beginning to use filters, demonstrating that
spam spam spam spam spam spam and spam is a monumental problem.

3. Why Mass Mailing is Bad

In the world of paper mail we're all used to receiving unsolicited
circulars, advertisements, and catalogs. Generally we don't object
to this - we look at what we find of interest, and we discard/recycle
the rest. Why should receiving unsolicited email be any different?

The answer is that the cost model is different. In the paper world,
the cost of mailing is borne by the sender. The sender must pay for
the privilege of creating the ad and the cost of mailing it to the
recipient. An average paper commercial mailing in the U.S. ends up
costing about $1.00 per addressee. In the world of electronic
communications, the recipient bears the majority of the cost.
Yes, the sender still has to compose the message and the sender has
to pay for Internet connectivity. However, the recipient ALSO has to
pay for Internet connectivity and possibly also connect time charges
and for disk space. For electronic mailings the recipient is
expected to help share the cost of the mailing. Bulk Internet mail
from the U.S. ends up costing the sender only about 1/100th of a cent
per address; or FOUR ORDERS of magnitude LESS than bulk paper
mailings!

Of course, this cost model is very popular with those looking for
cheap methods to get their message out. By the same token, it's very
unpopular with people who have to pay for their messages just to find
that their mailbox is full of junk mail. Neither do they appreciate
being forced to spend time learning how to filter out unwanted
messages. Consider this: if you had to pay for receiving paper mail
would you pay for junk mail?

Another consideration is that the increase in volume of spam will
have an impact on the viability of electronic mail as a
communications medium. If, when you went to your postal mail box you
found four crates of mail, would you be willing to search through the
crates for the one or two pieces of mail which were not advertising?
Spam has a tremendous potential to create this scenario in the
electronic world.

Frequently spammers indulge in unethical behavior such as using mail
servers which allow mail to be relayed to send huge amounts of
electronic solicitations. Or they forge their headers to make it
look as if the mail originates from a different domain. These people
don't care that they're intruding into a personal or business mailbox
nor do they care that they are using other people's resources without
compensating them.

The huge cost difference has other bad effects. Since even a very
cheap paper mailing is going to cost tens of (U.S.)
cents there is a real incentive to send only to those really likely
to be interested. So paper bulk mailers frequently pay a premium to
get high quality mailing lists, carefully prune out bad addresses and
pay for services to update old addresses. Bulk email is so cheap
that hardly anyone sending it bothers to do any of this. As a
result, the chance that the receiver is actually interested in the
mail is very, very, very low.

As of the date of this document, it is a daily event on the Internet
for a mail service to melt-down due to an overload of spam. Every
few months this happens to a
large/major/regional/national/international service provider
resulting in denial of or severe degradation of service to hundreds
of thousands of users. Such service degradations usually prompt the
providers to spend hundreds of thousands of dollars upgrading their
mail service equipment just because of the volume of spam. Service
providers pass those costs on to customers.

Doesn't the U.S. Constitution guarantee the ability to say whatever
one likes? First, the U.S. Constitution is law only in the U.S., and
the Internet is global. There are places your mail will reach where
free speech is not a given. Second, the U.S. Constitution does NOT
guarantee one the right to say whatever one likes. In general, the
U.S. Constitution refers to political freedom of speech and not to
commercial freedom of speech. Finally, and most importantly, the
U.S. Constitution DOES NOT guarantee the right to seize the private
property of others in order to broadcast your speech. The Internet
consists of a vast number of privately owned networks in voluntary
cooperation. There are laws which govern other areas of electronic
communication, namely the "junk fax" laws. Although these have yet
to be applied to electronic mail they are still an example of the
"curbing" of "free speech."
Free speech does not, in general, require other people to spend their
money and resources to deliver or accept your message.

Most responsible Internet citizens have come to regard unsolicited
mail/posts as "theft of service". Since the recipient must pay for
the service and for the most part the mail/posts are advertisements
of unsolicited "stuff" (products, services, information) those
receiving it believe that the practice of making the recipient pay
constitutes theft.

The crux of sending large amounts of unsolicited mail and news is not
a legal issue so much as an ethical one. If you are tempted to send
unsolicited "information" ask yourself these questions: "Whose
resources is this using?" "Did they consent in advance?" "What
would happen if everybody (or a very large number of people) did
this?" "How would you feel if 90% of the mail you received was
advertisements for stuff you didn't want?" "How would you feel if 95%
of the mail you received was advertisements for stuff you didn't
want?" "How would you feel if 99% of the mail you received was
advertisements for stuff you didn't want?"

Although numbers on the volume and rate of increase of spam are not
easy to find, seat-of-the-pants estimates from the people on spam
discussion mailing lists [1] indicate that unsolicited mail/posts
seems to be following the same path of exponential growth as the
Internet as a whole [2]. This is NOT encouraging, as this kind of
increase puts a strain on servers, connections, routers, and the
bandwidth of the Internet as a whole. On a per person basis,
unsolicited mail is also on the increase, and individuals also have
to bear the increasing cost of increasing numbers of unsolicited and
unwanted mail.
People interested in hard numbers may want to point their web
browsers to www.junkproof.com where the webmaster there lists the
number of spam messages he has filtered away from his users.

Finally, sending large volumes of unsolicited email or posting
voluminous numbers of Netnews postings is just plain rude. Consider
the following analogy: Suppose you discovered a large party going on
in a house on your block. Uninvited, you appear, then join each
group in conversation, force your way in, SHOUT YOUR OPINION (with a
megaphone) of whatever you happen to be thinking about at the time,
drown out all other conversation, then scream "discrimination" when
folks tell you you're being rude.

To continue the party analogy, suppose instead of forcing your way
into each group you stood on the outskirts a while and listened to
the conversation. Then you gradually began to add comments relevant
to the discussion. Then you began to tell people your opinion of the
issues they were discussing; they would probably be less inclined to
look badly on your intrusion. Note that you are still intruding.
And that it would still be considered rude to offer to sell products
or services to the guests even if the products and services were
relevant to the discussion. You are in the wrong venue and you need
to find the right one.

Lots of spammers act as if their behavior can be forgiven by
beginning their messages with an apology, or by personalizing their
messages with the recipient's real name, or by using a number of
ingratiating techniques. But much like the techniques used by Uriah
Heep in Dickens' _David Copperfield_, these usually have an effect
opposite to the one intended. Poor excuses ("It's not illegal,"
"This will be the only message you receive," "This is an ad," "It's
easy to REMOVE yourself from our list") are still excuses.
Moreover, they are likely to make the recipient MORE aggravated
rather than less aggravated.

In particular, there are two very severe problems with believing that
a "remove" feature to stop future mail helps: (1) Careful tests have
been done with sending remove requests for "virgin" email accounts
(that have never been used anywhere else). In over 80% of the cases,
this resulted in a deluge of unsolicited email, although usually from
other sources than the one the remove was sent to. In other words,
if you don't like unsolicited mail, you should think carefully before
using a remove feature because the evidence is that it will result in
more mail not less. (2) Even if it did work, it would not stop lots
of new unsolicited email every day from new businesses that hadn't
mailed before.

4a. ACK! I've Been Spammed - Now What?

It's unpleasant to receive mail which you do not want. It's even
more unpleasant if you're paying for connect time to download it.
And it's really unpleasant to receive mail on topics which you find
offensive. Now that you're good and mad, what's an appropriate
response?

First, you always have the option to delete it and get on with your
life. This is the easiest and safest response. It does not
guarantee you won't get more of the same in the future, but it does
take care of the current problem. Also, if you do not read your mail
on a regular basis it is possible that your complaint is much too
late to do any good.

Second, consider strategies that take advantage of screening
technology. You might investigate technologies that allow you to
filter unwanted mail before you see it. Some software allows you to
scan subject lines and delete unwanted messages before you download
them.
Other programs can be configured to download portions of messages,
check them to see if they are advertising (for example) and delete
them before the whole message is downloaded.

Also, your organization or your local Internet Service Provider may
have the ability to block unwanted mail at their mail relay machines
and thus spare you the hassle of dealing with it at all. It is worth
inquiring about this possibility if you are the victim of frequent
spam.

Your personal mailer software may allow you to write rules defining
what you do and do not wish to read. If so, write a rule which sends
mail from the originator of the unwanted mail to the trash. This
will work if one sender or site repeatedly bothers you. You may also
consider writing other rules based on other headers if you are sure
the probability of them being activated for non-spam is low enough.
That way, although you may still have to pay to download it, you
won't have to read it!

Third, you may consider sending the mail back to the originator
objecting to your being on the mailing-list; however, we recommend
against this. First, a lot of spammers disguise who they are and
where their mail comes from by forging the mail headers. Unless you
are very experienced at reading headers discovering the true origin
of the mail will probably prove difficult. Although you can engage
your local support staff to help you with this, they may have much
higher priorities (such as setting up site-wide filters to prevent
spam from entering the site). Second, responding to this email will
simply verify your address as valid and make your address more
valuable for other (ab)uses (as was mentioned above in Section 3).
Third, even if the two previous things do not happen, very probably
your mail will be directed to the computer equivalent of a black hole
(the bit-bucket).
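
The difficulty of reading forged headers comes down to knowing which
"Received:" lines can be believed. The following is an added example,
not part of the original draft: it walks the "Received:" chain of a
constructed message and stops at the last line written by the
recipient's own mail hosts. The host names, addresses, sample message
and function names are all assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not from the draft). Names under .example and the
# 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 ranges are reserved for
# documentation. The bottom Received: line stands for one the sender made up.
SAMPLE = """\
Received: from mx1.your-site.example (mx1.your-site.example [192.0.2.10])
\tby mailstore.your-site.example with ESMTP id AA001
\tfor <user@your-site.example>; Mon, 5 Apr 1999 10:00:05 -0700
Received: from offending-domain.example (dialup-17.isp.example [203.0.113.77])
\tby mx1.your-site.example with SMTP id AA000
\tfor <user@your-site.example>; Mon, 5 Apr 1999 10:00:01 -0700
Received: from mail.offending-domain.example
\t(mail.offending-domain.example [198.51.100.5])
\tby relay.offending-domain.example with SMTP; Mon, 5 Apr 1999 09:58:00 -0700
From: "Offers" <offers@offending-domain.example>
To: user@your-site.example
Subject: Make Money Fast

(body omitted)
"""

# Assumption: the site operator knows its own mail hosts and their addresses.
OWN_HOSTS = {"mailstore.your-site.example", "mx1.your-site.example"}
OWN_IPS = {"192.0.2.10"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                   # name the peer claimed
    r"(?:\s+\((?P<rdns>[^\s()\[\]]*)\s*"      # name the receiver looked up
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"         # address the receiver saw
    r".*?\bby\s+(?P<by>\S+)"                  # host that wrote the line
)


def parse_hop(value):
    """Turn one Received: value into a dict, or None if it has no from/by."""
    m = HOP_RE.match(" ".join(value.split()))  # undo header folding
    if not m:
        return None
    hop = m.groupdict()
    hop["by"] = hop["by"].rstrip(";")
    return hop


def find_entry_hop(raw, own_hosts, own_ips):
    """Return (entry_hop, unverified_hops).

    Received: lines are prepended, so the newest is first. Walk down while
    each line was written by one of our hosts; the first such line whose
    peer address is not ours marks where the message entered the site.
    Every line below it was supplied from outside and may be forged.
    """
    values = message_from_string(raw).get_all("Received", [])
    hops = [parse_hop(v) for v in values]
    for i, hop in enumerate(hops):
        if hop is None or hop["by"].lower() not in own_hosts:
            return None, hops[i:]              # nothing we can vouch for
        if hop["ip"] not in own_ips:
            return hop, hops[i + 1:]
    return None, []


def helo_mismatch(hop):
    """True when the claimed name differs from the name the receiver resolved."""
    return bool(hop["rdns"]) and hop["helo"].lower() != hop["rdns"].lower()


if __name__ == "__main__":
    entry, rest = find_entry_hop(SAMPLE, OWN_HOSTS, OWN_IPS)
    print("entered via", entry["by"], "from", entry["ip"],
          "(claimed name:", entry["helo"] + ")")
    print("claimed name disagrees with lookup:", helo_mismatch(entry))
    print("lines below the entry point that cannot be verified:", len(rest))
```

The address recorded by your own host is the one worth reporting; the
name the sender claimed and the lines beneath it are only claims.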

As of the writing of this document, there are several pieces of
pending legislation in several jurisdictions about the sending of
unsolicited mail and also about forging headers. If forging of
headers should become illegal, then responding to the sender is less
risky and may be useful.

Certainly we advocate communicating to the originator (as best as you
can tell) to let them know you will NOT be buying any products from
them as you object to the method they have chosen to conduct their
business (aka spam). Most responses through media other than
electronic mail (mostly by those who take the time to phone included
"800" (free to calling party in the U.S.) phone numbers) have proved
somewhat effective. You can also call the business the advertisement
is for, ask to speak to someone in authority, and then tell them you
will never buy their products or use their services because their
advertising mechanism is spam.

Next, you can carbon copy or forward the questionable mail messages
or news postings to your postmaster. You can do this by sending mail
"To: Postmaster@your-site.example." Your postmaster should be an
expert at reading mail headers and will be able to tell if the
originating address is forged. He or she may be able to pinpoint the
real culprit and help close down the site. If your postmaster wants
to know about unsolicited mail, be sure s/he gets a copy, including
headers. You will need to find out the local policy and comply.

*** IMPORTANT ***

Wherever you send a complaint, be sure to include the full headers
(most mail and news programs don't display the full headers by
default). For mail it is especially important to show the
"Received:" headers. For Usenet news, it is the "Path:" header.
These normally show the route by which the mail or news was
delivered.
Without them, it's impossible to even begin to tell where the message
originated. See the appendix for an example of a mail header.

There is lively and ongoing debate about the validity of changing
one's email address in a Web Browser in order to have Netnews posts
and email look as if it is originating from some spot other than
where it does originate. The reasoning behind this is that web email
address harvesters will not be getting a real address when it
encounters these. There is reason on both sides of this debate: If
you change your address, you will not be as visible to the
harvesters, but if you change your address, real people who need to
contact you will be cut off as well. Also, if you are using the
Internet through an organization such as a company, the company may
have policies about "forging" addresses - even your own! Most people
agree that the consequences of changing your email address on your
browser or even in your mail headers is fairly dangerous and will
nearly guarantee your mail goes into a black hole unless you are very
sure you know what you are doing.

Finally, DO NOT respond by sending back large volumes of unsolicited
mail. Two wrongs do not make a right; do not become your enemy; and
take it easy on the network. While the legal status of spam is
uncertain, the legal status (at least in the U.S.) of a "mail bomb"
(large numbers and/or sizes of messages to the site with the intent
of disabling or injuring the site) is pretty clear: it is criminal.

There is a web site called "www.abuse.net" which allows you to
register, then send your message to the name of the
"offending-domain@abuse.net," which will re-mail your message to the
best reporting address for the offending domain. The site contains
good tips for reporting abuse netnews or email messages.
It also has some automated tools that you may download to help you
filter your messages. Also check CIAC bulletin I-005 at:

http://ciac.llnl.gov/ciac/bulletins/i-005c.shtml

or at:

http://spam.abuse.net/spam/tools/mailblock.html.

Check the Appendix for a detailed explanation of tools and
methodology to use when trying to chase down a spammer.

4b. There's a Spam in My Group!

Netnews is also subject to spamming. Here several factors help to
mitigate against the propagation of spam in news, although they don't
entirely solve the problem. Newsgroups and mailing lists may be
moderated, which means that a moderator approves all mail/posts. If
this is the case, the moderator usually acts as a filter to remove
unwanted and off-topic posts/mail.

In Netnews there are programs which detect posts which have been sent
to multiple groups or which detect multiple posts from the same
source to one group. These programs cancel the posts. While these
work and keep unsolicited posts down, they are not 100% effective and
spam in newsgroups seems to be growing at an even faster rate than
spam in mail or on mailing lists. After all, it's much easier to
post to a newsgroup for which there are thousands of readers than it
is to find individual email addresses for all those folks. Hence the
development of the "cancelbots" (sometimes called "cancelmoose") for
Netnews groups. Cancelbots are triggered when one message is sent to
a large number of newsgroups or when many small messages are sent
(from one sender) to the same newsgroup. In general these are tuned
to the "Breidbart Index" [3] which is a somewhat fuzzy measure of the
interactions of the number of posts and number of groups. This is
fuzzy purposefully, so that people will not post a number of messages
just under the index and still "get away with it."
And as noted above, the cancel messages have reached such a volume
now that a lot of News administrators are beginning to write filters
rather than send cancels. Still spam gets through, so what can a
concerned netizen do?

If there is a group moderator, make sure s/he knows that off-topic
posts are slipping into the group. If there is no moderator, you
could take the same steps for dealing with news as are recommended
for mail with all the same caveats.

A reasonable printed reference one might obtain has been published by
O'Reilly and Associates, _Stopping Spam_, by Alan Schwartz and Simson
Garfinkel [4]. This book also has interesting histories of spammers
such as Cantor and Siegel, and Jeff Slaton. It gives fairly clear
instructions for filtering mail and news.

5. Help for Beleaguered Admins

As a system administrator, news administrator, local Postmaster, or
mailing-list administrator, your users will come to you for help in
dealing with unwanted mail and posts. First, find out what your
institution's policy is regarding unwanted/unsolicited mail. It is
possible that it won't do anything for you, but it is also possible
to use it to justify blocking a domain which is sending particularly
offensive mail to your users. If you don't have a clear policy, it
would be really useful to create one. If you are a mailing-list
administrator, make sure your mailing-list charter forbids off-topic
posts. If your internal-only newsgroups are getting spammed from the
outside of your institution, you probably have bigger security
problems than just spam.

Make sure that your mail and news transports are configured to reject
messages injected by parties outside your domain. Recently
misconfigured Netnews servers have become subject to hijacking by
spammers.
SMTP source routing <@relay.host:user@dest.host> is becoming
deprecated due to its overwhelming abuse by spammers. You should
configure your mail transport to reject relayed messages (when
neither the sender nor the recipient are within your domain). Check:

http://www.sendmail.org/

under the "Anti-Spam" heading.

If you run a firewall at your site, it can be configured in ways to
discourage spam. For example, if your firewall is a gateway host
that itself contains an NNTP server, ensure that it is configured so
it does not allow access from external sites except your news feeds.
If your firewall acts as a proxy for an external news-server, ensure
that it does not accept NNTP connections other than from your
internal network. Both these potential holes have recently been
exploited by spammers. Ensure that email messages generated within
your domain have proper identity information in the headers, and that
users cannot forge headers. Be sure your headers have all the
correct information as stipulated by RFC 822 [5] and RFC 1123 [6].

If you are running a mailing-list, allowing postings only by
subscribers means a spammer would actually have to join your list
before sending spam messages, which is unlikely. Make sure your
charter forbids any off-topic posts. There is another spam-related
problem with mailing-lists which is that spammers like to retaliate
on those who work against them by mass-subscribing their enemies to
mailing-lists. Your mailing-list software should require
confirmation of the subscription, and only then should the address be
subscribed.

It is possible, if you are running a mail transfer agent that allows
it, to block persistent offending sites from ever getting mail into
your site. However, careful consideration should be taken before
taking that step. For example, be careful not to block out sites for
which you run MX records!
In the long run, it may be most useful to help your users learn
enough about their mailers so that they can write rules to filter
their own mail, or provide rules and kill files for them to use, if
they so choose.

There is information about how to configure sendmail available at
"www.sendmail.org." Help is also available at "spam.abuse.net."

Another good strategy is to use Internet tools such as whois and
traceroute to find which ISP is serving your problem site. Notify
the postmaster or abuse (abuse@offending-domain.example) address that
they have an offender. Be sure to pass on all header information in
your messages to help them with tracking down the offender. If they
have a policy against using their service to post unsolicited mail
they will need more than just your say-so that there is a problem.
Also, the "originating" site may be a victim of the offender as well.
It's not unknown for those sending this kind of mail to bounce their
mail through dial-up accounts, or off unprotected mail servers at
other sites. Use caution and courtesy in your approach to those who
look like the offender.

News spammers use similar techniques for sending spam to the groups.
They have been known to forge headers and bounce posts off "open"
news machines and remailers to cover their tracks. During the height
of the infamous David Rhodes "Make Money Fast" posts, it was not
unheard of for students to walk away from terminals which were logged
in, and for sneaky folks to then use their accounts to forge posts,
much to the later embarrassment of both the student and the
institution.

One way to lessen problems is to avoid using mail-to URLs on your web
pages. They allow email addresses to be easily harvested by those
institutions grabbing email addresses off the web.
If you need to
have an email address prevalent on a web page, consider using a CGI
script to generate the mailto address.

Participate in mailing lists and news groups which discuss
unsolicited mail/posts and the problems associated with it.
News.admin.net-abuse.misc is probably the most well-known of these.

6. What's an ISP to Do

As an Internet Service Provider, you first and foremost should decide
what your stance against unsolicited mail and posts will be. If you
decide not to tolerate unsolicited mail, write a clear Acceptable Use
Policy which states your position and delineates consequences for
abuse. If you state that you will not tolerate use of your resource
for unsolicited mail/posts, and that the consequence will be loss of
service, you should be able to cancel offending accounts relatively
quickly (after verifying that the account really IS being mis-used).
If you have downstreaming arrangements with other providers, you
should make sure they are aware of any policy you set. Likewise, you
should be aware of your upstream providers' policies.

Consider limiting access for dialup accounts so they cannot be used
by those who spew. Make sure your mail servers aren't open for mail
to be bounced off them (except for legitimate users). Make sure your
mail transfer agents are the most up-to-date version (which pass
security audits) of the software.

Educate your users about how to react to spew and spewers. Make sure
instructions for writing rules for mailers are clear and available.
Support their efforts to deal with unwanted mail at the local level -
taking some of the burden from your system administrators.

Make sure you have an address for abuse complaints. If complainers
can routinely send mail to "abuse@BigISP.example" and you have
someone assigned to read that mail, workflow will be much smoother.
Don't require people complaining about spam to use some unique local
address for complaints. Read and use 'postmaster' and 'abuse'. We
recommend adherence to RFC 2142, _Mailbox Names for Common Services,
Roles and Functions._ [7].

Finally, write your contracts and terms and conditions in such
language that allows you to suspend service for offenders, and so
that you can impose a charge on them for your costs in handling the
complaints their abuse generates and/or terminating their account and
cleaning up the mess they make. Some large ISPs have found that they
can fund much of their abuse prevention staff by imposing such
charges. Make sure all your customers sign the agreement before
their accounts are activated. There is a list of "good" Acceptable
Use Policies and Terms of Service at:

   http://spam.abuse.net/goodsites/index.html.

Legally, you may be able to stop spammers and spam relayers, but this
is certainly dependent on the jurisdictions involved. Potentially,
the passing of spam via third party computers, especially if the
headers are forged, could be a criminal action depending on the laws
of the particular jurisdiction(s) involved. If your site is being
used as a spam relay, be sure to contact local and national criminal
law enforcement agencies. Site operators may also want to consider
bringing civil actions against the spammer for expropriation of
property, in particular the computer time and network bandwidth. In
addition, when a mailing list is involved, there is a potential
intellectual property rights violation.

There are a few lawsuits in the courts now which claim spammers
interfered with and endangered network connectivity. At least one
company is attempting to charge spammers for the use of its networks
(www.kclink.com/spam/).

7. Security Considerations

Certain actions to stop spamming may cause problems to legitimate
users of the net. There is a risk that filters to stop spamming will
unintentionally stop legitimate mail too. Overloading postmasters
with complaints about spamming may cause trouble to the wrong person,
someone who is not responsible for and cannot do anything to avoid
the spamming activity, or it may cause trouble out of proportion to
the abuse you are complaining about. Be sure to exercise discretion
and good judgment in all these cases. Check your local escalation
procedure. The Site Security Handbook [2] can help define an
escalation procedure if your site does not have one defined.

Lower levels of network security interact with the ability to trace
spam via logs or message headers. Measures to stop various sorts of
DNS and IP spoofing can make this information more reliable.
Spammers can and will exploit obvious security weaknesses, especially
in NNTP servers. This can lead to denial of service, either from the
sheer volume of posts, or as a result of action taken by upstream
providers.

8. Acknowledgments

Thanks for help from the IETF-RUN working group, and also to all the
spew-fighters. Specific thanks are due to J.D. Falk, whose very
helpful Anti-spam FAQ proved valuable. Thanks are also due to the
vigilance of Scott Hazen Mueller and Paul Vixie, who run
spam.abuse.net, the Anti-spam web site. Thanks also to Jacob Palme,
Chip Rosenthal, Karl Auerbach for specific text: Jacob for the
Security Considerations section, Chip for the configuration
suggestions in section 5, Karl for the legal considerations. Andrew
Gierth was very helpful with Netnews spam considerations. And thanks
to Gary Malkin for proofing and formatting.

9. References

[1] See for example spam-l@peach.ease.lsoft.com

[2] Fraser, B., "Site Security Handbook," RFC 2196, September, 1997.
    Available via anonymous ftp at:
    ftp://ftp.isi.edu/in-notes/rfc2196.txt.

[3] "Current Spam thresholds and guidelines," Lewis, Chris and Tim
    Skirvin, http://www.uiuc.edu/~tskirvin/spam.html.

[4] Schwartz, Alan and Simson Garfinkel, "Stopping Spam," O'Reilly
    and Associates, 1998.

[5] Crocker, D., "Standard for the format of ARPA Internet text
    messages," RFC 0822, August, 1982. Available via anonymous ftp
    at: ftp://ftp.isi.edu/in-notes/rfc822.txt.

[6] Braden, R.T., "Requirements for Internet hosts - application and
    support," RFC 1123, October, 1989. Available via anonymous ftp
    at: ftp://ftp.isi.edu/in-notes/rfc1123.txt.

[7] Crocker, D., "Mailbox Names for Common Services, Roles and
    Functions," RFC 2142, May, 1997. Available via anonymous ftp at:
    ftp://ftp.isi.edu/in-notes/rfc2142.txt.

* Spam is a name of a meat product made by Hormel. "spam" (no
  capitalization) is routinely used to describe unsolicited bulk
  email and netnews posts.

10. Appendix - How to Track Down Spammers

In a large proportion of spams today, complaining to the postmaster
of the site that is the apparent sender of a message will have little
effect because either the headers are forged to disguise the source
of the message, or the senders of the message run their own
system/domain, or both.

As a result, it may be necessary to look carefully at the headers of
a message to see what parts are most reliable, and/or to complain to
the second or third-level Internet providers who provide Internet
service to a problem domain.

In many cases, getting reports with full headers from various
recipients of a spam can help locate the source. In extreme cases of
header forgery, only examination of logs on multiple systems can
trace the source of a message.

With only one message in hand, one has to make an educated guess as
to the source. The following are only rough guidelines.

In the case of mail messages, "Received:" headers added by systems
under control of the destination organization are most likely to be
reliable. You can't trust what the source domain calls itself, but
you can usually use the source IP address since that is determined by
the destination domain's server.

In naive mail forgeries, the "Message-ID:" header may show the first
SMTP server to handle the message and/or the "Received:" headers may
all be accurate, but neither can be relied on. Be especially wary
when the Received: headers have other headers intermixed. Normally,
Received: headers are all together in a block, and when split up, one
or the other block is probably forged.

In the case of news messages, some part of the Path: header may be a
forgery; only reports from multiple sites can make this clear. In
naive news forgeries, the "NNTP-Posting-Host:" header shows the
actual source, but this can be forged too.

If a spam message advertises an Internet server like a WWW site, that
server must be connected to the network to be usable. Therefore that
address can be traced. It is appropriate to complain to the ISP
hosting a web site advertised in a spam, even if the origin of the
spam seems to be elsewhere. Be aware that the spam could be an
attack on the advertised site; the perpetrator knows the site will be
deluged with complaints and their reputation will be damaged. Any
spam with an electronic address in it is suspect because most
spammers know they're unwelcome and won't make themselves accessible.

Here is an example mail header:

----
From friendlymail@209.214.12.258.com Thu Feb 26 20:32:47 1998
Received: from clio.sc.intel.com by Ludwig.sc.intel.com (4.1/SMI-4.1)
        id AA05377; Thu, 26 Feb 98 20:32:46 PST
Received: from 209.214.12.258.com (209.214.12.258.com [208.26.102.16])
        by clio.sc.intel.com (8.8.6/8.8.5) with ESMTP id UAA29637
        for ; Thu, 26 Feb 1998 20:33:30 -0800 (PST)
Received: ok
X-Sender: promo1@gotosportsbook.com
X-Advertisement: Click here to be removed.
Date: Thu, 26 Feb 1998 23:23:03 -0500
From: Sent By
Reply-To: Sent By
To: friend@bulkmailer
Subject: Ad: FREE $50 in Sportsbook & Casino
X-Mailer: AK-Mail 3.0b [eng] (unregistered)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: friendlymail@aqua.258.com
Message-Id:
Status: R
----

Doing a traceroute on an IP address or DNS address will show what
domains provide IP connectivity from you to that address.

Using whois and nslookup, one can try to determine who is
administratively responsible for a domain.

In simple cases, a user of a responsible site may be exploiting an
account or a weakness in dial-up security; in those cases a complaint
to a single site may be sufficient. However, it may be appropriate to
complain to more than one domain, especially when it looks like the
spammers run their own system.

If you look at the traceroute to an address, you will normally see a
series of domains between you and that address, with one or more
wide-area/national Internet Service Providers in the middle and
"smaller" networks/domains on either end. It may be appropriate to
complain to the domains nearer the source, up to and including the
closest wide-area ISP. However, this is a judgement call.
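
The header-reading guidelines of this appendix, applied to the example mail header, as an added Python illustration that is not part of the original draft: it walks the Received: headers from the top, trusts only those written by the destination organization's own servers, and reports the peer IP recorded at the first external hop. The function name, the report fields and the trusted-suffix parameter are assumptions of this example.

```python
import re
from email import message_from_string

# Abridged from the example header in this appendix; elided fields stay as they appear.
SAMPLE = """\
Received: from clio.sc.intel.com by Ludwig.sc.intel.com (4.1/SMI-4.1)
    id AA05377; Thu, 26 Feb 98 20:32:46 PST
Received: from 209.214.12.258.com (209.214.12.258.com [208.26.102.16])
    by clio.sc.intel.com (8.8.6/8.8.5) with ESMTP id UAA29637
    for ; Thu, 26 Feb 1998 20:33:30 -0800 (PST)
Received: ok
X-Sender: promo1@gotosportsbook.com
Date: Thu, 26 Feb 1998 23:23:03 -0500
Subject: Ad: FREE $50 in Sportsbook & Casino
Sender: friendlymail@aqua.258.com
"""

FROM_BY = re.compile(r"^from\s+(\S+).*?\bby\s+([^\s;]+)", re.S)
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_entry_point(raw, trusted_suffix):
    """Find the hop where mail entered servers named under trusted_suffix."""
    msg = message_from_string(raw)
    names = [k.lower() for k in msg.keys()]
    pos = [i for i, n in enumerate(names) if n == "received"]
    report = {
        "peer_ip": None, "claimed_name": None, "recorded_by": None, "ignored": [],
        # Received: headers normally form one block; a split block suggests forgery.
        "intermixed": pos != list(range(pos[0], pos[-1] + 1)) if pos else False,
    }
    hops = [v.strip() for v in msg.get_all("Received", [])]
    for n, hop in enumerate(hops):
        m = FROM_BY.match(hop)
        # Assumption: our relays are recognised by name suffix; comparing the
        # recorded IP against known internal address ranges is stricter.
        if not m or not m.group(2).lower().endswith(trusted_suffix):
            report["ignored"] = hops[n:]  # not written by us: sender-controlled
            break
        if not m.group(1).lower().endswith(trusted_suffix):
            # First external hop: the bracketed IP was recorded by our server,
            # the host name is only what the sender called itself.
            ip = PEER_IP.search(hop)
            report.update(peer_ip=ip.group(1) if ip else None,
                          claimed_name=m.group(1), recorded_by=m.group(2))
            report["ignored"] = hops[n + 1:]
            break
    return report

if __name__ == "__main__":
    print(trace_entry_point(SAMPLE, ".intel.com"))
```

The address in "peer_ip" is the one to feed to traceroute and whois; everything listed under "ignored" sits below the trust boundary and may be forged.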

If an intermediate site appears to be a known, responsible domain,
stopping your complaints at this point makes sense.

Authors' Information

Sally Hambridge
Intel Corp, SC11-321
2200 Mission College blvd
Santa Clara, CA 95052
sallyh@ludwig.sc.intel.com

Albert Lunde
Northwestern University
2129 Campus Drive North
Evanston, IL 60208
Albert-Lunde@nwu.edu