summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2635.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc2635.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc2635.txt')
-rw-r--r--doc/rfc/rfc2635.txt1011
1 files changed, 1011 insertions, 0 deletions
diff --git a/doc/rfc/rfc2635.txt b/doc/rfc/rfc2635.txt
new file mode 100644
index 0000000..e33d271
--- /dev/null
+++ b/doc/rfc/rfc2635.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Network Working Group S. Hambridge
+Request for Comments: 2635 INTEL
+FYI: 35 A. Lunde
+Category: Informational Northwestern University
+ June 1999
+
+
+ DON'T SPEW
+ A Set of Guidelines for Mass Unsolicited
+ Mailings and Postings (spam*)
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ This document explains why mass unsolicited electronic mail messages
+ are harmful in the Internetworking community. It gives a set of
+ guidelines for dealing with unsolicited mail for users, for system
+ administrators, news administrators, and mailing list managers. It
+ also makes suggestions Internet Service Providers might follow.
+
+1. Introduction
+
+ The Internet's origins in the Research and Education communities
+ played an important role in the foundation and formation of Internet
+ culture. This culture defined rules for network etiquette
+ (netiquette) and communication based on the Internet's being
+ relatively off-limits to commercial enterprise.
+
+ This all changed when U.S. Government was no longer the primary
+ funding body for the U.S. Internet, when the Internet truly went
+ global, and when all commercial enterprises were allowed to join what
+ had been strictly research networks. Internet culture had become
+ deeply embedded in the protocols the network used. Although the
+ social context has changed, the technical limits of the Internet
+ protocols still require a person to enforce certain limits on
+ resource usage for the 'Net to function effectively. Strong
+ authentication was not built into the News and Mail protocols. The
+ only thing that is saving the Internet from congestion collapse is
+ the voluntary inclusion of TCP backoff in almost all of the TCP/IP
+
+
+
+Hambridge & Lunde Informational [Page 1]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ driver code on the Internet. There is no end-to-end cost accounting
+ and/or cost recovery. Bandwidth is shared among all traffic without
+ resource reservation (although this is changing).
+
+ Unfortunately for all of us, the culture so carefully nurtured
+ through the early years of the Internet was not fully transferred to
+ all those new entities hooking into the bandwidth. Many of those
+ entities believe they have found a paradise of thousands of potential
+ customers each of whom is desperate to learn about stunning new
+ business opportunities. Alternatively, some of the new netizens
+ believe all people should at least hear about the one true religion
+ or political party or process. And some of them know that almost no
+ one wants to hear their message but just can't resist how inexpensive
+ the net can be to use. While there may be thousands of folks
+ desperate for any potential message, mass mailings or Netnews
+ postings are not at all appropriate on the 'Net.
+
+ This document explains why mass unsolicited email and Netnews posting
+ (aka spam) is bad, what to do if you get it, what webmasters,
+ postmasters, and news admins can do about it, and how an Internet
+ Service Provider might respond to it.
+
+2. What is Spam*?
+
+ The term "spam" as it is used to denote mass unsolicited mailings or
+ netnews postings is derived from a Monty Python sketch set in a
+ movie/tv studio cafeteria. During that sketch, the word "spam" takes
+ over each item offered on the menu until the entire dialogue consists
+ of nothing but "spam spam spam spam spam spam and spam." This so
+ closely resembles what happens when mass unsolicited mail and posts
+ take over mailing lists and netnews groups that the term has been
+ pushed into common usage in the Internet community.
+
+ When unsolicited mail is sent to a mailing list and/or news group it
+ frequently generates more hate mail to the list or group or apparent
+ sender by people who do not realize the true source of the message.
+ If the mailing contains suggestions for removing your name from a
+ mailing list, 10s to 100s of people will respond to the list with
+ "remove" messages meant for the originator. So, the original message
+ (spam) creates more unwanted mail (spam spam spam spam), which
+ generates more unwanted mail (spam spam spam spam spam spam and
+ spam). Similar occurrences are perpetrated in newsgroups, but this
+ is held somewhat in check by "cancelbots" (programs which cancel
+ postings) triggered by mass posting. Recently, cancelbots have grown
+ less in favor with those administering News servers since the
+ cancelbots are now generating the same amount of traffic as spam.
+ Even News admins are beginning to use filters, demonstrating that
+ spam spam spam spam spam spam and spam is a monumental problem.
+
+
+
+Hambridge & Lunde Informational [Page 2]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+3. Why Mass Mailing is Bad
+
+ In the world of paper mail we're all used to receiving unsolicited
+ circulars, advertisements, and catalogs. Generally we don't object
+ to this - we look at what we find of interest, and we discard/recycle
+ the rest. Why should receiving unsolicited email be any different?
+
+ The answer is that the cost model is different. In the paper world,
+ the cost of mailing is borne by the sender. The sender must pay for
+ the privilege of creating the ad and the cost of mailing it to the
+ recipient. An average paper commercial mailing in the U.S. ends up
+ costing about $1.00 per addressee. In the world of electronic
+ communications, the recipient bears the majority of the cost. Yes,
+ the sender still has to compose the message and the sender has to pay
+ for Internet connectivity. However, the recipient ALSO has to pay
+ for Internet connectivity and possibly also connect time charges and
+ for disk space. For electronic mailings the recipient is expected to
+ help share the cost of the mailing. Bulk Internet mail from the U.S.
+ ends up costing the sender only about 1/100th of a cent per address;
+ or FOUR ORDERS of magnitude LESS than bulk paper mailings!
+
+ Of course, this cost model is very popular with those looking for
+ cheap methods to get their message out. By the same token, it's very
+ unpopular with people who have to pay for their messages just to find
+ that their mailbox is full of junk mail. Neither do they appreciate
+ being forced to spend time learning how to filter out unwanted
+ messages. Consider this: if you had to pay for receiving paper mail
+ would you pay for junk mail?
+
+ Another consideration is that the increase in volume of spam will
+ have an impact on the viability of electronic mail as a
+ communications medium. If, when you went to your postal mail box you
+ found four crates of mail, would you be willing to search through the
+ crates for the one or two pieces of mail which were not advertising?
+ Spam has a tremendous potential to create this scenario in the
+ electronic world.
+
+ Frequently spammers indulge in unethical behavior such as using mail
+ servers which allow mail to be relayed to send huge amounts of
+ electronic solicitations. Or they forge their headers to make it
+ look as if the mail originates from a different domain. These people
+ don't care that they're intruding into a personal or business mailbox
+ nor do they care that they are using other people's resources without
+ compensating them.
+
+ The huge cost difference has other bad effects. Since even a very
+ cheap paper mailing is going to cost tens of (U.S.) cents there is a
+ real incentive to send only to those really likely to be interested.
+
+
+
+Hambridge & Lunde Informational [Page 3]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ So paper bulk mailers frequently pay a premium to get high quality
+ mailing lists, carefully prune out bad addresses and pay for services
+ to update old addresses. Bulk email is so cheap that hardly anyone
+ sending it bothers to do any of this. As a result, the chance that
+ the receiver is actually interested in the mail is very, very, very
+ low.
+
+ As of the date of this document, it is a daily event on the Internet
+ for a mail service to melt-down due to an overload of spam. Every
+ few months this happens to a large/major/regional/
+ national/international service provider resulting in denial of or
+ severe degradation of service to hundreds of thousands of users.
+ Such service degradations usually prompt the providers to spend
+ hundreds of thousands of dollars upgrading their mail service
+ equipment just because of the volume of spam. Service providers pass
+ those costs on to customers.
+
+ Doesn't the U.S. Constitution guarantee the ability to say whatever
+ one likes? First, the U.S. Constitution is law only in the U.S., and
+ the Internet is global. There are places your mail will reach where
+ free speech is not a given. Second, the U.S. Constitution does NOT
+ guarantee one the right to say whatever one likes. In general, the
+ U.S. Constitution refers to political freedom of speech and not to
+ commercial freedom of speech. Finally, and most importantly, the U.S.
+ Constitution DOES NOT guarantee the right to seize the private
+ property of others in order to broadcast your speech. The Internet
+ consists of a vast number of privately owned networks in voluntary
+ cooperation. There are laws which govern other areas of electronic
+ communication, namely the "junk fax" laws. Although these have yet
+ to be applied to electronic mail they are still an example of the
+ "curbing" of "free speech." Free speech does not, in general,
+ require other people to spend their money and resources to deliver or
+ accept your message.
+
+ Most responsible Internet citizens have come to regard unsolicited
+ mail/posts as "theft of service". Since the recipient must pay for
+ the service and for the most part the mail/posts are advertisements
+ of unsolicited "stuff" (products, services, information) those
+ receiving it believe that the practice of making the recipient pay
+ constitutes theft.
+
+ The crux of sending large amounts of unsolicited mail and news is not
+ a legal issue so much as an ethical one. If you are tempted to send
+ unsolicited "information" ask yourself these questions: "Whose
+ resources is this using?" "Did they consent in advance?" "What
+ would happen if everybody (or a very large number of people) did
+ this?" "How would you feel if 90% of the mail you received was
+ advertisements for stuff you didn't want?" "How would you feel if 95%
+
+
+
+Hambridge & Lunde Informational [Page 4]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ of the mail you received was advertisements for stuff you didn't
+ want?" "How would you feel if 99% of the mail you received was
+ advertisements for stuff you didn't want?"
+
+ Although numbers on the volume and rate of increase of spam are not
+ easy to find, seat-of-the-pants estimates from the people on spam
+ discussion mailing lists [1] indicate that unsolicited mail/posts
+ seems to be following the same path of exponential growth as the
+ Internet as a whole [2]. This is NOT encouraging, as this kind of
+ increase puts a strain on servers, connections, routers, and the
+ bandwidth of the Internet as a whole. On a per person basis,
+ unsolicited mail is also on the increase, and individuals also have
+ to bear the increasing cost of increasing numbers of unsolicited and
+ unwanted mail. People interested in hard numbers may want to point
+ their web browsers to
+ http://www.techweb.com/se/directlink.cgi?INW19980504S0003 where
+ Internet Week reports what spam costs.
+
+
+ Finally, sending large volumes of unsolicited email or posting
+ voluminous numbers of Netnews postings is just plain rude. Consider
+ the following analogy: Suppose you discovered a large party going on
+ in a house on your block. Uninvited, you appear, then join each
+ group in conversation, force your way in, SHOUT YOUR OPINION (with a
+ megaphone) of whatever you happen to be thinking about at the time,
+ drown out all other conversation, then scream "discrimination" when
+ folks tell you you're being rude.
+
+ To continue the party analogy, suppose instead of forcing your way
+ into each group you stood on the outskirts a while and listened to
+ the conversation. Then you gradually began to add comments relevant
+ to the discussion. Then you began to tell people your opinion of the
+ issues they were discussing; they would probably be less inclined to
+ look badly on your intrusion. Note that you are still intruding.
+ And that it would still be considered rude to offer to sell products
+ or services to the guests even if the products and services were
+ relevant to the discussion. You are in the wrong venue and you need
+ to find the right one.
+
+ Lots of spammers act as if their behavior can be forgiven by
+ beginning their messages with an apology, or by personalizing their
+ messages with the recipient's real name, or by using a number of
+ ingratiating techniques. But much like the techniques used by Uriah
+ Heep in Dickens' _David Copperfield_, these usually have an effect
+ opposite to the one intended. Poor excuses ("It's not illegal,"
+ "This will be the only message you receive," "This is an ad," "It's
+ easy to REMOVE yourself from our list") are still excuses. Moreover,
+ they are likely to make the recipient MORE aggravated rather than
+
+
+
+Hambridge & Lunde Informational [Page 5]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ less aggravated.
+
+ In particular, there are two very severe problems with believing that
+ a "remove" feature to stop future mail helps: (1) Careful tests have
+ been done with sending remove requests for "virgin" email accounts
+ (that have never been used anywhere else). In over 80% of the cases,
+ this resulted in a deluge of unsolicited email, although usually from
+ other sources than the one the remove was sent to. In other words,
+ if you don't like unsolicited mail, you should think carefully before
+ using a remove feature because the evidence is that it will result in
+ more mail not less. (2) Even if it did work, it would not stop lots
+ of new unsolicited email every day from new businesses that hadn't
+ mailed before.
+
+4a. ACK! I've Been Spammed - Now What?
+
+ It's unpleasant to receive mail which you do not want. It's even
+ more unpleasant if you're paying for connect time to download it.
+ And it's really unpleasant to receive mail on topics which you find
+ offensive. Now that you're good and mad, what's an appropriate
+ response?
+
+ First, you always have the option to delete it and get on with your
+ life. This is the easiest and safest response. It does not
+ guarantee you won't get more of the same in the future, but it does
+ take care of the current problem. Also, if you do not read your mail
+ on a regular basis it is possible that your complaint is much too
+ late to do any good.
+
+ Second, consider strategies that take advantage of screening
+ technology. You might investigate technologies that allow you to
+ filter unwanted mail before you see it. Some software allows you to
+ scan subject lines and delete unwanted messages before you download
+ them. Other programs can be configured to download portions of
+ messages, check them to see if they are advertising (for example) and
+ delete them before the whole message is downloaded.
+
+ Also, your organization or your local Internet Service Provider may
+ have the ability to block unwanted mail at their mail relay machines
+ and thus spare you the hassle of dealing with it at all. It is worth
+ inquiring about this possibility if you are the victim of frequent
+ spam.
+
+ Your personal mailer software may allow you to write rules defining
+ what you do and do not wish to read. If so, write a rule which sends
+ mail from the originator of the unwanted mail to the trash. This
+ will work if one sender or site repeatedly bothers you. You may also
+ consider writing other rules based on other headers if you are sure
+
+
+
+Hambridge & Lunde Informational [Page 6]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ the probability of them being activated for non-spam is low enough.
+ That way, although you may still have to pay to download it, you
+ won't have to read it!
+
+ Third, you may consider sending the mail back to the originator
+ objecting to your being on the mailing-list; however, we recommend
+ against this. First, a lot of spammers disguise who they are and
+ where their mail comes from by forging the mail headers. Unless you
+ are very experienced at reading headers discovering the true origin
+ of the mail will probably prove difficult. Although you can engage
+ your local support staff to help you with this, they may have much
+ higher priorities (such as setting up site-wide filters to prevent
+ spam from entering the site). Second, responding to this email will
+ simply verify your address as valid and make your address more
+ valuable for other (ab)uses (as was mentioned above in Section 3).
+ Third, even if the two previous things do not happen, very probably
+ your mail will be directed to the computer equivalent of a black hole
+ (the bit-bucket).
+
+ As of the writing of this document, there are several pieces of
+ pending legislation in several jurisdictions about the sending of
+ unsolicited mail and also about forging headers. If forging of
+ headers should become illegal, then responding to the sender is less
+ risky and may be useful.
+
+ Certainly we advocate communicating to the originator (as best as you
+ can tell) to let them know you will NOT be buying any products from
+ them as you object to the method they have chosen to conduct their
+ business (aka spam). Most responses through media other than
+ electronic mail (mostly by those who take the time to phone included
+ "800" (free to calling party in the U.S.) phone numbers) have proved
+ somewhat effective. You can also call the business the advertisement
+ is for, ask to speak to someone in authority, and then tell them you
+ will never buy their products or use their services because their
+ advertising mechanism is spam.
+
+ Next, you can carbon copy or forward the questionable mail messages
+ or news postings to your postmaster. You can do this by sending mail
+ "To: Postmaster@your-site.example." Your postmaster should be an
+ expert at reading mail headers and will be able to tell if the
+ originating address is forged. He or she may be able to pinpoint the
+ real culprit and help close down the site. If your postmaster wants
+ to know about unsolicited mail, be sure s/he gets a copy, including
+ headers. You will need to find out the local policy and comply.
+
+
+
+
+
+
+
+Hambridge & Lunde Informational [Page 7]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ *** IMPORTANT ***
+
+ Wherever you send a complaint, be sure to include the full headers
+ (most mail and news programs don't display the full headers by
+ default). For mail it is especially important to show the
+ "Received:" headers. For Usenet news, it is the "Path:" header.
+ These normally show the route by which the mail or news was
+ delivered. Without them, it's impossible to even begin to tell where
+ the message originated. See the appendix for an example of a mail
+ header.
+
+ There is lively and ongoing debate about the validity of changing
+ one's email address in a Web Browser in order to have Netnews posts
+ and email look as if it is originating from some spot other than
+ where it does originate. The reasoning behind this is that web email
+ address harvesters will not be getting a real address when it
+ encounters these. There is reason on both sides of this debate: If
+ you change your address, you will not be as visible to the
+ harvesters, but if you change your address, real people who need to
+ contact you will be cut off as well. Also, if you are using the
+ Internet through an organization such as a company, the company may
+ have policies about "forging" addresses - even your own! Most people
+ agree that the consequences of changing your email address on your
+ browser or even in your mail headers is fairly dangerous and will
+ nearly guarantee your mail goes into a black hole unless you are very
+ sure you know what you are doing.
+
+ Finally, DO NOT respond by sending back large volumes of unsolicited
+ mail. Two wrongs do not make a right; do not become your enemy; and
+ take it easy on the network. While the legal status of spam is
+ uncertain, the legal status (at least in the U.S.) of a "mail bomb"
+ (large numbers and/or sizes of messages to the site with the intent
+ of disabling or injuring the site) is pretty clear: it is criminal.
+
+ There is a web site called "www.abuse.net" which allows you to
+ register, then send your message to the name of the "offending-
+ domain@abuse.net," which will re-mail your message to the best
+ reporting address for the offending domain. The site contains good
+ tips for reporting abuse netnews or email messages. It also has some
+ automated tools that you may download to help you filter your
+ messages. Also check CIAC bulletin I-005 at:
+
+ http://ciac.llnl.gov/ciac/bulletins/i-005c.shtml
+
+ or at:
+
+ http://spam.abuse.net/spam/tools/mailblock.html.
+
+
+
+
+Hambridge & Lunde Informational [Page 8]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ Check the Appendix for a detailed explanation of tools and
+ methodology to use when trying to chase down a spammer.
+
+4b. There's a Spam in My Group!
+
+ Netnews is also subject to spamming. Here several factors help to
+ mitigate against the propagation of spam in news, although they don't
+ entirely solve the problem. Newsgroups and mailing lists may be
+ moderated, which means that a moderator approves all mail/posts. If
+ this is the case, the moderator usually acts as a filter to remove
+ unwanted and off-topic posts/mail.
+
+ In Netnews there are programs which detect posts which have been sent
+ to multiple groups or which detect multiple posts from the same
+ source to one group. These programs cancel the posts. While these
+ work and keep unsolicited posts down, they are not 100% effective and
+ spam in newsgroups seems to be growing at an even faster rate than
+ spam in mail or on mailing lists. After all, it's much easier to
+ post to a newsgroup for which there are thousands of readers than it
+ is to find individual email addresses for all those folks. Hence the
+ development of the "cancelbots" (sometimes called "cancelmoose") for
+ Netnews groups. Cancelbots are triggered when one message is sent to
+ a large number of newsgroups or when many small messages are sent
+ (from one sender) to the same newsgroup. In general these are tuned
+ to the "Breidbart Index" [3] which is a somewhat fuzzy measure of the
+ interactions of the number of posts and number of groups. This is
+ fuzzy purposefully, so that people will not post a number of messages
+ just under the index and still "get away with it." And as noted
+ above, the cancel messages have reached such a volume now that a lot
+ of News administrators are beginning to write filters rather than
+ send cancels. Still spam gets through, so what can a concerned
+ netizen do?
+
+ If there is a group moderator, make sure s/he knows that off-topic
+ posts are slipping into the group. If there is no moderator, you
+ could take the same steps for dealing with news as are recommended
+ for mail with all the same caveats.
+
+ A reasonable printed reference one might obtain has been published by
+ O'Reilly and Associates, _Stopping Spam_, by Alan Schwartz and Simson
+ Garfinkel [4]. This book also has interesting histories of spammers
+ such as Cantor and Siegel, and Jeff Slaton. It gives fairly clear
+ instructions for filtering mail and news.
+
+
+
+
+
+
+
+
+Hambridge & Lunde Informational [Page 9]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+5. Help for Beleaguered Admins
+
+ As a system administrator, news administrator, local Postmaster, or
+ mailing-list administrator, your users will come to you for help in
+ dealing with unwanted mail and posts. First, find out what your
+ institution's policy is regarding unwanted/unsolicited mail. It is
+ possible that it won't do anything for you, but it is also possible
+ to use it to justify blocking a domain which is sending particularly
+ offensive mail to your users. If you don't have a clear policy, it
+ would be really useful to create one. If you are a mailing-list
+ administrator, make sure your mailing-list charter forbids off-topic
+ posts. If your internal-only newsgroups are getting spammed from the
+ outside of your institution, you probably have bigger security
+ problems than just spam.
+
+ Make sure that your mail and news transports are configured to reject
+ messages injected by parties outside your domain. Recently
+ misconfigured Netnews servers have become subject to hijacking by
+ spammers. SMTP source routing <@relay.host:user@dest.host> is
+ becoming deprecated due to its overwhelming abuse by spammers. You
+ should configure your mail transport to reject relayed messages (when
+ neither the sender nor the recipient are within your domain). Check:
+
+ http://www.sendmail.org/
+
+ under the "Anti-Spam" heading.
+
+ If you run a firewall at your site, it can be configured in ways to
+ discourage spam. For example, if your firewall is a gateway host
+ that itself contains an NNTP server, ensure that it is configured so
+ it does not allow access from external sites except your news feeds.
+ If your firewall acts as a proxy for an external news-server, ensure
+ that it does not accept NNTP connections other than from your
+ internal network. Both these potential holes have recently been
+ exploited by spammers. Ensure that email messages generated within
+ your domain have proper identity information in the headers, and that
+ users cannot forge headers. Be sure your headers have all the
+ correct information as stipulated by RFC 822 [5] and RFC 1123 [6].
+
+ If you are running a mailing-list, allowing postings only by
+ subscribers means a spammer would actually have to join your list
+ before sending spam messages, which is unlikely. Make sure your
+ charter forbids any off-topic posts. There is another spam-related
+ problem with mailing-lists which is that spammers like to retaliate
+ on those who work against them by mass-subscribing their enemies to
+ mailing-lists. Your mailing-list software should require
+ confirmation of the subscription, and only then should the address be
+ subscribed.
+
+
+
+Hambridge & Lunde Informational [Page 10]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ It is possible, if you are running a mail transfer agent that allows
+ it, to block persistant offending sites from ever getting mail into
+ your site. However, careful consideration should be taken before
+ taking that step. For example, be careful not to block out sites for
+ which you run MX records! In the long run, it may be most useful to
+
+ help your users learn enough about their mailers so that they can
+ write rules to filter their own mail, or provide rules and kill files
+ for them to use, if they so choose.
+
+ There is information about how to configure sendmail available at
+ "www.sendmail.org." Help is also available at "spam.abuse.net."
+
+ Another good strategy is to use Internet tools such as whois and
+ traceroute to find which ISP is serving your problem site. Notify
+ the postmaster or abuse (abuse@offending-domain.example) address that
+ they have an offender. Be sure to pass on all header information in
+ your messages to help them with tracking down the offender. If they
+ have a policy against using their service to post unsolicited mail
+ they will need more than just your say-so that there is a problem.
+ Also, the "originating" site may be a victim of the offender as well.
+ It's not unknown for those sending this kind of mail to bounce their
+ mail through dial-up accounts, or off unprotected mail servers at
+ other sites. Use caution and courtesy in your approach to those who
+ look like the offender.
+
+ News spammers use similar techniques for sending spam to the groups.
+ They have been known to forge headers and bounce posts off "open"
+ news machines and remailers to cover their tracks. During the height
+ of the infamous David Rhodes "Make Money Fast" posts, it was not
+ unheard of for students to walk away from terminals which were logged
+ in, and for sneaky folks to then use their accounts to forge posts,
+ much to the later embarrassment of both the student and the
+ institution.
+
+ One way to lessen problems is to avoid using mail-to URLs on your web
+ pages. They allow email addresses to be easily harvested by those
+ institutions grabbing email addresses off the web. If you need to
+ have an email address prevalent on a web page, consider using a cgi
+ script to generate the mailto address.
+
+ Participate in mailing lists and news groups which discuss
+ unsolicited mail/posts and the problems associated with it.
+ News.admin.net-abuse.misc is probably the most well-known of these.
+
+
+
+
+
+
+
+Hambridge & Lunde Informational [Page 11]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+6. What's an ISP to Do
+
+ As an Internet Service Provider, you first and foremost should decide
+ what your stance against unsolicited mail and posts will be. If you
+ decide not to tolerate unsolicited mail, write a clear Acceptable Use
+ Policy which states your position and delineates consequences for
+ abuse. If you state that you will not tolerate use of your resource
+ for unsolicited mail/posts, and that the consequence will be loss of
+ service, you should be able to cancel offending accounts relatively
+ quickly (after verifying that the account really IS being mis-used).
+ If you have downstreaming arrangements with other providers, you
+ should make sure they are aware of any policy you set. Likewise, you
+ should be aware of your upstream providers' policies.
+
+ Consider limiting access for dialup accounts so they cannot be used
+ by those who spew. Make sure your mail servers aren't open for mail
+ to be bounced off them (except for legitimate users). Make sure your
+ mail transfer agents are the most up-to-date version (which pass
+ security audits) of the software.
+
+ Educate your users about how to react to spew and spewers. Make sure
+ instructions for writing rules for mailers are clear and available.
+ Support their efforts to deal with unwanted mail at the local level -
+ taking some of the burden from your system administrators.
+
+ Make sure you have an address for abuse complaints. If complainers
+ can routinely send mail to "abuse@BigISP.example" and you have
+ someone assigned to read that mail, workflow will be much smoother.
+ Don't require people complaining about spam to use some unique local
+ address for complaints. Read and use 'postmaster' and 'abuse'. We
+ recommend adherence to RFC 2142, _Mailbox Names for Common Services,
+ Roles and Functions._ [7].
+
+ Finally, write your contracts and terms and conditions in such
+ language that allows you to suspend service for offenders, and so
+ that you can impose a charge on them for your costs in handling the
+ complaints their abuse generates and/or terminating their account and
+ cleaning up the mess they make. Some large ISPs have found that they
+ can fund much of their abuse prevention staff by imposing such
+ charges. Make sure all your customers sign the agreement before
+ their accounts are activated. There is a list of "good" Acceptable
+ Use Policies and Terms of Service at:
+
+ http://spam.abuse.net/goodsites/index.html.
+
+ Legally, you may be able to stop spammers and spam relayers, but this
+ is certainly dependent on the jurisdictions involved. Potentially,
+ the passing of spam via third party computers, especially if the
+
+
+
+Hambridge & Lunde Informational [Page 12]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ headers are forged, could be a criminal action depending on the laws
+ of the particular jurisdiction(s) involved. If your site is being
+ used as a spam relay, be sure to contact local and national criminal
+ law enforcement agencies. Site operators may also want to consider
+ bringing civil actions against the spammer for expropriation of
+ property, in particular the computer time and network bandwidth. In
+ addition, when a mailing list is involved, there is a potential
+ intellectual property rights violation.
+
+ There are a few law suits in the courts now which claim spammers
+ interfered with and endangered network connectivity. At least one
+ company is attempting to charge spammers for the use of its networks
+ (www.kclink.com/spam/).
+
+7. Security Considerations
+
+ Certain actions to stop spamming may cause problems to legitimate
+ users of the net. There is a risk that filters to stop spamming will
+ unintentionally stop legitimate mail too. Overloading postmasters
+ with complaints about spamming may cause trouble to the wrong person,
+ someone who is not responsible for and cannot do anything to avoid
+ the spamming activity, or it may cause trouble out of proportion to
+ the abuse you are complaining about. Be sure to exercise discretion
+ and good judgment in all these cases. Check your local escalation
+ procedure. The Site Security Handbook [2] can help define an
+ escalation procedure if your site does not have one defined.
+
+ Lower levels of network security interact with the ability to trace
+ spam via logs or message headers. Measures to stop various sorts of
+ DNS and IP spoofing can make this information more reliable.
+ Spammers can and will exploit obvious security weaknesses, especially
+ in NNTP servers. This can lead to denial of service, either from the
+ sheer volume of posts, or as a result of action taken by upstream
+ providers.
+
+8. Acknowledgments
+
+ Thanks for help from the IETF-RUN working group, and also to all the
+ spew-fighters. Specific thanks are due to J.D. Falk, whose very
+ helpful Anti-spam FAQ proved valuable. Thanks are also due to the
+ vigilance of Scott Hazen Mueller and Paul Vixie, who run
+ spam.abuse.net, the Anti-spam web site. Thanks also to Jacob Palme,
+ Chip Rosenthal, Karl Auerbach for specific text: Jacob for the
+ Security Considerations section, Chip for the configuration
+ suggestions in section 5, Karl for the legal considerations. Andrew
+ Gierth was very helpful with Netnews spam considerations. And thanks
+ to Gary Malkin for proofing and formatting.
+
+
+
+
+Hambridge & Lunde Informational [Page 13]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+9. References
+
+ [1] See for example spam-l@peach.ease.lsoft.com
+
+ [2] Fraser, B., "Site Security Handbook", FYI 8, RFC 2196, September
+ 1997.
+
+ [3] "Current Spam thresholds and guidelines," Lewis, Chris and Tim
+ Skirvin, http://www.killfile.org/~tskirvin/faqs/spam.html.
+
+ [4] Schwartz, Alan and Simson Garfinkel, "Stopping Spam," O'Reilly
+ and Associates, 1998.
+
+ [5] Crocker, D., "Standard for the format of ARPA Internet text
+ messages", STD 11, RFC 822, August 1982.
+
+ [6] Braden, R., "Requirements for Internet hosts - application and
+ support", STD 3, RFC 1123, October 1989.
+
+ [7] Crocker, D., "Mailbox Names for Common Services, Roles and
+ Functions", RFC 2142, May 1997.
+
+ * Spam is a name of a meat product made by Hormel. "spam" (no
+ capitalization) is routinely used to describe unsolicited bulk
+ email and netnews posts.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hambridge & Lunde Informational [Page 14]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+10. Appendix - How to Track Down Spammers
+
+ In a large proportion of spams today, complaining to the postmaster
+ of the site that is the apparent sender of a message will have little
+ effect because either the headers are forged to disguise the source
+ of the message, or the senders of the message run their own
+ system/domain, or both.
+
+ As a result, it may be necessary to look carefully at the headers of
+ a message to see what parts are most reliable, and/or to complain to
+ the second or third-level Internet providers who provide Internet
+ service to a problem domain.
+
+ In many cases, getting reports with full headers from various
+ recipients of a spam can help locate the source. In extreme cases of
+ header forgery, only examination of logs on multiple systems can
+ trace the source of a message.
+
+ With only one message in hand, one has to make an educated guess as
+ to the source. The following are only rough guidelines.
+
+ In the case of mail messages, "Received:" headers added by systems
+ under control of the destination organization are most likely to be
+ reliable. You can't trust what the source domain calls itself, but
+ you can usually use the source IP address since that is determined by
+ the destination domain's server.
+
+ In naive mail forgeries, the "Message-ID:" header may show the first
+ SMTP server to handle the message and/or the "Received:" headers may
+ all be accurate, but neither can be relied on. Be especially wary
+ when the Received: headers have other headers intermixed. Normally,
+ Received: headers are all together in a block, and when split up, one
+ or the other blocks is probably forged.
+
+ In the case of news messages, some part of the Path: header may be a
+ forgery; only reports from multiple sites can make this clear. In
+ naive news forgeries, the "NNTP-Posting-Host:" header shows the
+ actual source, but this can be forged too.
+
+ If a spam message advertises an Internet server like a WWW site, that
+ server must be connected to the network to be usable. Therefore that
+ address can be traced. It is appropriate to complain to the ISP
+ hosting a web site advertised in a SPAM, even if the origin of the
+ spam seems to be elsewhere. Be aware that the spam could be an
+ attack on the advertised site; the perpetrator knows the site will be
+ deluged with complaints and their reputation will be damaged. Any
+ spam with an electronic address in it is suspect because most
+ spammers know they're unwelcome and won't make themselves accessible.
+
+
+
+Hambridge & Lunde Informational [Page 15]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+ Here is an example mail header:
+
+----
+From friendlymail@209.214.12.258.com Thu Feb 26 20:32:47 1998
+Received: from clio.sc.intel.com by Ludwig.sc.intel.com (4.1/SMI-4.1)
+ id AA05377; Thu, 26 Feb 98 20:32:46 PST
+Received: from 209.214.12.258.com (209.214.12.258.com [208.26.102.16])
+ by clio.sc.intel.com (8.8.6/8.8.5) with ESMTP id UAA29637
+ for <sallyh@intel.com>; Thu, 26 Feb 1998 20:33:30 -0800 (PST)
+Received: ok
+X-Sender: promo1@gotosportsbook.com
+X-Advertisement: <a href="http://www.opt-out.com">
+Click here to be removed.
+Date: Thu, 26 Feb 1998 23:23:03 -0500
+From: Sent By <promo1@gotosportsbook.com>
+Reply-To: Sent By <promo1@gotosportsbook.com>
+To: friend@bulkmailer
+Subject: Ad: FREE $50 in Sportsbook & Casino
+X-Mailer: AK-Mail 3.0b [eng] (unregistered)
+Mime-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+Sender: friendlymail@aqua.258.com
+Message-Id: <bulk.6508.19980226232535@aqua.258.com>
+Status: R
+----
+
+ Doing a traceroute on an IP address or DNS address will show what
+ domains provide IP connectivity from you to that address.
+
+ Using whois and nslookup, one can try to determine who is
+ administratively responsible for a domain.
+
+ In simple cases, a user of a responsible site may be exploiting an
+ account or a weakness in dial-up security; in those cases a complaint
+ to a single site may be sufficient. However, it may be appropriate to
+ complain to more than one domain, especially when it looks like the
+ spammers run their own system.
+
+ If you look at the traceroute to an address, you will normally see a
+ series of domains between you and that address, with one or more
+ wide-area/national Internet Service Providers in the middle and
+ "smaller" networks/domains on either end. It may be appropriate to
+ complain to the domains nearer the source, up to and including the
+ closest wide-area ISP. However, this is a judgement call.
+
+ If an intermediate site appears to be a known, responsible domain,
+ stopping your complaints at this point makes sense.
+
+
+
+Hambridge & Lunde Informational [Page 16]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+Authors' Information
+
+ Sally Hambridge
+ Intel Corp, SC11-321
+ 2200 Mission College blvd
+ Santa Clara, CA 95052
+
+ EMail: sallyh@ludwig.sc.intel.com
+
+
+ Albert Lunde
+ Northwestern University
+ Suite 1400
+ 1603 Orrington Avenue
+ Evanston, IL 60201
+
+ EMail: Albert-Lunde@nwu.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hambridge & Lunde Informational [Page 17]
+
+RFC 2635 DON'T SPEW June 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hambridge & Lunde Informational [Page 18]
+