Internet-Draft                                               Intel Corp.
draft-ietf-run-spew-01.txt                                  Albert Lunde
Expires September, 1997                          Northwestern University


                               DON'T SPEW
                A Set of Guidelines for Mass Unsolicited
                     Mailings and Postings (Spam*)


Abstract

   This document explains why mass unsolicited electronic mail
   messages are not useful in the Internetworking community.  It gives a
   set of guidelines for dealing with unsolicited mail for users, for
   system administrators, news administrators, and mailing list
   managers.  It also makes suggestions Internet Service Providers might
   follow.


Status of This Memo

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts. Comments on this draft should
   be sent to ietf-run@mailbag.intel.com.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   To learn the current status of any Internet-Draft, please check the
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).


1. Introduction

   The Internet's origins in the Research and Education communities
   played an important role in the foundation and formation of Internet
   culture.  This culture defined rules for network etiquette
   (netiquette) and communication based on the Internet's being
   relatively off-limits to commercial enterprise.



Hambridge, Lunde            Expires: 15Jan98                    [Page 1]


Internet Draft                 Don't Spew                      July 1997


   As we know, this all changed when the US Government was no longer the
   primary funding body for the US Internet, when the Internet truly
   went global, and when all commercial enterprises were allowed to
   obtain Fully Qualified Domain Names.  Internet culture had become
   deeply embedded in the protocols the network used.  Although the
   social context has changed, the technical limits of the Internet
   protocols still require a person to enforce certain limits on
   resource usage for the 'Net to function effectively.  Strong
   authentication was not built into the News and Mail protocols.  There
   was no end-to-end cost accounting and/or cost recovery.  Bandwidth is
   shared among all traffic without resource reservation (although this
   is changing).

   Unfortunately for all of us, the culture so carefully nurtured
   through the early years of the Internet was not fully transferred to
   all those new entities hooking into the bandwidth.  Many of those
   entities believe they have found a paradise of thousands of potential
   customers each of whom is desperate to learn about stunning new
   business opportunities.  Alternatively, some of the new netizens
   believe all people should at least hear about the one true religion
   or political party or process.

   While there may be thousands of folks desperate for any potential
   message, mass mailings or Netnews postings are not at all appropriate
   on the 'Net.  This document explains why mass unsolicited email and
   Netnews posting (aka spam*) is bad, what to do if you get it, what
   webmasters, postmasters, and news admins can do about it, and how an
   Internet Service Provider might respond to it.


2. What Is Spam?

   The term "spam," as it is used to denote mass unsolicited mailings or
   netnews postings, derives from a Monty Python sketch set in a
   movie/TV studio cafeteria.  During that sketch, the word "spam" takes
   over each item offered on the menu until the entire dialogue consists
   of nothing but "spam spam spam spam spam spam and spam".  This so
   closely resembles what happens when mass unsolicited mail and posts
   take over mailing lists and netnews groups that the term has been
   pushed into common usage in the Internet community.

   When unsolicited mail is sent to a mailing list and/or news group it
   frequently generates more hate mail to the list or group by people
   who do not realize the source of the mail.  If the mailing contains
   suggestions for removing your name from a mailing list, 10s to 100s
   of people will respond to the list with "remove" messages meant for
   the originator. So, the original message (spam) creates more unwanted
   mail (spam spam spam spam), which generates more unwanted mail (spam
   spam spam spam spam spam and spam.)  Similar occurrences are
   perpetuated in newsgroups, but this is held somewhat in check by
   "cancelbots" (programs which cancel postings) triggered by mass
   posting.


3. Why Mass Mailing Is Bad

   In the world of paper mail we're all used to receiving unsolicited
   circulars, advertisements, and catalogs.  Generally we don't object
   to this - we look at what we find of interest, and we discard/recycle
   the rest.  Why should receiving unsolicited email be any different?

   The answer is that the cost model is different.  In the paper world,
   the cost of mailing is borne by the sender.  The sender must pay for
   the privilege of creating the ad and the cost of mailing it to the
   recipient.  In the world of electronic communications, the recipient
   bears the majority of the cost.  Yes, the sender still has to compose
   the message and the sender also has to pay for Internet connectivity.
   However, the recipient ALSO has to pay for Internet connectivity and
   possibly also connect time charges, so for electronic mailings the
   recipient is expected to help share the cost of the mailing.

   Of course, this cost model is very popular with those looking for
   cheap methods to get their message out.  By the same token, it's very
   unpopular with people who have to pay for their messages just to find
   that their mailbox is full of junk mail.  Consider this: if you had
   to pay for receiving paper mail would you pay for junk mail?

   Frequently spammers indulge in unethical behavior such as using mail
   servers which allow mail to be relayed to send huge amounts of
   electronic solicitations.  Or they forge their headers to make it
   look as if the mail originates from a different domain.  These kinds
   of people don't care that they're intruding into a personal or
   business mailbox nor do they care that they are using other people's
   resources without compensating them.

   But what about free speech?  Doesn't the US Constitution guarantee
   the ability to say whatever one likes?  First, the U.S. Constitution
   is law only in the U.S., and the Internet is global.  There are
   places your mail will reach where free speech is not a given.
   Second, the U.S. Constitution does NOT guarantee one the right to
   say whatever one likes.  The example of yelling "FIRE" in a crowded
   theater comes to mind.  In general, the U.S. Constitution refers to
   political freedom of speech and not to commercial freedom of speech.
   Finally, there are laws which govern other areas of electronic
   communication, namely the "junk fax" laws.  Although these have yet
   to be applied to electronic mail they are still an example of the
   "curbing" of "free speech."  Free speech does not, in general,
   require other people to spend their money and resources to deliver
   your message.

   The crux of sending large amounts of unsolicited mail and news is not
   a legal issue so much as an ethical one.  If you are tempted to send
   unsolicited "information" ask yourself these questions: "Whose
   resources is this using?"  "Did they consent in advance?"  "What
   would happen if everybody (or a very large number of people) did
   this?"  "How would I feel if 90% of the mail I received was
   advertisements for stuff I didn't want?"  "How would I feel if 95% of
   the mail I received was advertisements for stuff I didn't want?"
   "How would I feel if 99% of the mail I received was advertisements
   for stuff I didn't want?"

   Although hard numbers on the volume and rate of increase of spam are
   not easy to find, seat-of-the-pants estimates from the people on the
   spam mailing list [1] indicate that unsolicited mail/posts seems to
   be following the same path of exponential growth as the Internet as a
   whole [2].  This is NOT encouraging, as this kind of increase puts a
   strain on servers, connections, routers, and the bandwidth of the
   Internet as a whole.

   Finally, sending large volumes of unsolicited email or posting
   voluminous numbers of Netnews postings is just plain rude.  Consider
   the following analogy: suppose you discovered a large party going on
   in a house on your block.  Uninvited, you appear, then join each
   group in conversation, force your way in, SHOUT YOUR OPINION of
   whatever you happen to be thinking about at the time, drown out all
   other conversation, then scream "discrimination" when folks tell you
   you're being rude.

   To continue the party analogy, suppose that instead of forcing your
   way into each group you stood on the outskirts a while and listened
   to the conversation, then gradually began to add comments relevant
   to the discussion, and only then began to tell people your opinion
   of the issues they were discussing.  They would probably be less
   inclined to look badly on your intrusion.
   Note that you are still intruding.  And that it would still be
   considered rude to offer to sell products or services to the guests
   even if the products and services were relevant to the discussion.
   You are in the wrong venue and you need to find the right one.

   Lots of spammers believe that they can be forgiven their behavior by
   beginning their messages with an apology, or by personalizing their
   messages with the recipient's real name, or by using a number of
   ingratiating techniques.  But, much like the techniques used by Uriah
   Heep in Dickens' _David Copperfield_, these usually have an effect
   opposite to the one intended.  Poor excuses ("It's not illegal."
   "This will be the only message you receive."  "This is an ad." "It's
   easy to REMOVE yourself from our list.") are still excuses.
   Moreover, they are likely to make the recipient MORE aggravated
   rather than less aggravated.


4a. ACK!  I've Been Spammed - Now What?

   It's unpleasant to receive mail which you do not want.  It's even
   more unpleasant if you're paying for connect time to download it.
   And it's really unpleasant to receive mail on topics which you find
   offensive.  Now that you're good and mad, what's an appropriate
   response?

   First, you always have the option to delete it and get on with your
   life.  This is the easiest and safest response.  It does not
   guarantee you won't get more of the same in the future, but it does
   take care of the current problem.

   Second, send the mail back to the originator objecting to your being
   on the mailing-list.  Check the headers carefully to find this
   information.  Get your local support staff to help you if you do not
   know how to do this.  Be aware, though, that many folks who develop
   these lists take "Please desist" messages and throw them away.
   Alternatively, they take these messages and create mailing-lists to
   sell to others.  Still, it is a way to register your disapproval.

   Next, be sure to carbon copy the postmaster of the offending site.
   You can do this by sending mail To: Postmaster@offending-site.domain.
   Again, many organizations which send unsolicited mail have this
   address aliased to go nowhere.  But it can't hurt.  Good sites are
   now using an "abuse" address for people to complain about spam.  Send
   complaints about unsolicited mail and posts to
   abuse@offending-site.domain.

   When complaining about questionable mail
   messages or news postings, be sure to include the full headers; most
   mail and news programs don't display the full headers by default.
   For email, it is especially important to show the Received: headers;
   for Usenet news, the Path:  header, as these normally show the route
   by which the mail or news was delivered.

   Cc your own postmaster if your organization allows this.  Your
   organization may have the ability to block incoming unwanted mail, so
   it doesn't hurt to let your postmaster know you're getting unwanted
   mail.  This is especially true if the mail is offensive.

   If your personal mailer allows you to write rules, write a rule which
   sends mail from the originator of the unwanted mail to the trash.
   That way, although you still have to pay to download it, you won't
   have to read it!

   Finally, DO NOT respond by sending back large volumes of unsolicited
   mail.  Two wrongs do not make a right.  Do not become your enemy.
   And take it easy on the network.

   Check the Appendix for a detailed explanation of tools and
   methodology to use when trying to chase down a spammer.


4b. There's a Spam In My Group!

   Netnews is also subject to spamming.  Here, several factors help to
   mitigate against the propagation of spam in news, although they don't
   entirely solve the problem.  Newsgroups and mailing lists may be
   moderated, which means that a moderator approves all mail/posts.  If
   this is the case, the moderator usually acts as a filter to remove
   unwanted and off-topic posts/mail.

   In Netnews, there are
   programs which detect posts which have been sent to multiple groups
   or which detect multiple posts from the same source to one group.
   These programs cancel the posts.  While these work and keep
   unsolicited posts down, they are not 100% effective and spam in
   newsgroups seems to be growing at an even faster rate than spam in
   mail or on mailing lists.  After all, it's much easier to post to a
   newsgroup for which there are thousands of readers than it is to find
   individual email addresses for all those folks.  Hence the
   development of the "cancelbots" (sometimes called "cancelmoose") for
   Netnews groups.  Cancelbots are triggered when one message is sent to
   a large number of newsgroups or when many small messages are sent
   (from one sender) to the same newsgroup.  In general, these are tuned
   to the "Breidbart Index" [3] which is a somewhat fuzzy measure of the
   interactions of the number of posts and number of groups.  This is
   fuzzy purposefully, so that people will not post a number of messages
   just under the index and still "get away with it."  Still, spam gets
   through; so, what can a concerned netizen do?

   If there is a group moderator, make sure s/he knows that off-topic
   posts are slipping into the group.  If there is no moderator, you
   could take the same steps for dealing with news as are recommended
   for mail with all the same caveats.


5. Help for Beleaguered Admins

   As a system administrator, news administrator, local Postmaster, or
   mailing-list administrator, your users will come to you for help in
   dealing with unwanted mail and posts.  First, find out what your
   institution's policy is regarding unwanted/unsolicited mail.  It is
   possible that it won't do anything for you, but it is also possible
   to use it to justify blocking a domain which is sending particularly
   offensive mail to your users.  If you don't have a clear policy, it
   would be really useful to create one.  If you are a mailing-list
   administrator, make sure your mailing-list charter forbids off-topic
   posts.  If your internal-only newsgroups are getting spammed from the
   outside of your institution, you probably have bigger problems than
   just spam.

   Make sure that your mail and news transports are configured so that
   you don't inadvertently contribute to the spam problem.  Ensure your
   mail and news transports are configured to reject messages injected
   by parties outside your domain.  SMTP source routing
   <@relay.host:user@dest.host> is becoming deprecated due to its
   overwhelming abuse by spammers.  Consider configuring your mail
   transport to reject relayed messages (when neither the sender nor the
   recipient are within your domain).  Consider configuring your
   firewall to prohibit SMTP (mail) and NNTP (news) connections from
   clients within your domain to outside servers.  Ensure that messages
   generated within your domain have proper identity information in the
   headers, and users cannot forge headers.
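
   The relay check described above, written out as a decision function.
   This is an added example, not part of the draft; the domain, networks
   and sample sessions are constructed.  It decides "inside your domain"
   from the connecting client's address, because the envelope sender can
   be forged; the weaker sender-domain test is kept behind a flag for
   comparison.

```python
import ipaddress
import re

# Assumptions for this sketch (not from the draft): the domains this
# server accepts mail for, and the networks its own clients connect from.
LOCAL_DOMAINS = {"example.org"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# SMTP source route, e.g. <@relay.host:user@dest.host>
SOURCE_ROUTE = re.compile(r"^<?@[^:>]+:")


def domain_of(address):
    """Lower-cased domain part of an envelope address, '' if there is none."""
    addr = address.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_local_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)


def is_local_client(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LOCAL_NETS)


def relay_decision(client_ip, mail_from, rcpt_to, trust_sender_domain=False):
    """Return (accept, reason) for one RCPT TO during an SMTP session.

    trust_sender_domain=True is the weak variant: it treats the MAIL FROM
    domain as proof of being "inside", which any outside client can claim.
    """
    if SOURCE_ROUTE.match(rcpt_to.strip()):
        return (False, "source route refused")
    if is_local_domain(domain_of(rcpt_to)):
        return (True, "inbound to local recipient")
    if trust_sender_domain:
        inside = is_local_domain(domain_of(mail_from))
    else:
        inside = is_local_client(client_ip)
    if inside:
        return (True, "outbound from local sender")
    return (False, "third-party relay refused")


# Constructed sessions: (client IP, MAIL FROM, RCPT TO)
SESSIONS = [
    ("198.51.100.42", "<a@elsewhere.example>", "<user@example.org>"),
    ("192.0.2.25", "<user@example.org>", "<friend@example.com>"),
    ("198.51.100.42", "<forged@example.org>", "<victim@example.com>"),
    ("198.51.100.42", "<a@elsewhere.example>",
     "<@mail.example.org:victim@example.com>"),
]

if __name__ == "__main__":
    for session in SESSIONS:
        print(session, relay_decision(*session))
```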

   If you have the capability (i.e., you are running a mail transfer
   agent which allows it) consider blocking well known offending sites
   from ever getting mail into your site.  However, it is a well-known
   problem that offenders create domains more quickly than postmasters
   can block them.  Also, help your users learn enough about their
   mailers so that they can write rules to filter their own mail, or
   provide rules and kill files for them to use.

   Use well-known Internet tools, such as whois and traceroute to find
   which ISP is serving your problem site.  Notify the postmaster/abuse
   address that they have an offender.  Be sure to pass on all header
   information in your messages to help them with tracking down the
   offender.  If they have a policy against using their service to post
   unsolicited mail they will need more than just your say-so that there
   is a problem.  Also, the "originating" site may be a victim of the
   offender as well.  It's not unknown for those sending this kind of
   mail to bounce their mail through dial-up accounts, or off
   unprotected mail servers at other sites.  Use caution in your
   approach to those who look like the offender.

   News spammers
   use similar techniques for sending spam to the groups.  They have
   been known to forge headers and bounce posts off "open" news machines
   and remailers to cover their tracks.  During the height of the
   infamous David Rhodes "Make Money Fast" posts, it was not unheard of
   for students to walk away from terminals which were logged in, and
   for sneaky folks to then use their accounts to forge posts, much to
   the later embarrassment of both the student and the institution.

   Participate in mailing lists and news groups which discuss
   unsolicited mail/posts and the problems associated with it.
   News.admin.net-abuse.announce is probably the most well-known of
   these.


6. What's An ISP To Do

   As an ISP, you first and foremost should decide what your stance
   against unsolicited mail and posts should be.  If you decide not to
   tolerate unsolicited mail, write a clear acceptable use policy which
   states your position and delineates consequences for abuse.  If you
   state that you will not tolerate use of your resource for unsolicited
   mail/posts, and that the consequence will be loss of service, you
   should be able to cancel offending accounts relatively quickly
   (verifying, of course, that the account really IS being mis-used).
   If you have downstreaming arrangements with other providers, you
   should make sure they are aware of any policy you set.  Likewise, you
   should be aware of your upstream providers' policies.

   Consider limiting access for dialup accounts so they cannot be used
   by those who spew.  Make sure your mail servers aren't open for mail
   to be bounced off them.  Make sure your mail transfer agents are the
   most up-to-date version of the software (one which passes security
   audits).

   Educate your users about how to react to spew and spewers.  Make sure
   instructions for writing rules for mailers are clear and available.
   Support their efforts to deal with unwanted mail at the local level -
   taking some of the burden from your sys admins.

   Make sure you have an address for abuse complaints.  If complainers
   can routinely send mail to "abuse@BigISP.com" and you have someone
   assigned to read that mail, workflow will be much smoother.  Don't
   require people complaining about spam* to use some unique local
   address for complaints.  Read and use 'postmaster' and 'abuse'.

   Finally, write your contracts and terms and conditions in such
   language that allows you to suspend service for offenders.  Make sure
   all your customers sign it before their accounts are activated.

   Legally, you may be able to stop spammers and spam relayers, but this
   is certainly dependent on the jurisdictions involved.  Potentially,
   the passing of spam via third party computers, especially if the
   headers are forged, could be a criminal action depending on the laws
   of the particular jurisdiction(s) involved.  If your site is being
   used as a spam relay, be sure to contact local and national criminal
   law enforcement agencies.  Site operators may also want to consider
   the bringing of civil actions against the spammer for expropriation
   of property, in particular the computer time and network bandwidth.
   In addition, when a mailing list is involved, there is a potential
   intellectual property rights violation.


6. Security Considerations

   Certain actions to stop spamming may cause problems to legitimate
   users of the net.  There is a risk that filters to stop spamming will
   unintentionally stop legitimate mail too.  Overloading postmasters
   with complaints about spamming may cause trouble to the wrong person,
   someone who is not responsible for and cannot do anything to avoid
   the spamming activity, or it may cause trouble out of proportion to
   the abuse you are complaining about.

   Lower levels of network security interact with the ability to trace
   spam via logs or message headers.  Measures to stop various sorts of
   DNS and IP spoofing can make this information more reliable.


7. Acknowledgements

   Thanks for help from the IETF-RUN working group, and also to all the
   spew-fighters.  Specific thanks are due to J.D. Falk, whose very
   helpful Anti-spam* FAQ proved helpful.  Thanks are also due to the
   vigilance of Scott Hazen Mueller and Paul Vixie, who run
   www.spam.abuse.net/, the Anti-spam* web site.  Thanks also to Jacob
   Palme, Chip Rosenthal, Karl Auerbach for specific text: Jacob for the
   Security Considerations section, Chip for the configuration
   suggestions in section 5, Karl for the legal considerations.


8. References

   [1] As reported in messages on the spam@zorch.sf.bay.org (private)
       mailing list in May, 1997.

   [2] Holbrook, J.P.; Reynolds, J.K. "Site Security Handbook; RFC
       1244," July 1991.  Available via anonymous ftp at
       ftp://ds.internic.net/rfc/rfc1244.txt

   [3] _Current Spam thresholds and guidelines_. Lewis, Chris and Tim
       Skirvan.  http://www.uiuc.edu/ph/www/tskirvan/spam.html.

   * Spam (R) is a registered trademark of a meat product made by
   Hormel.


9. Appendix - How To Track Down Spammers

   In a large proportion of spams today, complaining to the postmaster
   of the site that is the apparent sender of a message will have little
   effect because either the headers are forged to disguise the source
   of the message, or the sender of the message runs their own
   system/domain, or both.

   As a result, it may be necessary to look carefully at the headers of
   a message to see what parts are most reliable, and/or to complain to
   the second or third-level Internet providers who provide Internet
   service to a problem domain.

   In many cases, getting reports with full headers from various
   recipients of a spam can help locate the source. In extreme cases of
   header forgery, only examination of logs on multiple systems can
   trace the source of a message.

   With only one message in hand, one has to make an educated guess as
   to the source. The following are only rough guidelines.

   In the case of mail messages, "Received:" headers added by systems
   under control of the destination organization are most likely to be
   reliable. You can't trust what the source domain calls itself, but
   you can usually use the source IP address since that is determined by
   the destination domain's server.

   In naive mail forgeries, the "Message-ID:" header may show the first
   SMTP server to handle the message and/or the "Received:" headers may
   all be accurate, but neither can be relied on.
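
   One way to apply this rule to a message in hand: walk the "Received:"
   lines from the top and stop at the first one, stamped by a server you
   control, whose recorded peer address lies outside your own networks.
   This is an added example, not part of the draft; the sample message,
   host names and the "from NAME (RDNS [IP]) by HOST" layout it parses
   are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample (not from the draft).  Each server prepends its own
# Received: line, so the newest, most trustworthy stamp comes first.
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mailhub.example.org with ESMTP; Tue, 1 Jul 1997 10:00:05 -0500
Received: from bigbank.example.com (dial42.example.net [198.51.100.42])
\tby mx1.example.org with SMTP; Tue, 1 Jul 1997 10:00:01 -0500
Received: from trusted.example.edu (trusted.example.edu [203.0.113.7])
\tby bigbank.example.com with SMTP; Tue, 1 Jul 1997 09:59:00 -0500
From: offers@bigbank.example.com
Message-ID: <123@trusted.example.edu>
Subject: constructed sample

body
"""

# Assumed layout: "from <claimed name> (<reverse DNS> [<peer IP>]) by <host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Parse one (possibly folded) Received: value; None if unrecognised."""
    match = RECEIVED_RE.search(" ".join(value.split()))
    return match.groupdict() if match else None


def entry_point(raw_message, trusted_by, internal_nets):
    """Find where the message entered your organisation.

    trusted_by: lower-case names of servers you operate (their stamps count).
    internal_nets: your own networks; hops between them are skipped.
    Returns a dict describing the boundary hop, or None if the chain of
    your own stamps is broken before an outside address is reached.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hops = email.message_from_string(raw_message).get_all("Received") or []
    for index, value in enumerate(hops):
        hop = parse_received(value)
        if hop is None or hop["by"].lower() not in trusted_by:
            return None
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:
            return None
        if any(ip in net for net in nets):
            continue  # hand-off between your own machines
        rdns = hop["rdns"]
        return {
            "source_ip": str(ip),            # recorded by your server
            "claimed_name": hop["helo"],     # supplied by the sender
            "reverse_dns": rdns,
            "name_mismatch": rdns is None or rdns.lower() != hop["helo"].lower(),
            "recorded_by": hop["by"],
            "unverified_hops_below": len(hops) - index - 1,
        }
    return None


if __name__ == "__main__":
    ours = {"mailhub.example.org", "mx1.example.org"}
    print(entry_point(SAMPLE, ours, ["192.0.2.0/24"]))
```

   The address to take to whois or traceroute is "source_ip"; the lines
   counted in "unverified_hops_below" were written before the message
   reached you and may be forged.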

   In the case of news messages, some part of the Path: header may be a
   forgery; only reports from multiple sites can make this clear.  In
   naive news forgeries, the "NNTP-Posting-Host:" header shows the
   actual source, but this can be forged too.

   If a spam message advertises an Internet server like a WWW site, that
   server must be connected to the network to be usable.  Therefore that
   address can be traced. It is appropriate to complain to the ISP
   hosting a web site advertised in a spam, even if the origin of the
   spam seems to be elsewhere.

   Doing a traceroute on an IP address or DNS address will show what
   domains provide IP connectivity from you to that address.

   Using whois and nslookup, one can try to determine who is
   administratively responsible for a domain.

   In simple cases, a user of a responsible site may be exploiting an
   account or a weakness in dial-up security; in those cases a complaint
   to a single site may be sufficient. However, it may be appropriate to
   complain to more than one domain, especially when it looks like the
   spammer runs their own system.

   If you look at the traceroute to an address, you will normally see a
   series of domains between you and that address, with one or more
   wide-area/national Internet Service Providers in the middle and
   "smaller" networks/domains on either end. It may be appropriate to
   complain to the domains nearer the source, up to and including the
   closest wide-area ISP.  However, this is a judgement call.

   If an intermediate site appears to be a known, responsible domain,
   stopping your complaints at this point makes sense.


   Authors' Addresses

   Sally Hambridge
   Intel Corp, SC11-321
   2200 Mission College Blvd
   Santa Clara, CA 95052
   sallyh@ludwig.sc.intel.com

   Albert Lunde
   Northwestern University
   2129 Campus Drive North
   Evanston, IL 60208
   Albert-Lunde@nwu.edu