Spew Draft

Sally Hambridge <sallyh@LUDWIG.SC.INTEL.COM> Mon, 26 October 1998 18:58 UTC

Received: from mailbag.cps.intel.com (mailbag.cps.intel.com [192.102.199.72]) by ietf.org (8.8.5/8.8.7a) with ESMTP id NAA26817 for <run-archive@LISTS.IETF.ORG>; Mon, 26 Oct 1998 13:58:51 -0500 (EST)
Received: from mailbag.intel.com (mailbag.cps.intel.com [192.102.199.72]) by mailbag.cps.intel.com (8.8.6/8.8.5) with ESMTP id KAA14340; Mon, 26 Oct 1998 10:46:59 -0800 (PST)
Received: from MAILBAG.INTEL.COM by MAILBAG.INTEL.COM (LISTSERV-TCP/IP release 1.8c) with spool id 27208 for IETF-RUN@MAILBAG.INTEL.COM; Mon, 26 Oct 1998 10:46:58 -0800
Received: from crotus.sc.intel.com (crotus.sc.intel.com [143.183.152.26]) by mailbag.cps.intel.com (8.8.6/8.8.5) with ESMTP id KAA14120 for <ietf-run@mailbag.cps.intel.com>; Mon, 26 Oct 1998 10:38:27 -0800 (PST)
Received: from Ludwig.sc.intel.com (ludwig.sc.intel.com [143.183.2.83]) by crotus.sc.intel.com (8.8.6/8.8.5) with SMTP id KAA01795 for <ietf-run@mailbag.intel.com>; Mon, 26 Oct 1998 10:36:13 -0800 (PST)
Received: by Ludwig.sc.intel.com (4.1/SMI-4.1) id AA20615; Mon, 26 Oct 98 10:36:04 PST
Message-ID: <9810261836.AA20615@Ludwig.sc.intel.com>
Date: Mon, 26 Oct 1998 10:36:04 -0800
Reply-To: IETF-RUN <IETF-RUN@mailbag.cps.intel.com>
Sender: IETF-RUN <IETF-RUN@mailbag.cps.intel.com>
From: Sally Hambridge <sallyh@LUDWIG.SC.INTEL.COM>
Subject: Spew Draft
Comments: To: ietf-run@mailbag.cps.intel.com
To: IETF-RUN@mailbag.cps.intel.com

IETF-Runners:  Here's the draft with IESG comments
implemented.  Section 4a is much shorter with all of
the "postmaster" stuff deleted except sending to
your own postmaster.

I did add a reference to the _Stopping Spam_ book, since
I grabbed a copy, ran through it, and it is up to the
O'Reilly standard.

You've all been fairly quiet lately, so please do take
a look at this soon.

If there are no comments by Nov 9, I'd like April to
take it back to the IESG.

Thanks,
Sally
sallyh@ludwig.sc.intel.com

IETF RUN Working Group                        Sally Hambridge
Internet-Draft                                Intel Corp. SC11-321
draft-ietf-run-spew-07.txt                    2200 Mission College Blvd
Expires April, 1999                           Santa Clara, CA 95070

                                              Albert Lunde
                                              Northwestern University
                                              2129 Campus Drive North
                                              Evanston, IL 60208

                                DON'T SPEW
                 A Set of Guidelines for Mass Unsolicited
                         Mailings and Postings (spam*)

Status of This Memo

     This document is an Internet-Draft.  Internet-Drafts are working
     documents of the Internet Engineering Task Force (IETF), its
     areas, and its working groups.  Note that other groups may also
     distribute working documents as Internet-Drafts. Comments on this
     draft should be sent to ietf-run@mailbag.intel.com.

     Internet-Drafts are draft documents valid for a maximum of six
     months and may be updated, replaced, or obsoleted by other
     documents at any time.  It is inappropriate to use Internet-
     Drafts as reference material or to cite them other than as
     ``work in progress.''

     To learn the current status of any Internet-Draft, please check
     the ``1id-abstracts.txt'' listing contained in the Internet-
     Drafts Shadow Directories on ftp.is.co.za (Africa),
     nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
     ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast).

Abstract

This document explains why mass unsolicited electronic mail
messages are harmful in the Internetworking community.  It gives
a set of guidelines for dealing with unsolicited mail for users,
for system administrators, news administrators, and mailing list
managers.  It also makes suggestions Internet Service Providers
might follow.

1. Introduction

        The Internet's origins in the Research and Education
communities played an important role in the foundation and formation
of Internet culture.  This culture defined rules for network etiquette
(netiquette) and communication based on the Internet's being relatively
off-limits to commercial enterprise.

        This all changed when the U.S. Government was no longer
the primary funding body for the U.S. Internet, when the Internet truly
went global, and when all commercial enterprises were allowed to
join what had been strictly research networks.  Internet culture had
become deeply embedded in the protocols the network used.  Although
the social context has changed, the technical limits of the
Internet protocols still require a person to enforce certain
limits on resource usage for the 'Net to function effectively.
Strong authentication was not built into the News and Mail protocols.
The only thing that is saving the Internet from congestion collapse
is the voluntary inclusion of TCP backoff in almost all of the
TCP/IP driver code on the Internet.  There is no end-to-end cost
accounting and/or cost recovery.  Bandwidth is shared among all traffic
without resource reservation (although this is changing).

        Unfortunately for all of us, the culture so carefully nurtured
through the early years of the Internet was not fully transferred to all
those new entities hooking into the bandwidth.  Many of those entities
believe they have found a paradise of thousands of potential customers
each of whom is desperate to learn about stunning new business
opportunities.  Alternatively, some of the new netizens believe
all people should at least hear about the one true religion or
political party or process.  And some of them know that almost
no one wants to hear their message but just can't resist how
inexpensive the net can be to use.  While there may be thousands of
folks desperate for any potential message, mass mailings or Netnews
postings are not at all appropriate on the 'Net.

        This document explains why mass unsolicited email and
Netnews posting (aka spam) is bad, what to do if you get it,
what webmasters, postmasters, and news admins can do about it,
and how an Internet Service Provider might respond to it.

2. WHAT IS SPAM*?

        The term "spam" as it is used to denote mass unsolicited
mailings or netnews postings is derived from a Monty Python sketch
set in a movie/tv studio cafeteria.  During that sketch, the word
"spam" takes over each item offered on the menu until the entire
dialogue consists of nothing but "spam spam spam spam spam spam
and spam".  This so closely resembles what happens when mass
unsolicited mail and posts take over mailing lists and netnews groups
that the term has been pushed into common usage in the Internet
community.

        When unsolicited mail is sent to a mailing list and/or
news group it frequently generates more hate mail to the list
or group or apparent sender by people who do not realize the
true source of the message.  If the mailing contains suggestions
for removing your name from a mailing list, 10s to 100s of people
will respond to the list with "remove" messages meant for the
originator. So, the original message (spam) creates more unwanted
mail (spam spam spam spam), which generates more unwanted mail
(spam spam spam spam spam spam and spam.)  Similar occurrences are
perpetrated in newsgroups, but this is held somewhat in check by
"cancelbots" (programs which cancel postings) triggered by mass
posting.  Recently, cancelbots have fallen out of favor with those
administering News servers since the cancelbots are now generating the
same amount of traffic as spam.  Even News admins are beginning to use
filters, demonstrating that spam spam spam spam spam spam and spam
is a monumental problem.

3. WHY MASS MAILING IS BAD

        In the world of paper mail we're all used to receiving
unsolicited circulars, advertisements, and catalogs.  Generally
we don't object to this - we look at what we find of interest, and
we discard/recycle the rest.  Why should receiving unsolicited
email be any different?

        The answer is that the cost model is different.  In the
paper world, the cost of mailing is borne by the sender.  The sender
must pay for the privilege of creating the ad and the cost of mailing
it to the recipient.  An average paper commercial mailing in the U.S.
ends up costing about $1.00 per addressee.  In the world of electronic
communications, the recipient bears the majority of the cost.  Yes, the
sender still has to compose the message and the sender has to pay
for Internet connectivity.  However, the recipient ALSO has to pay for
Internet connectivity and possibly also connect time charges and for
disk space. For electronic mailings the recipient is expected to
help share the cost of the mailing.  Bulk Internet mail from the U.S.
ends up costing the sender only about 1/100th of a cent per address;
or FOUR ORDERS of magnitude LESS than bulk paper mailings!

        Of course, this cost model is very popular with those looking
for cheap methods to get their message out.  By the same token, it's
very unpopular with people who have to pay for their messages just to
find that their mailbox is full of junk mail.  Consider this: if you
had to pay for receiving paper mail would you pay for junk mail?

        Another consideration is that the increase in volume of
spam will have an impact on the viability of electronic mail as
a communications medium.  If, when you went to your postal mail box
you found four crates of mail, would you be willing to search through
the crates for the one or two pieces of mail which were not advertising?
Spam has a tremendous potential to create this scenario in the electronic
world.

        Frequently spammers indulge in unethical behavior such as
using mail servers which allow mail to be relayed to send huge amounts
of electronic solicitations.  Or they forge their headers to make it
look as if the mail originates from a different domain.   These
people don't care that they're intruding into a personal
or business mailbox nor do they care that they are using other
people's resources without compensating them.

        The huge cost difference has other bad effects.  Since even
a very cheap paper mailing is going to cost tens of (U.S.) cents there
is a real incentive to send only to those really likely to be
interested.  So paper bulk mailers frequently pay a premium to get
high quality mailing lists, carefully prune out bad addresses and pay
for services to update old addresses.  Bulk email is so cheap that
hardly anyone sending it bothers to do any of this.  As a result, the
chance that the receiver is actually interested in the mail is very, very,
very low.

        As of the date of this document, it is a daily event on the
Internet for a mail service to melt-down due to an overload of
spam.  Every few months this happens to a large/major/regional/
national/international service provider resulting in denial of
or severe degradation of service to hundreds of thousands of users.
Such service degradations usually prompt the providers to spend
hundreds of thousands of dollars upgrading their mail service equipment
just because of the volume of spam.  Service providers pass those costs
on to customers.

        Doesn't the U.S. Constitution guarantee the ability to
say whatever one likes?  First, the U.S. Constitution is law only
in the U.S., and the Internet is global.  There are places your
mail will reach where free speech is not a given.  Second, the
U.S. Constitution does NOT guarantee one the right to say whatever
one likes.  In general, the U.S. Constitution refers to political
freedom of speech and not to commercial freedom of speech. Finally,
and most importantly, the U.S. Constitution DOES NOT guarantee the
right to seize the private property of others in order to broadcast
your speech.  The Internet consists of a vast number of privately
owned networks in voluntary cooperation.  There are laws which govern
other areas of electronic communication, namely the "junk fax" laws.
Although these have yet to be applied to electronic mail they are still
an example of the "curbing" of "free speech."  Free speech does not,
in general, require other people to spend their money and resources to
deliver or accept your message.

        Most responsible Internet citizens have come to
regard unsolicited mail/posts as "theft of service".  Since the
recipient must pay for the service and for the most part the
mail/posts are advertisements of unsolicited "stuff" (products,
services, information) those receiving it believe that the
practice of making the recipient pay constitutes theft.

        The crux of sending large amounts of unsolicited mail and
news is not a legal issue so much as an ethical one.  If you are
tempted to send unsolicited "information" ask yourself these
questions:  "Whose resources is this using?"  "Did they consent
in advance?"  "What would happen if everybody (or a very large
number of people) did this?" "How would you feel if 90% of the mail
you received was advertisements for stuff you didn't want?" "How would
you feel if 95% of the mail you received was advertisements for stuff
you didn't want?"  "How would you feel if 99% of the mail you received
was advertisements for stuff you didn't want?"

        Although hard numbers on the volume and rate of increase
of spam are not easy to find, seat-of-the-pants estimates from the
people on spam discussion mailing lists [1] indicate that unsolicited
mail/posts seem to be following the same path of exponential growth as
the Internet as a whole [2].  This is NOT encouraging, as this
kind of increase puts a strain on servers, connections, routers,
and the bandwidth of the Internet as a whole.  On a per person
basis, unsolicited mail is also on the increase, and individuals
also have to bear the increasing cost of increasing numbers of
unsolicited and unwanted mail.  People interested in hard numbers
may want to point their web browsers to www.junkproof.com where
the webmaster there lists the number of spam messages he has
filtered away from his users.

        Finally, sending large volumes of unsolicited email or posting
voluminous numbers of Netnews postings is just plain rude.  Consider
the following analogy:  Suppose you discovered a large party going on
in a house on your block.  Uninvited, you appear, then join each group
in conversation, force your way in, SHOUT YOUR OPINION (with a megaphone)
of whatever you happen to be thinking about at the time, drown out all
other conversation, then scream "discrimination" when folks tell you
you're being rude.

        To continue the party analogy, suppose instead of forcing
your way into each group you stood on the outskirts a while and
listened to the conversation.  Then you gradually began to add
comments relevant to the discussion.  Then you began to tell
people your opinion of the issues they were discussing; they
would probably be less inclined to look badly on your intrusion.
Note that you are still intruding.  And that it would still be
considered rude to offer to sell products or services to the
guests even if the products and services were relevant to the
discussion.  You are in the wrong venue and you need to find
the right one.

        Lots of spammers act as if their behavior can be
forgiven by beginning their messages with an apology, or by
personalizing their messages with the recipient's real name, or
by using a number of ingratiating techniques.  But much like the
techniques used by Uriah Heep in Dickens' _David Copperfield_, these
usually have an effect opposite to the one intended.  Poor excuses
("It's not illegal" "This will be the only message you receive"
"This is an ad" "It's easy to REMOVE yourself from our list") are
still excuses. Moreover, they are likely to make the recipient MORE
aggravated rather than less aggravated.

        In particular, there are two very severe problems with believing
that a "remove" feature to stop future mail helps:  (1) Careful tests
have been done with sending remove requests for "virgin" email accounts
(that have never been used anywhere else).  In over 80% of the cases, this
resulted in a deluge of unsolicited email, although usually from other
sources than the one the remove was sent to.  In other words, if you
don't like unsolicited mail, you should think carefully before using
a remove feature because the evidence is that it will result in more
mail not less.  (2) Even if it did work, it would not stop lots
of new unsolicited email every day from new businesses that hadn't
mailed before.

4a. ACK!  I'VE BEEN SPAMMED - NOW WHAT?

        It's unpleasant to receive mail which you do not want.  It's
even more unpleasant if you're paying for connect time to download it.
And it's really unpleasant to receive mail on topics which you find
offensive.  Now that you're good and mad, what's an appropriate
response?

        First, you always have the option to delete it and get on with
your life.  This is the easiest and safest response.  It does not
guarantee you won't get more of the same in the future, but it does
take care of the current problem.  Also, if you do not read your
mail on a regular basis it is possible that your complaint is
much too late to do any good.

        Second, you may consider sending the mail back to the originator
objecting to your being on the mailing-list; however, we recommend against
this.  First, a lot of spammers disguise who they are and where their
mail comes from by forging the mail headers.  Unless you are very
experienced at reading headers discovering the true origin of the mail
will probably prove difficult.  Although you can engage your local
support staff to help you with this, they may have much higher priorities
(such as setting up site-wide filters to prevent spam from entering
the site).  Second, responding to this email will simply verify your
address as valid and make your address more valuable for other (ab)uses.
(As was mentioned above in Section 3).  Third, even if the two
previous things do not happen, very probably your mail will be
directed to the computer equivalent of a black hole (the bit-bucket).

        As of the writing of this document, there are several
pieces of pending legislation in several jurisdictions about
the sending of unsolicited mail and also about forging headers.
If forging of headers should become illegal, then responding
to the sender is less risky and may be useful.

        Certainly we advocate communicating to the originator
(as best as you can tell) to let them know you will NOT be buying
any products from them as you object to the method they have chosen
to conduct their business (aka spam).  Most responses through media
other than electronic mail (mostly by those who take the time to
phone the included "800" (free to the calling party in the U.S.) phone
numbers) have proved somewhat effective.  You can also call the business the
advertisement is for, ask to speak to someone in authority, and
then tell them you will never buy their products or use their
services because their advertising mechanism is spam.

        Next, you can carbon copy or forward the questionable mail messages
or news postings to your postmaster.  You can do this
by sending mail To:  Postmaster@your-site.example.  Your postmaster
will be an expert at reading mail headers and will be able to tell
if the originating address is forged.  He or she may be able to
pinpoint the real culprit and help close down the site.

                        *** IMPORTANT ***
        Wherever you send a complaint, be sure to include the full
headers.  (Most mail and news programs don't display the full headers
by default.) For mail it is especially important to show the
Received: headers; for Usenet news, the Path: header, as these normally
show the route by which the mail or news was delivered.  Without them,
it's impossible to even begin to tell where the message originated.
See the appendix for an example of a mail header.
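To make the point about Received: headers concrete, here is an added example (not the draft's appendix, and not code from the working group) that reads the Received: chain of a constructed message the way a postmaster would: bottom-up, trusting only the lines stamped by MTAs you operate, and checking whether the From: domain shows up anywhere along the route.  The sample message, the host names and addresses, and the set of "own" MTAs are all assumptions constructed for the example.

```python
import email
import email.utils
import re

# Constructed sample message (an assumption for this example, not the
# draft's appendix).  Received: lines are read bottom-up: the lowest one
# is the first hop, the topmost is the last MTA before delivery.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.com (8.8.8/8.8.8) with ESMTP id AAA123 for <user@example.com>; Mon, 26 Oct 1998 10:46:59 -0800 (PST)
Received: from dialup-77.isp.example (dialup-77.isp.example [198.51.100.77]) by relay.example.net (8.8.6/8.8.5) with SMTP id KAA001; Mon, 26 Oct 1998 10:36:13 -0800 (PST)
From: friendly@trusted.example
To: user@example.com
Subject: hello

Test body.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Return the Received: hops in delivery order (origin first).

    Each hop records the name the sending host announced (HELO), the
    name and address the receiving MTA actually observed, and which MTA
    wrote the line."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if m is None:
            # "Received: by host ..." with no "from": the message was
            # injected locally on that host rather than handed over via SMTP.
            b = BY_RE.search(flat)
            hops.append({"helo": None, "seen_as": None, "ip": None,
                         "by": b.group("by") if b else None})
            continue
        paren = m.group("paren") or ""
        ip = IP_RE.search(paren)
        hops.append({"helo": m.group("helo"),
                     "seen_as": paren.split()[0] if paren else None,
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def last_verifiable_hop(hops, own_mtas):
    """Only lines written by MTAs you operate can be trusted; everything
    below them may have been forged by the sender.  Return the earliest
    hop stamped by one of your own MTAs, i.e. the connecting host your
    servers really saw."""
    for hop in hops:                            # chronological order
        if hop["by"] in own_mtas:
            return hop
    return None


def from_domain_in_chain(raw):
    """Does the From: domain appear anywhere in the Received: chain?
    A 'no' is not proof of forgery (mail is often relayed), but it is
    the first thing a postmaster looks at."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return False
    for hop in parse_received(raw):
        for key in ("helo", "seen_as", "by"):
            if hop[key] and hop[key].lower().endswith(domain):
                return True
    return False


if __name__ == "__main__":
    for i, hop in enumerate(parse_received(SAMPLE), 1):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    print("From: domain seen in chain:", from_domain_in_chain(SAMPLE))
```

The design choice worth noting is `last_verifiable_hop`: anything below the line your own MTA wrote is text the sender controlled, so a complaint should be built on the host your server actually talked to, not on the lowest line in the chain.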

        Your own organization or your local Internet Service Provider
may have the ability to block unwanted mail at their mail relay
machines.  If your postmaster wants to know about unsolicited
mail, be sure s/he gets a copy, including headers.  You will need to
find out the local policy and comply.

        If your personal mailer allows you to write rules, write
a rule which sends mail from the originator of the unwanted mail to
the trash.  You may also consider writing other rules based on other
headers if you are sure the probability of them being activated for
non-spam is low enough.  That way, although you still have to pay to
download it, you won't have to read it!
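The caveat in the paragraph above, that a header rule is only safe when it rarely fires on legitimate mail, is easy to check before installing a rule.  The following is an added example, not code from the draft, that scores a few candidate rules against a small hand-labelled mailbox and keeps only those within a false-positive budget.  The messages, the rule patterns and the X-Mailer values are all constructed for the example.

```python
import email
import re

# Constructed mailbox sample, labelled by hand (an assumption for this
# example; not from the draft).
CORPUS = [
    ("spam", "From: deals@bulk-offers.example\nSubject: MAKE MONEY FAST\nX-Mailer: MassBlast 2.0\n\n..."),
    ("spam", "From: deals@bulk-offers.example\nSubject: Re: your account\nX-Mailer: MassBlast 2.0\n\n..."),
    ("spam", "From: noreply@other-bulk.example\nSubject: FREE trial!!!\nX-Mailer: MassBlast 2.0\n\n..."),
    ("ham", "From: alice@colleague.example\nSubject: Re: draft-07 comments\nX-Mailer: Pine 3.96\n\n..."),
    ("ham", "From: bob@friend.example\nSubject: Free on Friday?\nX-Mailer: Pine 3.96\n\n..."),
    ("ham", "From: list@ietf-run.example\nSubject: Spew Draft\n\n..."),
]

# A rule is (name, header, regex).  The first mirrors the draft's advice
# (match the originator); the others are the riskier header-based kind.
RULES = [
    ("originator", "From", r"@bulk-offers\.example$"),
    ("free-subject", "Subject", r"\bfree\b"),
    ("bulk-mailer", "X-Mailer", r"^MassBlast"),
]


def rule_matches(rule, raw):
    """True if the rule's regex matches the named header of the message."""
    _, header, pattern = rule
    msg = email.message_from_string(raw)
    return re.search(pattern, msg.get(header, ""), re.IGNORECASE) is not None


def score_rules(rules, corpus):
    """Return {rule name: (spam caught, legitimate mail wrongly caught)}."""
    result = {}
    for rule in rules:
        caught = sum(1 for label, raw in corpus
                     if label == "spam" and rule_matches(rule, raw))
        wrongly = sum(1 for label, raw in corpus
                      if label == "ham" and rule_matches(rule, raw))
        result[rule[0]] = (caught, wrongly)
    return result


def safe_rules(rules, corpus, max_false_positives=0):
    """Keep only the rules whose false-positive count on your own
    legitimate mail is within the limit you are willing to accept."""
    scores = score_rules(rules, corpus)
    return [r for r in rules if scores[r[0]][1] <= max_false_positives]


if __name__ == "__main__":
    for name, (caught, wrongly) in score_rules(RULES, CORPUS).items():
        print(f"{name}: caught {caught} spam, misfired on {wrongly} legitimate")
    print("rules to install:", [r[0] for r in safe_rules(RULES, CORPUS)])
```

On this sample the subject-word rule misfires on a friend's "Free on Friday?" and is dropped, while the originator rule and the mailer-signature rule survive; the same scoring works on a real mailbox once the labels come from your own reading rather than a constructed list.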

        There is lively and ongoing debate about the validity of
changing one's email address in a Web Browser in order to have
Netnews posts and email look as if it is originating from some
spot other than where it does originate.  The reasoning behind this
is that web email address harvesters will not be getting a real
address when they encounter these.  There is reason on both sides
of this debate:  If you change your address, you will not be as
visible to the harvesters, but if you change your address, real
people who need to contact you will be cut off as well.  Also, if
you are using the Internet through an organization such as a
company, the company may have policies about "forging" addresses -
even your own!  Most people agree that the consequences of changing
your email address on your browser or even in your mail headers
are fairly dangerous and will nearly guarantee your mail goes into
a black hole unless you are very sure you know what you are doing.

        Finally, DO NOT respond by sending back large volumes of
unsolicited mail.  Two wrongs do not make a right; do not become
your enemy; and take it easy on the network.  While the legal status
of spam is uncertain, the legal status (at least in the U.S.) of a
"mail bomb" (large numbers and/or sizes of messages to the site with
the intent of disabling or injuring the site) is pretty clear:
it is criminal.

        There is a web site called www.abuse.net which allows you
to register, then to send your message to the name of the
offending-domain@abuse.net, which will re-mail your message
to the best reporting address for the offending domain.  It also
contains good tips for reporting abuse netnews or email messages.
It also has some automated tools you may download to help you
filter your messages.  Also check CIAC bulletin
I-005 at http://ciac.llnl.gov/ciac/bulletins/i-005c.shtml or at
http://spam.abuse.net/spam/tools/mailblock.html.

        Check the Appendix for a detailed explanation of tools
and methodology to use when trying to chase down a spammer.

4b. THERE'S A SPAM IN MY GROUP!

        Netnews is also subject to spamming.  Here several factors
help to mitigate against the propagation of spam in news,
although they don't entirely solve the problem.  Newsgroups
and mailing lists may be moderated, which means that a moderator
approves all mail/posts.  If this is the case, the moderator
usually acts as a filter to remove unwanted and off-topic
posts/mail.

        In Netnews there are programs which detect posts which
have been sent to multiple groups or which detect multiple posts
from the same source to one group.  These programs cancel the posts.
While these work and keep unsolicited posts down, they are not 100%
effective and spam in newsgroups seems to be growing at an even
faster rate than spam in mail or on mailing lists.  After all, it's
much easier to post to a newsgroup for which there are thousands of
readers than it is to find individual email addresses for all those
folks.  Hence the development of the "cancelbots" (sometimes called
"cancelmoose") for Netnews groups.  Cancelbots are triggered when
one message is sent to a large number of newsgroups or when many
small messages are sent (from one sender) to the same newsgroup.
In general these are tuned to the "Breidbart Index" [3] which is a
somewhat fuzzy measure of the interactions of the number of
posts and number of groups.  This is fuzzy purposefully, so that
people will not post a number of messages just under the index
and still "get away with it."  And as noted above, the cancel
messages have reached such a volume now that a lot of News
administrators are beginning to write filters rather than send
cancels.  Still spam gets through, so what can a concerned netizen
do?

        If there is a group moderator, make sure s/he knows that
off-topic posts are slipping into the group.  If there is no
moderator, you could take the same steps for dealing with news
as are recommended for mail with all the same caveats.

        A reasonable printed reference one might obtain has been
published by O'Reilly and Associates, _Stopping Spam_, by
Alan Schwartz and Simson Garfinkel [4].  This book also has
interesting histories of spammers such as Cantor and Siegel,
and Jeff Slaton.  It gives fairly clear instructions for filtering
mail and news.



5. HELP FOR BELEAGUERED ADMINS

        As a system administrator, news administrator, local Postmaster,
or mailing-list administrator, your users will come to you for help
in dealing with unwanted mail and posts.  First, find out what your
institution's policy is regarding unwanted/unsolicited mail.  It is
possible that it won't do anything for you, but it is also possible to
use it to justify blocking a domain which is sending particularly
offensive mail to your users.  If you don't have a clear policy,
it would be really useful to create one.  If you are a mailing-list
administrator, make sure your mailing-list charter forbids off-topic
posts. If your internal-only newsgroups are getting spammed from
the outside of your institution, you probably have bigger security
problems than just spam.

        Make sure that your mail and news transports are configured to
reject messages injected by parties outside your domain.
Recently misconfigured Netnews servers have become subject to hijacking
by spammers.  SMTP source routing <@relay.host:user@dest.host>
is becoming deprecated due to its overwhelming abuse by spammers.
You should configure your mail transport to reject relayed messages
(when neither the sender nor the recipient are within your domain).
Check http://www.sendmail.org/ under the "Anti-Spam" heading.
Your firewall should prohibit SMTP (mail) and NNTP (news)
connections from clients within your domain to outside
servers.  If your firewall is a gateway host that itself
contains an NNTP server ensure that it is configured so it
does not allow access from external sites except your news
feeds.  If your firewall acts as a proxy for an external
news-server ensure that it does not accept NNTP connections
other than from your internal network.  Both these potential
holes have recently been exploited by spammers.
Ensure that messages generated within your domain
have proper identity information in the headers, and users
cannot forge headers.   Be sure your headers have all the
correct information as stipulated by RFC 822 [5] and RFC 1123 [6].
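The relay rule in the paragraph above (reject when neither sender nor recipient is within your domain, and refuse source-routed addresses) can be written down as a small policy function.  This is an added example, not sendmail's configuration and not code from the draft; the local domains, the internal netblock and the decision strings are constructed for it.  It goes one step beyond the draft's sender/recipient test: because the envelope sender is trivially forged (as the draft itself notes), a local sender domain is only honoured when the connecting client is inside the internal network or has authenticated.

```python
import ipaddress
import re

# Constructed site configuration (an assumption, not from the draft).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Old-style SMTP source route, <@relay.host:user@dest.host>, which the
# draft says to reject outright.
SOURCE_ROUTE_RE = re.compile(r"^@[^:]+:")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if it has none."""
    addr = address.strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def relay_decision(sender, recipient, client_ip, authenticated=False):
    """Decide at RCPT TO time whether to accept the envelope.

    Accept when the recipient is local (we are the destination), or when
    the sender is local AND the client is demonstrably ours (internal
    address or authenticated session).  Anything else is third-party
    relaying and is refused.  Returns (accept?, reason)."""
    rcpt = recipient.strip("<>")
    if SOURCE_ROUTE_RE.match(rcpt):
        return (False, "source routing not permitted")
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return (True, "local delivery")
    ip = ipaddress.ip_address(client_ip)
    client_is_ours = authenticated or any(ip in net for net in LOCAL_NETS)
    if client_is_ours and domain_of(sender) in LOCAL_DOMAINS:
        return (True, "outbound from our own user")
    # A local-looking sender from an outside address is exactly the forged
    # envelope the draft warns about, so it falls through to rejection.
    return (False, "relaying denied")


if __name__ == "__main__":
    # Constructed envelopes: outside-to-outside relay attempt, inbound
    # mail, a real user sending out, and a forged local sender from outside.
    cases = [
        ("spam@outside.example", "victim@elsewhere.example", "203.0.113.5", False),
        ("spam@outside.example", "user@example.com", "203.0.113.5", False),
        ("alice@example.com", "bob@elsewhere.example", "192.0.2.40", False),
        ("alice@example.com", "bob@elsewhere.example", "203.0.113.5", False),
        ("x@a.example", "<@relay.example:user@dest.example>", "203.0.113.5", False),
    ]
    for sender, rcpt, ip, auth in cases:
        ok, why = relay_decision(sender, rcpt, ip, auth)
        print(f"{'ACCEPT' if ok else 'REJECT'} {sender} -> {rcpt} from {ip}: {why}")
```

The check belongs at RCPT TO rather than after DATA so that a relay attempt is refused before any message body is accepted and queued.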

        If you are running a mailing-list, be sure to allow
postings by subscribers only.  Make sure your charter forbids
any off-topic posts.  There is another spam-related problem with
mailing-lists which is that spammers like to retaliate on those who
work against them by mass-subscribing their enemies to mailing-lists.
Your mailing-list software should require confirmation of the
subscription, and only then should the address be subscribed.
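Both recommendations in the paragraph above, subscriber-only posting and confirmed subscription, fit in one small piece of list logic.  The following is an added example, not the code of any list manager and not from the draft: a subscribe request only produces a time-limited HMAC token that is mailed to the address, the address is added when that token comes back, and posting is gated on the confirmed set.  The list name, secret, lifetime and addresses are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed list configuration; in real list software the secret would
# live in the configuration, not in source.
LIST_NAME = "ietf-run-demo"
SECRET = b"constructed-example-secret-not-for-production"
TOKEN_TTL = 3 * 24 * 3600          # a confirmation must arrive within three days

subscribers = set()                # confirmed addresses; only these may post


def _mac(address, expires):
    """HMAC over list name, address and expiry, so a token for one address
    or one list cannot be replayed for another."""
    msg = f"{LIST_NAME}:{address.lower()}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_subscription(address, now=None):
    """Step 1: a subscribe request arrives, possibly sent by a third party
    to mass-subscribe someone else.  Nothing is subscribed yet; the token
    returned here is what gets mailed to the address, so only someone who
    can read that mailbox can finish the subscription."""
    now = int(now if now is not None else time.time())
    expires = now + TOKEN_TTL
    return f"{expires}.{_mac(address, expires)}"


def confirm_subscription(address, token, now=None):
    """Step 2: the token comes back.  Subscribe only if it is unexpired and
    its MAC matches; the comparison is constant-time."""
    now = int(now if now is not None else time.time())
    try:
        expires_str, mac = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if expires < now:
        return False
    if not hmac.compare_digest(mac, _mac(address, expires)):
        return False
    subscribers.add(address.lower())
    return True


def may_post(sender):
    """Subscriber-only posting: an unconfirmed or unknown sender is refused."""
    return sender.lower() in subscribers


if __name__ == "__main__":
    token = request_subscription("user@example.org")
    print("may post before confirming:", may_post("user@example.org"))
    print("confirmed:", confirm_subscription("user@example.org", token))
    print("may post after confirming:", may_post("user@example.org"))
```

Because the token is bound to the address and to the list, a confirmation mail that a retaliating spammer never sees cannot be completed, which is exactly what defeats the mass-subscription attack the draft describes.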

        If you have the capability (are running a mail transfer agent
which allows it) consider blocking persistent offending sites from
ever getting mail into your site.  Be careful not to block out
sites for which you run MX records!  It is a well-known
problem that offenders create domains more quickly than postmasters
can block them.  Also, help your users learn enough about their
mailers so that they can write rules to filter their own mail, or
provide rules and kill files for them to use.

        There is information about how to "blackhole"
netblocks at maps.vix.com.  There is information about how
to configure sendmail available at www.sendmail.org.  Help on
these problems is also available at spam.abuse.net.

        Use well-known Internet tools, such as whois and traceroute
to find which ISP is serving your problem site.  Notify the
postmaster/abuse (abuse@offending-domain.example) address that
they have an offender.  Be sure to pass on all header information
in your messages to help them with tracking down the offender.  If
they have a policy against using their service to post unsolicited
mail they will need more than just your say-so that there is a problem.
Also, the "originating" site may be a victim of the offender as well.
It's not unknown for those sending this kind of mail to bounce their
mail through dial-up accounts, or off unprotected mail servers at
other sites.  Use caution in your approach to those who look like
the offender.

        News spammers use similar techniques for sending spam to the
groups.  They have been known to forge headers and bounce posts off
"open" news machines and remailers to cover their tracks.  During
the height of the infamous David Rhodes "Make Money Fast" posts,
it was not unheard of for students to walk away from terminals which
were logged in, and for sneaky folks to then use their accounts
to forge posts, much to the later embarrassment of both the student
and the institution.

        One way to lessen problems is to avoid using mail-to
URLs, which allow email addresses to be easily harvested by
those institutions grabbing email addresses off the web.  If you
need to have an email address prevalent on a web page, consider using
a cgi script to generate the mailto address.

        Participate in mailing lists and news groups which discuss
unsolicited mail/posts and the problems associated with it.
News.admin.net-abuse.misc is probably the most well-known
of these.


6. WHAT'S AN ISP TO DO

        As an ISP, you first and foremost should decide what your stance
against unsolicited mail and posts should be.  If you decide not to
tolerate unsolicited mail, write a clear acceptable use
policy which states your position and delineates consequences for
abuse.  If you state that you will not tolerate use of your resource
for unsolicited mail/posts, and that the consequence will be loss
of service, you should be able to cancel offending accounts relatively
quickly.  (Verifying, of course, that the account really IS being
mis-used.)  If you have downstreaming arrangements with other
providers, you should make sure they are aware of any policy you set.
Likewise, you should be aware of your upstream providers' policies.

        Consider limiting access for dialup accounts so they
cannot be used by those who spew.  Make sure your mail servers aren't
open for mail to be bounced off them (except for legitimate users).
Make sure your mail transfer agents are the most up-to-date
version (which pass security audits) of the software.

        Educate your users about how to react to spew and spewers.
Make sure instructions for writing rules for mailers are clear and
available.  Support their efforts to deal with unwanted mail at
the local level - taking some of the burden from your sys admins.

        Make sure you have an address for abuse complaints.  If
complainers can routinely send mail to "abuse@BigISP.example" and you
have someone assigned to read that mail, workflow will be much
smoother.  Don't require people complaining about spam to use
some unique local address for complaints.  Read and use 'postmaster'
and 'abuse'.  We recommend adherence to RFC 2142, _Mailbox Names
for Common Services, Roles and Functions_ [7].

        Finally, write your contracts and terms and conditions in such
language that allows you to suspend service for offenders, and so that
you can impose a charge on them for your costs in handling the
complaints their abuse generates and/or terminating their account
and cleaning up the mess they make.  Some large ISPs have found
that they can fund much of their abuse prevention staff by imposing
such charges.  Make sure all your customers sign the agreement before
their accounts are activated.  There is a list of "good"
acceptable use policies and terms of service at
http://spam.abuse.net/goodsites/index.html.

        Legally, you may be able to stop spammers and spam relayers,
but this is certainly dependent on the jurisdictions involved.
Potentially, the passing of spam via third party computers, especially
if the headers are forged, could be a criminal action depending on
the laws of the particular jurisdiction(s) involved.  If your site
is being used as a spam relay, be sure to contact local and national
criminal law enforcement agencies.  Site operators may also want to
consider the bringing of civil actions against the spammer for
expropriation of property, in particular the computer time and
network bandwidth.  In addition, when a mailing list is involved,
there is a potential intellectual property rights violation.

        There are a few law suits in the courts now which claim
spammers interfered with and endangered network connectivity.
At least one company is attempting to charge spammers for the
use of its networks (www.kclink.com/spam/).

7. SECURITY CONSIDERATIONS

        Certain actions to stop spamming may cause problems for
legitimate users of the net.  There is a risk that filters to stop
spamming will unintentionally stop legitimate mail too.  Overloading
postmasters with complaints about spamming may cause trouble for the
wrong person, someone who is not responsible for and cannot do
anything to stop the spamming activity, or it may cause trouble out of
proportion to the abuse you are complaining about.  Be sure to
exercise discretion and good judgment in all these cases.  Check your
local escalation procedure.  The Site Security Handbook [2] can help
define an escalation procedure if your site does not have one.

        The ability to trace spam via logs or message headers depends
on the security of the underlying network: measures against DNS and IP
spoofing make that information more reliable.  Spammers can and will
exploit obvious security weaknesses, especially in NNTP servers.  This
can lead to denial of service, either from the sheer volume of posts or
as a result of action taken by upstream providers.

8. ACKNOWLEDGMENTS

        Thanks for help from the IETF-RUN working group, and also
to all the spew-fighters.  Specific thanks are due to J.D. Falk,
whose very helpful Anti-spam FAQ proved valuable.  Thanks are also
due to the vigilance of Scott Hazen Mueller and Paul Vixie, who
run spam.abuse.net/, the Anti-spam web site. Thanks also
to Jacob Palme, Chip Rosenthal, Karl Auerbach for specific
text: Jacob for the Security Considerations section, Chip
for the configuration suggestions in section 5, Karl for the
legal considerations.  Andrew Gierth was very helpful with
Netnews spam considerations.  And thanks to Gary Malkin for
proofing and formatting.


9. REFERENCES

[1] See for example spam-l@peach.ease.lsoft.com

[2] Fraser, B. _Site Security Handbook, RFC 2196_,
    September 1997.  Available via anonymous ftp at
    ftp://ftp.isi.edu/in-notes/rfc2196.txt

[3] Lewis, Chris and Tim Skirvin. _Current Spam thresholds and
    guidelines_.  http://www.uiuc.edu/~tskirvin/spam.html.

[4] Schwartz, Alan and Simson Garfinkel. _Stopping Spam_.
    O'Reilly and Associates, 1998.

[5] Crocker, D. _Standard for the format of ARPA Internet
    text messages; RFC 0822,_ August, 1982.  Available via anonymous
    ftp at:
    ftp://ftp.isi.edu/in-notes/rfc822.txt.

[6] Braden, R.T. _Requirements for Internet hosts - application
    and support; RFC 1123,_ October, 1989.  Available via anonymous
    ftp at:
    ftp://ftp.isi.edu/in-notes/rfc1123.txt.


[7] Crocker, D. _Mailbox Names for Common Services, Roles
    and Functions; RFC 2142,_ May, 1997.  Available via anonymous
    ftp at:
    ftp://ftp.isi.edu/in-notes/rfc2142.txt.

* Spam is a name of a meat product made by Hormel.  "spam" (no
capitalization) is routinely used to describe unsolicited bulk
email and netnews posts.

10. APPENDIX - HOW TO TRACK DOWN SPAMMERS

        In a large proportion of spams today, complaining to the
postmaster of the site that is the apparent sender of a message will
have little effect because either the headers are forged to disguise
the source of the message, or the senders of the message run their
own system/domain, or both.

        As a result, it may be necessary to look carefully at the
headers of a message to see what parts are most reliable, and/or to
complain to the second or third-level Internet providers who provide
Internet service to a problem domain.

        In many cases, getting reports with full headers from various
recipients of a spam can help locate the source.  In extreme cases of
header forgery, only examination of logs on multiple systems can trace
the source of a message.

        With only one message in hand, one has to make an educated guess
as to the source. The following are only rough guidelines.

        In the case of mail messages, "Received:" headers added by
systems under control of the destination organization are most likely
to be reliable.  You can't trust what the source domain calls itself,
but you can usually use the source IP address, since the receiving
server records it from the actual network connection rather than from
anything the sender says.

        In naive mail forgeries, the "Message-ID:" header may show the
first SMTP server to handle the message and/or the "Received:"
headers may all be accurate, but neither can be relied on.
Be especially wary when the Received: headers have other headers
intermixed.  Normally, Received: headers are all together in a block,
and when split up, one or the other blocks is probably forged.

        In the case of news messages, some part of the Path: header may
be a forgery; only reports from multiple sites can make this clear.
In naive news forgeries, the "NNTP-Posting-Host:" header shows the
actual source, but this can be forged too.

        If a spam message advertises an Internet server like a WWW
site, that server must be connected to the network to be usable.
Therefore that address can be traced.  It is appropriate to complain
to the ISP hosting a web site advertised in a spam, even if the
origin of the spam seems to be elsewhere.  Be aware, however, that the
spam could be an attack on the advertised site: the perpetrator knows
the site will be deluged with complaints and its reputation damaged.
Any spam with an electronic address in it is suspect, because most
spammers know they're unwelcome and won't make themselves so readily
accessible.

Here is an example mail header:

----

>From friendlymail@209.214.12.258.com Thu Feb 26 20:32:47 1998
Received: from clio.sc.intel.com by Ludwig.sc.intel.com (4.1/SMI-4.1)
        id AA05377; Thu, 26 Feb 98 20:32:46 PST
Received: from 209.214.12.258.com (209.214.12.258.com [208.26.102.16])
        by clio.sc.intel.com (8.8.6/8.8.5) with ESMTP id UAA29637
        for <sallyh@ludwig.sc.intel.com>; Thu, 26 Feb 1998 20:33:30 -0800 (PST)
Received: ok
X-Sender: promo1@gotosportsbook.com
X-Advertisement: <a href="http://www.opt-out.com">Click here to be removed.</a>
Date: Thu, 26 Feb 1998 23:23:03 -0500
From: Sent By <promo1@gotosportsbook.com>
Reply-To: Sent By <promo1@gotosportsbook.com>
To: friend@bulkmailer
Subject: Ad: FREE $50 in Sportsbook & Casino
X-Mailer: AK-Mail 3.0b [eng] (unregistered)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: friendlymail@aqua.258.com
Message-Id: <bulk.6508.19980226232535@aqua.258.com>
Status: R

----
        Running traceroute against an IP address or host name shows
which domains provide IP connectivity between you and that address.

        Using whois and nslookup, one can try to determine who is
administratively responsible for a domain.

        In simple cases, a user of a responsible site may be exploiting
an account or a weakness in dial-up security; in those cases a
complaint to a single site may be sufficient. However, it may be
appropriate to complain to more than one domain, especially when
it looks like the spammers run their own system.

        If you look at the traceroute to an address, you will normally
see a series of domains between you and that address, with one or more
wide-area/national Internet Service Providers in the middle and "smaller"
networks/domains on either end. It may be appropriate to complain to the
domains nearer the source, up to and including the closest wide-area ISP.
However, this is a judgement call.

        If an intermediate site appears to be a known, responsible
domain, stopping your complaints at this point makes sense.



Author Information
Sally Hambridge
Intel Corp, SC11-321
2200 Mission College blvd
Santa Clara, CA 95052
sallyh@ludwig.sc.intel.com

Albert Lunde
Northwestern University
2129 Campus Drive North
Evanston, IL 60208
Albert-Lunde@nwu.edu

