Next iteration of draft....

Sally Hambridge <sallyh@ludwig.sc.intel.com> Fri, 20 June 1997 22:04 UTC

Message-ID: <9706202155.AA26596@Ludwig.sc.intel.com>
Date: Fri, 20 Jun 1997 14:55:25 -0700
Reply-To: IETF-RUN <IETF-RUN@mailbag.jf.intel.com>
Sender: IETF-RUN <IETF-RUN@mailbag.jf.intel.com>
From: Sally Hambridge <sallyh@ludwig.sc.intel.com>
Subject: Next iteration of draft....
To: IETF-RUN@mailbag.jf.intel.com

IETF-Runners - here's the next iteration of our draft.
If there are no major objections by Wednesday June 25, I'd like
to send it to the i-d editor.

Sally
sallyh@ludwig.sc.intel.com
==========


IETF RUN Working Group                        Sally Hambridge
Internet-Draft                                Intel Corp. SC11-321
draft-ietf-run-spew-01.txt                    2200 Mission College Blvd
Expires September, 1997                       Santa Clara, CA 95070


                                DON'T SPEW
                 A Set of Guidelines for Mass Unsolicited
                         Mailings and Postings (Spam*)

Status of This Memo

     This document is an Internet-Draft.  Internet-Drafts are working
     documents of the Internet Engineering Task Force (IETF), its
     areas, and its working groups.  Note that other groups may also
     distribute working documents as Internet-Drafts. Comments on this
     draft should be sent to ietf-run@mailbag.intel.com.

     Internet-Drafts are draft documents valid for a maximum of six
     months and may be updated, replaced, or obsoleted by other
     documents at any time.  It is inappropriate to use Internet-
     Drafts as reference material or to cite them other than as
     ``work in progress.''

     To learn the current status of any Internet-Draft, please check
     the ``1id-abstracts.txt'' listing contained in the Internet-
     Drafts Shadow Directories on ftp.is.co.za (Africa),
     nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
     ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast).

Abstract

This document explains why mass unsolicited electronic mail
messages are not useful in the Internetworking community.  It gives
a set of guidelines for dealing with unsolicited mail for users,
for system administrators, news administrators, and mailing list
managers.  It also makes suggestions Internet Service Providers
might follow.

1. Introduction

        The Internet's origins in the Research and Education
communities played an important role in the foundation and formation
of Internet culture.  This culture defined rules for network etiquette
(netiquette) and communication based on the Internet's being relatively
off-limits to commercial enterprise.

        As we know, this all changed when the US Government was no longer
the primary funding body for the US Internet, when the Internet truly
went global, and when all commercial enterprises were allowed to
obtain Fully Qualified Domain Names.  Internet culture had become
deeply embedded in the protocols the network used.  Although
the social context has changed, the technical limits of the
Internet protocols still require a person to enforce certain
limits on resource usage for the 'Net to function effectively.
Strong authentication was not built into the News and Mail protocols.
There was no end-to-end cost accounting and/or cost recovery.
Bandwidth is shared among all traffic without resource
reservation (although this is changing).

        Unfortunately for all of us, the culture so carefully nurtured
through the early years of the Internet was not fully transferred to all
those new entities hooking into the bandwidth.  Many of those entities
believe they have found a paradise of thousands of potential customers
each of whom is desperate to learn about stunning new business
opportunities.  Alternatively, some of the new netizens believe
all people should at least hear about the one true religion or
political party or process.

        While there may be thousands of folks desperate for any
potential message, mass mailings or Netnews postings are not at
all appropriate on the 'Net.  This document explains why mass
unsolicited email and Netnews posting (aka spam*) is bad, what to
do if you get it, what webmasters, postmasters, and news admins can
do about it, and how an Internet Service Provider might respond to it.

2. WHAT IS SPAM*?
        The term "spam" as it is used to denote mass unsolicited
mailings or netnews postings derives from a Monty Python sketch
set in a movie/tv studio cafeteria.  During that sketch, the word
"spam" takes over each item offered on the menu until the entire
dialogue consists of nothing but "spam spam spam spam spam spam
and spam".  This so closely resembles what happens when mass
unsolicited mail and posts take over mailing lists and netnews groups
that the term has been pushed into common usage in the Internet
community.

        When unsolicited mail is sent to a mailing list and/or
news group it frequently generates more hate mail to the list
or group by people who do not realize the source of the mail.
If the mailing contains suggestions for removing your name from
a mailing list, 10s to 100s of people will respond to the list
with "remove" messages meant for the originator. So, the original
message (spam) creates more unwanted mail (spam spam spam spam),
which generates more unwanted mail (spam spam spam spam spam spam
and spam.)  Similar occurrences are perpetuated in newsgroups, but
this is held somewhat in check by "cancelbots" (programs which
cancel postings) triggered by mass posting.

3. WHY MASS MAILING IS BAD
        In the world of paper mail we're all used to receiving
unsolicited circulars, advertisements, and catalogs.  Generally
we don't object to this - we look at what we find of interest, and
we discard/recycle the rest.  Why should receiving unsolicited
email be any different?

        The answer is that the cost model is different.  In the
paper world, the cost of mailing is borne by the sender.  The sender
must pay for the privilege of creating the ad and the cost of mailing
it to the recipient.  In the world of electronic communications, the
recipient bears the majority of the cost.  Yes, the sender still has
to compose the message and the sender also has to pay for Internet
connectivity.  However, the recipient ALSO has to pay for Internet
connectivity and possibly also connect time charges, so for electronic
mailings the recipient is expected to help share the cost of the
mailing.

        Of course, this cost model is very popular with those looking
for cheap methods to get their message out.  By the same token, it's
very unpopular with people who have to pay for their messages just to
find that their mailbox is full of junk mail.  Consider this: if you
had to pay for receiving paper mail would you pay for junk mail?

        Frequently spammers indulge in unethical behavior such as
using mail servers which allow mail to be relayed to send huge amounts
of electronic solicitations.  Or they forge their headers to make it
look as if the mail originates from a different domain.  These
kinds of people don't care that they're intruding into a personal
or business mailbox nor do they care that they are using other
people's resources without compensating them.

        But what about free speech?  Doesn't the US Constitution
guarantee the ability to say whatever one likes?  First, the
US Constitution is law only in the US, and the Internet is global.
There are places your mail will reach where free speech
is not a given.  Second, the US Constitution does NOT guarantee
one the right to say whatever one likes.  The example of yelling
"FIRE" in a crowded theater comes to mind.  In general, the US
Constitution refers to political freedom of speech and not to
commercial freedom of speech. Finally, there are laws
which govern other areas of electronic communication, namely the "junk
fax" laws.  Although these have yet to be applied to electronic mail
they are still an example of the "curbing" of "free speech." Free
speech does not, in general, require other people to spend
their money and resources to deliver your message.

        The crux of sending large amounts of unsolicited mail and
news is not a legal issue so much as an ethical one.  If you are
tempted to send unsolicited "information" ask yourself these
questions:  "Whose resources is this using?"  "Did they consent
in advance?"  "What would happen if everybody (or a very large
number of people) did this?" "How would I feel if 90% of the mail
I received was advertisements for stuff I didn't want?" "How would
I feel if 95% of the mail I received was advertisements for stuff
I didn't want?"  "How would I feel if 99% of the mail I received
was advertisements for stuff I didn't want?"

        Although hard numbers on the volume and rate of increase
of spam are not easy to find, seat-of-the-pants estimates from the
people on the spam mailing list [1] indicate that unsolicited
mail/posts seems to be following the same path of exponential growth as
the Internet as a whole [2].  This is NOT encouraging, as this
kind of increase puts a strain on servers, connections, routers,
and the bandwidth of the Internet as a whole.

        Finally, sending large volumes of unsolicited email or posting
voluminous numbers of Netnews postings is just plain rude.  Consider
the following analogy:  suppose you discovered a large party going on
in a house on your block.  Uninvited, you appear, then join each group
in conversation, force your way in, SHOUT YOUR OPINION of whatever you
happen to be thinking about at the time, drown out all other conversation,
then scream "discrimination" when folks tell you you're being rude.

        To continue the party analogy, suppose that instead of forcing
your way into each group you stood on the outskirts a while and
listened to the conversation.  Then you gradually began to add
comments relevant to the discussion.  Then you began to tell
people your opinion of the issues they were discussing.  They
would probably be less inclined to look badly on your intrusion.
Note that you are still intruding.  And that it would still be
considered rude to offer to sell products or services to the
guests even if the products and services were relevant to the
discussion.  You are in the wrong venue and you need to find
the right one.

4a. ACK!  I'VE BEEN SPAMMED - NOW WHAT?

        It's unpleasant to receive mail which you do not want.  It's
even more unpleasant if you're paying for connect time to download it.
And it's really unpleasant to receive mail on topics which you find
offensive.  Now that you're good and mad, what's an appropriate
response?

        First, you always have the option to delete it and get on with
your life.  This is the easiest and safest response.  It does not
guarantee you won't get more of the same in the future, but it does
take care of the current problem.

        Second, send the mail back to the originator objecting to your
being on the mailing-list.  (Check the headers carefully to find
this information.  Get your local support staff to help you if you
do not know how to do this.)  Be aware, though, that many folks who
develop these lists take "Please desist" messages and throw them
away.  Alternatively, they take these messages and create mailing-lists
to sell to others.  Still, it is a way to register your disapproval.

        Next, be sure to carbon copy the postmaster of the
offending site.  You can do this by sending mail To:
Postmaster@offending-site.domain.  Again, many organizations which
send unsolicited mail have this address aliased to go nowhere.
But it can't hurt.  Good sites are now using an "abuse" address for
people to complain about spam.  Send complaints about unsolicited
mail and posts to abuse@offending-site.domain.

        Cc your own postmaster if your organization allows this.
Your organization may have the ability to block incoming unwanted
mail, so it doesn't hurt to let your postmaster know you're getting
unwanted mail.  This is especially true if the mail is offensive.

        If your personal mailer allows you to write rules, write
a rule which sends mail from the originator of the unwanted mail to
the trash.  That way, although you still have to pay to download it,
you won't have to read it!

        Finally, DO NOT respond by sending back large volumes of
unsolicited mail.  Two wrongs do not make a right; do not become
your enemy; and take it easy on the network.

4b. THERE'S A SPAM IN MY GROUP!
        Netnews is also subject to spamming.  Here, several factors
help to mitigate against the propagation of spam in news,
although they don't entirely solve the problem.  Newsgroups
and mailing lists may be moderated, which means that a moderator
approves all mail/posts.  If this is the case, the moderator
usually acts as a filter to remove unwanted and off-topic
posts/mail.

        In Netnews, there are programs which detect posts which
have been sent to multiple groups or which detect multiple posts
from the same source to one group.  These programs cancel the posts.
While these work and keep unsolicited posts down, they are not 100%
effective and spam in newsgroups seems to be growing at an even
faster rate than spam in mail or on mailing lists.  After all, it's
much easier to post to a newsgroup for which there are thousands of
readers than it is to find individual email addresses for all those
folks.  Hence the development of the "cancelbots" (sometimes called
"cancelmoose") for Netnews groups.  Cancelbots are triggered when
one message is sent to a large number of newsgroups or when many
small messages are sent (from one sender) to the same newsgroup.
In general these are tuned to the "Breidbart Index" [3] which is a
somewhat fuzzy measure of the interactions of the number of
posts and number of groups.  This is fuzzy purposefully, so that
people will not post a number of messages just under the index
and still "get away with it." Still, spam gets through, so
what can a concerned netizen do?

        If there is a group moderator, make sure s/he knows that
off-topic posts are slipping into the group.  If there is no
moderator, you could take the same steps for dealing with news
as are recommended for mail with all the same caveats.


5. HELP FOR BELEAGUERED ADMINS

        As a system administrator, news administrator, local Postmaster,
or mailing-list administrator, your users will come to you for help
in dealing with unwanted mail and posts.  First, find out what your
institution's policy is regarding unwanted/unsolicited mail.  It is
possible that it won't do anything for you, but it is also possible to
use it to justify blocking a domain which is sending particularly
offensive mail to your users.  If you don't have a clear policy,
it would be really useful to create one.  If you are a mailing-list
administrator, make sure your mailing-list charter forbids off-topic
posts. If your internal-only newsgroups are getting spammed from
the outside of your institution, you probably have bigger problems
than just spam. (Ref here to Site Sec Handbook??  Gary - your opinion?)

        Make sure that your mail and news transports are configured so
that you don't inadvertently contribute to the spam problem.
Ensure your mail and news transports are configured to reject
messages injected by parties outside your domain.  SMTP source
routing <@relay.host:user@dest.host> is becoming deprecated
due to its overwhelming abuse by spammers.  Consider configuring
your mail transport to reject relayed messages (when neither
the sender nor the recipient is within your domain).  Consider
configuring your firewall to prohibit SMTP (mail) and NNTP
(news) connections from clients within your domain to outside
servers.  Ensure that messages generated within your domain
have proper identity information in the headers, and users
cannot forge headers.

        If you have the capability (are running a mail transfer agent
which allows it) consider blocking well known offending sites from
ever getting mail into your site.  However, it is a well-known
problem that offenders create domains more quickly than postmasters
can block them.  Also, help your users learn enough about their
mailers so that they can write rules to filter their own mail, or
provide rules and kill files for them to use.

        Use well-known Internet tools, such as whois and traceroute
to find which ISP is serving your problem site.  Notify the
postmaster/abuse address that they have an offender.  Be sure to
pass on all header information in your messages to help them with
tracking down the offender.  If they have a policy against using their
service to post unsolicited mail they will need more than just your
say-so that there is a problem.  Also, the "originating" site may be
a victim of the offender as well.  It's not unknown for those sending
this kind of mail to bounce their mail through dial-up accounts, or
off unprotected mail servers at other sites.  Use caution in your
approach to those who look like the offender.

        News spammers use similar techniques for sending spam to the
groups.  They have been known to forge headers and bounce posts off
"open" news machines and remailers to cover their tracks.  During
the height of the infamous David Rhodes "Make money Fast" posts, it
was not unheard of for students to walk away from terminals which were
logged in, and for sneaky folks to then use their accounts to forge
posts.  Much to the later embarrassment of both the student and the
institution.

        Participate in mailing lists and news groups which discuss
unsolicited mail/posts and the problems associated with it.
News.admin.net-abuse.announce is probably the most well-known
of these.

6. WHAT'S AN ISP TO DO

        As an ISP, you first and foremost should decide what your stance
against unsolicited mail and posts should be.  If you decide not to
tolerate unsolicited mail, write a clear acceptable use
policy which states your position and delineates consequences for
abuse.  If you state that you will not tolerate use of your resource
for unsolicited mail/posts, and that the consequence will be loss
of service, you should be able to cancel offending accounts relatively
quickly.  (Verifying, of course, that the account really IS being
mis-used.)  If you have downstreaming arrangements with other
providers, you should make sure they are aware of any policy you set.
Likewise, you should be aware of your upstream providers' policies.

        Consider limiting access for dialup accounts so they
cannot be used by those who spew.  Make sure your mail servers aren't
open for mail to be bounced off them.  Make sure your mail transfer
agents are the most up-to-date version (which pass security audits)
of the software.

        Educate your users about how to react to spew and spewers.
Make sure instructions for writing rules for mailers are clear and
available.  Support their efforts to deal with unwanted mail at
the local level - taking some of the burden from your sys admins.

        Make sure you have an address for abuse complaints.  If
complainers can routinely send mail to "abuse@BigISP.com" and you
have someone assigned to read that mail, workflow will be much
smoother.   And you'll be counted as good Internetworking citizens
as well.

        Finally, write your contracts and terms and conditions in such
language that allows you to suspend service for offenders.  Make sure
all your customers sign it before their accounts are activated.

6. SECURITY
        Certain actions to stop spamming may cause problems to
legitimate users of the net. There is a risk that filters to stop
spamming will unintentionally stop legitimate mail too. Overloading
postmasters with complaints about spamming may cause trouble to
the wrong person, someone who is not responsible for and cannot do
anything to avoid the spamming activity, or it may cause trouble
out of proportion to the abuse you are complaining about.

7. ACKNOWLEDGEMENTS
        Thanks for help from the IETF-RUN working group, and also
to all the spew-fighters.  Specific thanks are due to J.D. Falk,
whose very helpful Anti-spam* FAQ proved helpful.  Thanks are also
due to the vigilance of Scott Hazen Mueller and Paul Vixie, who
run www.spam.abuse.net/, the Anti-spam* web site. Thanks also
to Jacob Palme and Chip Rosenthal for specific text: Jacob for
the Security Considerations section, and Chip for the configuration
suggestions in section 5.

8. REFERENCES
[1] As reported in messages on the spam@zorch.sf.bay.org (private)
    mailing list in May, 1997.

[2]  Holbrook, J.P.; Reynolds, J.K. "Site Security Handbook; RFC 1244,"
     July 1991.  Available via anonymous ftp at
     ftp://ds.internic.net/rfc/rfc1244.txt

[3] _Current Spam thresholds and guidelines_. Lewis, Chris and Tim Skirvan.
    http://www.uiuc.edu/ph/www/tskirvan/spam.html.

* Spam (R) is a registered trademark of a meat product made by Hormel.

Author Information
Sally Hambridge
Intel Corp, SC11-321
2200 Mission College Blvd
Santa Clara, CA 95052
sallyh@ludwig.sc.intel.com
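
The relay policy described in section 5 of the draft (refuse source-routed paths, and refuse mail when neither the sender nor the recipient is within your domain), as an added example in Python that is not part of the original message or draft. The domain example.org, the function names and the sample envelopes are assumptions made for illustration; the check for '%' and '!' in the local part goes beyond the draft's text and covers the other common ways of embedding a route in an address.

```python
# Added example: SMTP envelope relay policy. All names and sample data are assumptions.
LOCAL_DOMAINS = {"example.org"}  # assumed: the domains this server is responsible for


def parse_path(path):
    """Split an SMTP path such as <@relay.host:user@dest.host> into
    (source_route_hosts, mailbox). The null sender <> yields ([], "")."""
    p = path.strip()
    if p.startswith("<") and p.endswith(">"):
        p = p[1:-1]
    if not p.startswith("@"):
        return [], p
    route_part, sep, mailbox = p.partition(":")
    if not sep or not mailbox:
        raise ValueError("source route without mailbox")
    return [h.strip().lstrip("@").lower() for h in route_part.split(",")], mailbox


def is_local(mailbox, local_domains):
    """True if the mailbox's domain is one of ours (or a subdomain of one)."""
    _, sep, domain = mailbox.rpartition("@")
    domain = domain.lower().rstrip(".")
    return bool(sep) and any(
        domain == d or domain.endswith("." + d) for d in local_domains)


def relay_decision(mail_from, rcpt_to, local_domains=LOCAL_DOMAINS):
    """Return (accept, reason) for one MAIL FROM / RCPT TO pair."""
    try:
        s_route, sender = parse_path(mail_from)
        r_route, rcpt = parse_path(rcpt_to)
    except ValueError as exc:
        return False, "malformed path: %s" % exc
    if s_route or r_route:
        return False, "source route refused"
    if not rcpt:
        return False, "empty recipient"
    local_part = rcpt.rpartition("@")[0] or rcpt
    if any(c in local_part for c in "%!@"):
        return False, "embedded route refused"
    # Unqualified recipients (e.g. "postmaster") are delivered locally.
    rcpt_local = "@" not in rcpt or is_local(rcpt, local_domains)
    # MAIL FROM is unauthenticated, so a "local" sender is only a claim.
    sender_local = is_local(sender, local_domains)
    if not (sender_local or rcpt_local):
        return False, "relaying denied"
    return True, "ok"


# Constructed sample envelopes (MAIL FROM, RCPT TO); none come from real traffic.
SAMPLES = [
    ("<alice@example.org>", "<bob@elsewhere.example>"),
    ("<someone@elsewhere.example>", "<alice@mail.example.org>"),
    ("<bulk@sender.example>", "<target@elsewhere.example>"),
    ("<bulk@sender.example>", "<@example.org:target@elsewhere.example>"),
    ("<bulk@sender.example>", "<target%elsewhere.example@example.org>"),
    ("<>", "<alice@example.org>"),
]

if __name__ == "__main__":
    for mail_from, rcpt_to in SAMPLES:
        accept, reason = relay_decision(mail_from, rcpt_to)
        print("%-30s %-42s %s (%s)" % (
            mail_from, rcpt_to, "ACCEPT" if accept else "REJECT", reason))
```

Because MAIL FROM can be forged, the "sender is ours" half of this test is only as strong as the claim in the envelope; keying it on the connecting client's address or on authentication, rather than on the claimed domain, keeps the same policy without trusting that claim.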