Updates
0. Introduction
1. No email relaying
2. Traceability of email passing through the system
3. Identification of the sender of email
4. Handle abuse reports
5. Act upon reports of abuse
6. Deny use of UBE for promotion
7. Prohibit the distribution of UBE tools and address lists by customers
8. Disseminate information on action taken against customers
9. Education
A: Glossary
B: References and Resources
C: Specimen Clauses
D: Definition of Normative Terms
Unsolicited Bulk Email (UBE) is a widespread problem on the Internet. It is sometimes called "junk email" or "spam". Because of the volumes involved and the indiscriminate nature of its sending, there can be few email users who do not have first hand experience of receiving UBE, often in significant quantity.
Furthermore
It is resource intensive and to a large extent ineffective for ISPs to try to block UBE once it has been sent, so this BCP does not describe the limited manner in which this may be attempted. In the fight against UBE the ISP's most practical contribution is to minimise or eliminate the sending (or other use) of UBE by its customers or from its systems. The purpose of this BCP is to describe the industry's current collective opinion of the Best Practice in achieving this.
Besides being in the general interest for ISPs to adopt Best Practice, many ISPs will wish to be publicly seen to be doing what they can to combat UBE. To that end, it is expected that ISPs will wish to state formally that they have adopted the recommendations of this BCP. To assist in this, the document has been written as a "standard", using the terms MUST, SHOULD, MAY and MUST NOT as defined in RFC 2119 (see Appendix D for a summary of this).
These nine points are expanded below.
Along with the extended explanations, this BCP lists a number of conditions that ISPs MUST impose upon their customers. It will be necessary to ensure that the contract made between ISP and customer gives the ISP the legal right to make these impositions and to withdraw services when unacceptable behaviour occurs.
To ensure fair competition between ISPs, so that no marketing advantage can be gained by failing to spell out these obligations properly, the ISP MAY use the standard clauses set out in Appendix C and MUST use these clauses or others which are at least as effective. The ISP MAY place these clauses into a more general Acceptable Use Policy (AUP) that covers other abuse issues.
The provisions of this BCP document are to be applied to all customers. However, some customers will have customers of their own. The ISP will conform to Best Practice by ensuring that such customers adopt this BCP themselves, and thereby apply Best Practice procedures in turn to their own customers.
Appendix A provides a glossary of terms, but in particular, throughout this document the term "ISP" should be understood to apply not only to "top level" providers of Internet connectivity, but also to customers of such ISPs who are "recursively" applying the BCP to their own customers. Also, the term "customer" should be understood to apply not only where there is a formal contractual relationship, but also to other cases where someone may be a "user" of the ISP's facilities.
Historically, e-mail systems using the SMTP protocol have been prepared to accept email from anyone and then deliver it to, or towards, its true destination. This willingness to "relay" made Internet email extremely robust, since minor configuration errors on one machine could be overcome by another machine with more accurate knowledge of how to deliver the email. Furthermore, the spirit of co-operation that pervades the Internet has meant that machine owners tended not to log, let alone block, such relaying.
With the advent of the Domain Name System (DNS) and far better connectivity for all machines, this need for relaying passed away long ago. However, the functionality continues to be provided within email programs.
Unfortunately, in recent times, the unscrupulous have been abusing the "relay" function by sending a single piece of email with a long list of destinations. This can cause someone else's system to generate multiple copies of the e-mail for delivery to many different addresses. By "amplifying" email in this way, the sender of UBE is exploiting the resources of others to do most of the work of generating the UBE. Furthermore, it is possible for the sender to use a poorly configured system to hide the true source of the email or at least to ensure that the less skilled misidentify its source.
As it is no longer required and because it is open to abuse, it is now considered quite improper for systems to be configured in such a way that they will relay e-mail for unauthorised people.
There are several ongoing projects on the wider Internet to identify systems that are still prepared to relay email. Typically, such systems are added to blocking lists that affect the propagation of e-mail. Even if one wished to run an "open relay" the time is approaching when few will be prepared to interwork with such a system.
It is common for ISPs to run "smarthosts", which provide SMTP email delivery for their customers, especially those on dial up connections or local networks. This avoids the necessity for these customer machines to have fully fledged delivery systems of their own. This "smarthosting" is just a form of relaying, but is of course a completely acceptable practice, provided that the smarthost is configured to refuse to relay any email sent to it by unauthorised machines.
Appendix B contains pointers to technical information about how to ensure that email relaying does not occur.
Appendix C contains specimen contractual clauses to allow these, and other, requirements to be implemented.
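The smarthost rule in this section (relay for customers, refuse everyone else) expressed as a decision function. This is an added example, not code from the BCP or from any MTA; the hosted domains, customer networks and client addresses are constructed for illustration, and a real MTA expresses the same policy in its own configuration.

```python
import ipaddress

# Constructed policy data for the example: the domains this server delivers
# locally and the customer networks allowed to use it as a smarthost.
LOCAL_DOMAINS = {"isp.example", "mail.isp.example"}
CUSTOMER_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),      # dial-up address pool (constructed)
    ipaddress.ip_network("198.51.100.0/25"),   # a customer LAN (constructed)
]


def recipient_domain(address):
    """Domain part of a bare or <bracketed> address, lower-cased; reject malformed input."""
    local, sep, domain = address.strip("<>").rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed recipient {address!r}")
    return domain.lower()


def relay_decision(client_ip, authenticated, rcpt):
    """Return 'accept' or an SMTP rejection for one RCPT TO.

    1. Mail for a domain we host is inbound delivery, not relaying: accept.
    2. Mail for any other domain is relaying, allowed only for an authorised
       client: an SMTP-authenticated session or a host inside a customer network.
    3. Otherwise refuse. Accepting at step 3 is exactly what makes an open relay.
    """
    if recipient_domain(rcpt) in LOCAL_DOMAINS:
        return "accept"
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in CUSTOMER_NETWORKS):
        return "accept"
    return "554 5.7.1 Relay access denied"


def audit_session(client_ip, authenticated, recipients):
    """Evaluate every recipient of one session; returns {recipient: decision}."""
    return {r: relay_decision(client_ip, authenticated, r) for r in recipients}


if __name__ == "__main__":
    # An unknown host trying to use us to reach a third party is refused;
    # the same host delivering to a domain we host is accepted.
    print(audit_session("203.0.113.5", False,
                        ["user@isp.example", "victim@other.example"]))
```

The order of the checks matters: local delivery is tested first so that an unauthenticated host can still deliver mail addressed to the ISP's own users, which is not relaying and must keep working.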
Tracing the source of email requires that all systems comply with the email standards and add a "Received" header line as the email passes through them. This serves to identify the machine that is adding the header and the machine from which the email arrived. In principle, the oldest such line indicates the source of the email. In practice, this is sometimes forged, and to trace the true sender it is necessary to work through the Received lines in time order until a discontinuity is found.
The senders of email will sometimes try to obscure the true origin of email by forging the name of the source machine in the "HELO" protocol command. This type of forgery is made easy to detect by ensuring that the Received line contains not only the name, but also the IP address of the sending system, since the latter cannot be disguised.
Section 2 has the effect of ensuring that email can be traced back to an originating IP address.
With dial up access, it is common to use "dynamic IP", so that the same address will be reused for other customers. ISDN connections take only a few seconds, so in principle the same IP address can almost immediately be in use by another person entirely.
However, the combination of IP address and time of connection will uniquely identify where the e-mail came from. So an accurate time must be recorded into the email header Received line. The combination of this time with other access logs, held by the originating ISP, will serve to identify the sender.
The above description has only skimmed the surface of a complex topic. The LINX Best Current Practice document on "Traceability" (see Appendix B) can be consulted for further information and advice.
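The tracing procedure of Sections 2 and 3 worked through in code: parse each Received line, walk them from newest to oldest until the chain of "from"/"by" hosts breaks, take the IP address and timestamp at that point, and match them against dial-up session records. This is an added example, not part of the BCP or of the LINX "Traceability" document; the message, host names, addresses and access-log entries are all constructed.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: three Received lines, newest first. The oldest line was
# written by the sender to point the blame at 203.0.113.9; the true origin is
# the dial-up host 192.0.2.42 one hop down. All names and addresses are made up.
SAMPLE_MESSAGE = """\
Received: from mail.customer.example (mail.customer.example [198.51.100.7])
\tby mx.isp.example with ESMTP; Tue, 04 Mar 2003 10:15:22 +0000
Received: from pc123 (dialup-42.isp.example [192.0.2.42])
\tby mail.customer.example with SMTP; Tue, 04 Mar 2003 10:15:01 +0000
Received: from bigmail.example.com (bigmail.example.com [203.0.113.9])
\tby relay.example.com with SMTP; Tue, 04 Mar 2003 09:00:00 +0000
From: someone@example.com
To: victim@example.net
Subject: constructed sample

(body)
"""

# Constructed ISP access log: (account, pool address, session start, session end).
ACCESS_LOG = [
    ("cust-0417", "192.0.2.42", "2003-03-04T09:58:00+00:00", "2003-03-04T10:19:40+00:00"),
    ("cust-2231", "192.0.2.42", "2003-03-04T10:19:45+00:00", "2003-03-04T11:02:10+00:00"),
]

# "from <helo> (<rdns> [<ip>]) ... by <host>": the bracketed IP is the part
# the sending system cannot disguise, so a line without it is unverifiable.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_received(value):
    """One Received header -> dict, or None if it carries no IP literal."""
    flat = " ".join(value.split())          # undo header folding
    m = RECEIVED_RE.search(flat)
    if m is None:
        return None
    stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return {"helo": m["helo"], "rdns": m["rdns"] or m["helo"], "ip": m["ip"],
            "by": m["by"], "time": parsedate_to_datetime(stamp) if stamp else None}


def trace_origin(raw_message):
    """Walk Received lines newest to oldest and stop at the first discontinuity.

    Each line's "from" host must be the host that claims, in the next older
    line, to have added that line ("by"). Where the chain breaks, the older
    lines were already in the message when it arrived: the sender wrote them.
    """
    headers = message_from_string(raw_message).get_all("Received", [])
    hops = [parse_received(v) for v in headers]
    for i, hop in enumerate(hops):
        if hop is None:
            raise ValueError(f"Received line {i} has no IP literal; trail ends here")
        older = hops[i + 1] if i + 1 < len(hops) else None
        consistent = older is not None and older["by"] in (hop["rdns"], hop["helo"])
        if not consistent:
            return {"ip": hop["ip"], "time": hop["time"], "hop_index": i,
                    "forged_lines_below": len(hops) - i - 1,
                    "helo_mismatch": hop["helo"] != hop["rdns"]}
    return None


def identify_sender(ip, when, sessions=ACCESS_LOG):
    """Dynamic IP: address and time together name the account; either alone does not."""
    for account, pool_ip, start, end in sessions:
        if pool_ip == ip and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return account
    return None


if __name__ == "__main__":
    origin = trace_origin(SAMPLE_MESSAGE)
    print(origin)
    print(identify_sender(origin["ip"], origin["time"]))
```

In the sample the second hop's HELO name ("pc123") differs from the reverse DNS of its address, which is normal for a dial-up PC and is why the decision rests on the bracketed IP and the timestamp, not on the announced name. A few seconds later the same pool address belongs to a different account, so the session records must be searched with the exact time taken from the Received line.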
An exception to Sections 2 and 3 arises in the case of a system run to deliberately hide the source of email - often called an "anon server". "Anon servers" are used to preserve anonymity where, for example, someone seeks help from a group supporting victims of abuse or wishes to express political views in a country that may punish dissent.
ISPs are required to accept and process e-mailed reports about abuse by their own customers, whatever person or organisation may send the reports.
If a customer posts UBE then complaints are likely to be made to the ISP. These complaints have in the past, by convention, generally been sent to the "postmaster" mailbox. More recently it has become desirable to direct such email to a specialist "abuse" mailbox. This practice was first fully documented in RFC 2142.
Some ISPs are developing specialised reporting systems that, for example, allow complaints to be entered into a form on a website. There are many advantages to such systems in that they ensure that reports are complete and they can boost productivity, allowing prompt and efficient handling of the reports. However, they have disadvantages in that they can only be used online and at present there are no standard conventions for their layout or their location. Therefore, although ISPs may wish to encourage their use and to develop other automated submission systems for third-party sites that collate reports from many people, it is not appropriate, at present, to see them as entirely replacing e-mail reports.
It is often "obvious" which ISP is responsible for particular IP addresses and hence which "abuse" mailbox to use. However, in some cases it may be necessary to consult the appropriate Regional Registry (such as RIPE NCC) in order to determine IP address ownership. It has therefore become standard practice to document within registry entries the explicit abuse@isp e-mail address to be used. It is important that complaints continue to be accepted at the "obvious" address even though the registry entry may indicate that another address is to be preferred. At present, registry entries can only record abuse mailbox details by means of comment fields, which inhibits automatic processing, but a formally specified system may be introduced in the future.
When a complaint is received, it is wise to promptly acknowledge it, perhaps merely with a standard message that describes the local policies and procedures.
It is desirable to run a "ticketing" system that allows incident reports to be tracked. This will assist in combining reports and in collating further correspondence that may arrive from the original complainant.
It is also desirable to reply to people who submit complaints to explain what action is eventually decided upon. Sometimes, especially when a large number of reports are being received, this is not very practical. The standard message described above can usefully explain that this may happen, and it may be possible to direct people to a website where any action taken by the ISP will be recorded (see Section 6 below).
Requirements
There is no acceptable excuse for the sending of unsolicited bulk email.
Apart from people pleading ignorance of the unacceptable nature of UBE, which is covered in the requirements section below, the most likely explanation will be a claim that the e-mail was in fact solicited.
In determining whether to accept this explanation the ISP must look at how the e-mail addresses were acquired. Data Protection legislation will normally require that information is processed "fairly and lawfully". In particular, the ISP should look for positive answers to all the following questions:
All EU countries have legislation implementing EC Directive 2002/58/EC and its forerunners 95/46/EC and 97/66/EC; in most cases the questions above will reflect the primary concerns of the legislation.
The effect of these tests is that posting articles to Usenet or the mere visiting of a website does NOT make the subsequent sending of bulk email "solicited". Nor does acquiring a list of e-mail addresses from a third party give a customer any entitlement to treat e-mail sent to those addresses as solicited.
Clearly, where someone has explicitly signed up for a mailing list the email that arrives is solicited. However, in the real world some mailing lists are dormant for long periods and the people who join them can have poor memories. When email does arrive it may be reported to the mailing list owner's ISP as being unsolicited. Since the same software can be used to send genuine requested mailing list email and UBE, the ISP will have to apply the tests given above to distinguish the two cases.
Mailing list owners can demonstrate that they are behaving responsibly by keeping good records. Ideally they would be able to produce a copy of the "subscribe" email for the list and would have checked it out at the time by "mailback" confirmation techniques to ensure that a third party had not maliciously requested the subscription. It is of course vital that the recipient of the unwanted email can unsubscribe from the list. Modern mailing list software packages automate all these procedures. There is a great deal more about this topic in the LINX Best Current Practice document on "Operating Mailing Lists" (see Appendix B).
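The "mailback" confirmation and record-keeping just described, worked through as code. This is an added example, not part of the BCP or of any mailing-list package: a confirmation token that binds the address, the list name and the issue time under an HMAC, so a subscription can only be completed by whoever actually reads the mailbox, plus the record the list owner keeps as evidence. The secret, the three-day validity period and the addresses are constructed assumptions.

```python
import hashlib
import hmac
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

LIST_SECRET = b"constructed-example-secret"   # a real list server loads this from config
CONFIRM_TTL = 3 * 24 * 3600                   # assumed lifetime of a mailback token, seconds
SUBSCRIPTIONS = []                            # the records a list owner can show an ISP


def _tag(payload):
    """HMAC-SHA256 over the token fields; forging it requires LIST_SECRET."""
    return hmac.new(LIST_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_confirmation(address, list_name, now=None):
    """Token to embed in the mailback sent to `address` after a subscribe request.

    Nothing is subscribed yet: a third party who requested the subscription
    in someone else's name never sees this token.
    """
    if "|" in address or "|" in list_name:
        raise ValueError("'|' is the field separator and may not appear in a field")
    issued = int(time.time() if now is None else now)
    payload = f"{list_name}|{address.lower()}|{issued}"
    return urlsafe_b64encode(f"{payload}|{_tag(payload)}".encode()).decode()


def verify_confirmation(token, address, list_name, now=None):
    """True only for an untampered, unexpired token for exactly this address and list."""
    try:
        tok_list, tok_addr, issued, tag = urlsafe_b64decode(token.encode()).decode().split("|")
        issued = int(issued)
    except (ValueError, UnicodeDecodeError):
        return False                                   # not a token we produced
    if not hmac.compare_digest(_tag(f"{tok_list}|{tok_addr}|{issued}"), tag):
        return False                                   # forged or modified
    if tok_list != list_name or tok_addr != address.lower():
        return False                                   # issued for another address or list
    current = time.time() if now is None else now
    return 0 <= current - issued <= CONFIRM_TTL        # stale links are not honoured


def confirm_subscription(token, address, list_name, client_ip, now=None):
    """Activate the subscription and keep the evidence that it was requested."""
    if not verify_confirmation(token, address, list_name, now):
        return False
    SUBSCRIPTIONS.append({
        "list": list_name,
        "address": address.lower(),
        "confirmed_at": int(time.time() if now is None else now),
        "confirmed_from": client_ip,
    })
    return True


if __name__ == "__main__":
    token = issue_confirmation("alice@example.net", "news")
    print(confirm_subscription(token, "alice@example.net", "news", "192.0.2.5"))
    print(SUBSCRIPTIONS[-1])
```

The stored record (list, address, confirmation time, confirming address) is what answers a later complaint: it shows the subscription was confirmed from the recipient's own mailbox rather than merely requested by someone. Unsubscription is handled the same way in practice, with a token in every message so the recipient can leave without further correspondence.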
As discussed at the start of this document, ISPs may have customers large enough to apply this BCP on their own account, and manage their own customers or users. In these cases the ISP may depend on their customer to deal with the sender of UBE, and need not apply the sanctions discussed below, such as disconnecting these large customers from the Internet. However, the ISP remains accountable to the wider community, which will expect the ISP to be reasonably assured that their customer will indeed take suitable action in the ISP's stead.
Improvements in filtering technology have led many senders of UBE to move much of the content of their message from the email to a website or other medium, and to direct their recipients towards that secondary source. Traffic coming to such websites provides the incentive for senders to keep sending UBE, and much UBE would not exist or would be more readily controlled but for the existence of these websites.
It is not acceptable to use UBE to promote websites or other secondary services, nor is it acceptable to use such services to promote or reap the benefits of sending UBE. Accordingly, use of UBE to promote a website or other service must be treated as an abuse not only of the e-mail service used to send the UBE, but also as infringing the conditions of use of the website or other service promoted by the UBE. The expectation should be that promoting websites via UBE will result in them being shut down.
The unacceptability of using UBE for promotion and the necessity of taking action against websites is not affected by there being more than one ISP involved. Each ISP is expected to take effective action against their particular customer.
In some cases a franchise system is in operation and a central, legitimately operated, website is promoted by UBE sent by a franchisee without the knowledge or permission of the central website owner. In such circumstances UBE will only be eliminated if the website owner takes firm action to disenfranchise the UBE sender and to ensure that they do not profit from their abuse. ISPs providing services to such websites must satisfy themselves that appropriate control mechanisms are in place before concluding that it would be unfair to suspend the website and allowing it to remain operational.
In some cases websites are promoted by third parties who misrepresent the nature of the email they will send, so that UBE is sent on behalf of the website owner. In such circumstances the website owner will look to their service contract with the third party for recompense for the significant damage that will have been done to their reputation. Provided that the ISP is satisfied that the problem will not recur it would clearly be unreasonable to suspend the website.
If a 'two strikes' policy is applied:
Some businesses promote the sending of UBE by making available programs for bulk email sending or e-mail address harvesting, and may also sell their own lists of e-mail addresses. Since using these products is unacceptable, the community considers the promotion of these products, usually on the web, as also being unacceptable. Although the major league senders of UBE use their own systems, the ability to obtain "kits" for sending UBE encourages others to attempt to use them and so there is a real benefit in suppressing these kits.
Of course many products have entirely legitimate uses in handling mailing lists run on an opt-in basis and there is no question of preventing these products being promoted. However, legitimate products do not provide methods for hiding the source of e-mail or for seeking out and using third party machines.
Similarly, there are a few legitimate sellers of address lists, although such lists are unusual because of the necessity of complying with Data Protection principles. It is regrettable to note that many alleged "opt-in" lists turn out to be incorrectly described.
There are a number of advantages to making public any action taken against customers who have sent UBE:
However, when publishing information about the action that has been taken it is vital to be accurate and matter of fact, for otherwise there is a risk of an action for defamation.
It is also necessary to comply with Data Protection legislation. This may not apply to companies - so their full name and address can be published; but with individuals it would almost certainly be necessary to avoid exact identification unless contractual steps had been taken to allow this information to be released when abuse had occurred.
The sort of report which would cause no problems would be along the lines of "On <date> we terminated the account known as <email address> because of its use in sending Unsolicited Bulk Email. Further reports of abuse by this account are unnecessary."
In addition to any public reporting, an ISP will wish to take such steps as are possible to disseminate information about abuse within its own organisation. It is not good practice to allow terminated accounts to be reopened, or the same individual, detectable by name, address or perhaps credit card, to immediately open a new account to replace the previous one.
ISPs need to take steps to educate their customers in acceptable e-mail behaviour. It is recognised that ISPs may have difficulty in doing this because their marketing departments wish to play up the advantages of the Internet and downplay negative issues.
Many reports of abuse that are received by ISPs do not contain vital information that will allow action to be taken. Customers forget, for example, to include full header information, which is needed to properly identify the sender. Customers can also let their feelings run away with them and heap abuse on the abuse handling personnel.
It is the responsibility of everyone to try and improve this situation so that fewer inadequate or objectionable reports are sent, and less time is wasted dealing with such reports and less frustration is experienced by all concerned.
Many ISPs now operate e-mail filtering systems that attempt to distinguish UBE from legitimate e-mail and block or redirect the UBE. Systems may also attempt to detect mass-mailing email "worms" or "viruses". These systems are not perfect and will let through some UBE and some worms and can, on occasion, also disrupt the flow of items of legitimate email. It is important that ISP customers are aware of whether filtering is occurring, the type of system that is deployed, and hence the likely risk of email disruption.
Because reports sent to "abuse@" mailboxes are highly likely to contain copies of UBE or viruses, it is most important that this email does not pass through filtering systems that discard or reject this type of e-mail.
An extension to the contract between ISP and customer that sets out what the customer may and (mainly) may not do whilst using the ISP's services.
A description of the best practice presently known to the industry.
The distributed system that provides a translation service between names and IP addresses. It is described in RFC 1035.
A command within the SMTP email protocol, used to announce the name of a remote machine.
A basic protocol for exchanging packets between machines on the Internet. Other protocols are layered upon this to provide services for users. It is described in RFC 791 and RFC 1122.
ISP is used in this document as a generic term to describe companies and organisations that provide Internet access to others. It is also used to describe customers of ISPs who have adopted this BCP and are applying it to their own customers in the ISP's stead.
The LINX is a totally neutral, not for profit partnership between ISPs. It operates the major UK Internet exchange point. As well as its core activity of facilitating the efficient movement of Internet traffic it is involved in non-core activities of general interest to its members. One such activity on "content regulation" has, as part of its work, generated the document from which this RIPE Document is derived.
A protocol for obtaining an accurate measurement of the current time described in RFC 1119 and RFC 1305.
The RFCs are a series of notes, started in 1969, about the Internet (originally the ARPANET). The notes discuss many aspects of computing and computer communication, focusing on networking protocols, procedures, programs, and concepts, but also including meeting notes, opinion, and sometimes humour. The Internet standards are documented within the RFC documents.
RIPE is a collaborative forum open to all parties whose objective is to ensure the administrative and technical coordination necessary to enable the operation of the Internet within the RIPE NCC service region.
The RIPE NCC is the Regional Internet Registry for Internet number resources in Europe, the Middle East and parts of Asia. The organisation also facilitates RIPE Meetings and RIPE Working Groups.
The email transfer protocol. It is currently documented in RFC 2821.
UBE is email that has been sent in large amounts without any explicit requests for it being made. It is sometimes called "junk email" or "spam". At present it usually contains advertising material for commercial ventures of dubious propriety.
Some discussion of UBE distinguishes unsolicited e-mail that is commercial in nature from non-commercial material. This document treats UBE as unacceptable per se, avoiding the need for value judgments on what may or may not be "commercial".
1. The RIPE NCC is not responsible for the content of third-party sites, and does not necessarily endorse their contents.
2. It is recognised that the links referred to here may not be available or current at any time in the future.
There are many sites on the Internet that discuss unsolicited email in general.
Some of the more interesting ones are:
There is almost certainly a discussion of the prevention of unauthorised email relaying on the home site of all mail-handling software.
Some examples include:
For a comprehensive survey of pointers to information about e-mail server software, see the MAPS Transport Security Initiative.
There are also generic products that can be used with many systems to control relaying. Mailshield is a commercial example.
You can test if your system allows unauthorised relaying.
LINX Best Current Practice Documents:
All published RFCs are available from:
http://www.ietf.org/rfc.html
The following are clauses that ISPs may use in their Terms and Conditions and elsewhere to support the enforcement of sanctions against senders and promoters of UBE, as required to conform to this BCP. In these model clauses the ISP is referred to as "we"/"us" and the customer as "you"/"your". ISPs may wish to replace these by other defined terms from their own paperwork.
You must ensure that you do not further the sending of Unsolicited Bulk Email (UBE) by others. This applies to both material that originates on your system and also third party material that might pass through it.
This includes but is not limited to a prohibition on running an "open mail relay", such as a machine which accepts mail from unauthorised or unknown senders and forwards it onward to a destination outside of your machine or network. If your machine does relay mail, on an authorised basis, then it must record its passing through your system by means of an appropriate "Received" line.
As an exception to the ban on relaying and the necessity for a "Received" line, you may run an "anonymous" relay service provided that you monitor it in such a way as to detect unauthorised or excessive use.
We may, at our discretion, run manual or automatic systems to determine your compliance with our AUPs (e.g. scanning for "open mail relays"). You are deemed to have granted permission for this limited intrusion onto your network or machine.
You may not use your account to send unsolicited bulk email. You must have explicit permission from all destination addresses before you send an e-mail to multiple recipients.
Websites must not be advertised by you, or by another person, using techniques that would be classified as "abuse" if they were carried out using a service provided by us. This includes, but is not limited to, the sending of unsolicited bulk email. Such action will be treated under this AUP as if it had been done using your account.
You must not offer or distribute any of the following products or services:
This is a summary of the contents of RFC 2119 "Key words for use in RFCs to Indicate Requirement Levels". Readers are encouraged to consult the full document for guidance.