Anti-spam WG Minutes September 1999
- Date: Wed, 16 Feb 2000 17:14:37 +0000
Apologies for the late distribution.
Thanks to Gerry Berthauer for these minutes
-- he did his bit in good time.
RIPE anti-spam Working Group
RIPE 34 Meeting, 23 Sep 1999, Amsterdam
Chair: Rodney Tillotson, UKERNA
Scribe: Gerry Berthauer RIPE NCC
1.2 Note taker
Note taker is Gerry Berthauer of RIPE NCC.
1.3 Agree agenda
2.1 Recent list discussion
2.2 Other developments
2.2.1 Collateral spamming
Spamming which pretends (in MAIL FROM:) to come from your domain and
perhaps from real email addresses causes grief and is time-consuming.
There is a draft note and information in a JANET paper:
The chair asked about the current state of collateral spamming.
It is increasing. Examples from the audience:
- Domain forging moves out of the US
- Increase of spamming through offshore and Japanese relays
- Collateral spamming from Hong Kong domains
- More relaying from Yahoo.
2.2.1 European legislation.
Keith Mitchell: After lobbying by the direct marketing industry in the
EU, a strong battle has to be fought with the direct marketing
industry with regards to opt-out/opt-in.
Roland Perry at LINX knows more about this (roland@localhost).
3. Code of conduct
We did not discuss AUPs on their own but Conditions of Service are
mentioned several times in the notes which follow.
3.2 The LINX BCP
3.2.1 Keith Mitchell gave a brief presentation.
The document is a statement of good practice for ISPs, and it attempts
to present all the anti-spam activities needed, in an organized way.
The document uses the term UBE instead of spam.
It is based on seven principles:
+ No unauthorized relaying.
+ Mail must be traceable.
+ Mail from within your network must be traceable to a particular
customer or system.
+ You must investigate reports about abuse by your customers.
+ If your customers spam, you must take some action;
you must use terms of service that allow you to take action.
+ You must provide information on the action taken.
+ You must educate your customers so that they know what UBE is,
and they know what you will do if they send it.
3.2.2 Issues raised
Is there any experience with closing the accounts of customers?
Yes. If abuse has been proven, the customer will be cut off if
it's in the written agreement between the customer and the ISP.
Cutting off or refusing customers is a cost to the business which
sometimes leads to a conflict of interest for management.
Subscription-free accounts need special solutions, such as
limiting their ability to originate mail or to have it relayed.
Another conflict may arise when end users receive spam with 'free
coupons' or other inducements. The end users may then like it and
even want more of it.
Big organizations, banks, insurance companies or any other company
with open relays just don't care about the goal of reducing spam.
They are only interested when their own mail doesn't work, but you
could explain that open relays are a security risk.
The chair asks the attendees to take a look at the LINX document
and to come up with comments.
3.2.3 Any other suggestions:
Send spammers an invoice.
The danger of sending your own customers an invoice is that although
this is meant to discourage them from using an account for spam, it
looks like setting up a price list for spammers.
Charging customers in addition to closing their accounts may be
useful if your conditions of service support it.
That is not a problem for people in other networks who send you spam
(though sending invoices is not cheap and will rarely work).
Try to go after advertisers.
This is hard; having registered mail bounced from a non-existing P.O.
box or calling the advertiser's premium phone number (Germany: 1-900)
to complain costs money.
Discuss spamming with the (marketing) management of your own ISP.
Explain that open relays are a security risk.
Spam sent from own domain can be seen as an infringement of
EuroCAUCE have a lot of material -- http://www.euro.cauce.org/.
RFC 2505 (mainly technical) and RFC 2635 are useful.
A Code of Conduct may not work in Germany if a spam victim holds
the spammer liable.
3.3 Opt-OUT and opt-IN
Telephone, fax and paper mail opt-OUT schemes work.
Any traces of opt-OUT arrangements working for e-mail? None reported.
Worries about large organizations who will (ab)use opt-OUT for spam
purposes. Potential of abuse of opt-OUT lists is significant.
What is the intention of your mail address?
- For you, to get the mail you want?
- For others, to send the mail they want to send to you?
The LINX are hoping to define a code for setting up a mailing list
since there is a need to do something positive for the opt-IN idea.
4. Assistance to CERTs
4.1 Reading mail headers.
(read the O'Reilly spam book, ISBN 1-56592-388-X)
Has anybody got other pointers to advice for people who are interested
but are not mail specialists?
5.1 Simple anti-relaying tools for people to apply
It is hard to close open relays in small companies far away with no
response at all, little technical knowledge or interest, and
language difficulties (highly technical topics in hard English).
It seems easier to them to leave things as they are.
Close your SMTP ports to non-European addresses and only allow
connections from address blocks 193/8, 195/8, 62/8 and 213/8.
Do this in a firewall, router or at mail systems.
Go to your suppliers and get machines delivered so that open
relaying is not the default.
Novell came with a tool. This is a good start.
Next step could be to bundle patches in a shell script. This needs
support and is not trivial.
Radical non-trivial solution for customers with an open relay: set up a
Linux box in front of their mailer to do management.
Interesting document: http://spam.geht.net/
The chair asks the attendees to find hard evidence of what products
are the most common in an open relay.
Old Sun software is in common use, but there may be others.
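
The address-block restriction suggested in 5.1, combined with the "no unauthorized relaying" principle from 3.2.1, can be expressed as one per-recipient decision at the mail system. This is an added example, not part of the minutes or of any product discussed; the local network 192.0.2.0/24, the domain example.net and the function names are assumptions made for illustration.

```python
import ipaddress

# Address blocks listed in the minutes: 193/8, 195/8, 62/8 and 213/8.
ALLOWED_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("193.0.0.0/8", "195.0.0.0/8", "62.0.0.0/8", "213.0.0.0/8")]
# Assumed for illustration: our own customer range and the domains we host.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.net"}


def _contains(nets, addr):
    return any(addr in net for net in nets)


def smtp_decision(client_ip, rcpt_to):
    """Return (action, reason) for one RCPT TO from a connecting client."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return ("reject", "unparseable client address")
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) on the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version != 4:
        return ("reject", "client outside allowed blocks")
    # Own customers may relay anywhere; this check precedes the block list.
    if _contains(LOCAL_NETS, addr):
        return ("relay", "client in local network")
    if not _contains(ALLOWED_BLOCKS, addr):
        return ("reject", "client outside allowed blocks")
    # Everyone else may only deliver to domains hosted here.
    mailbox = rcpt_to.strip().strip("<>")
    local_part, sep, domain = mailbox.rpartition("@")
    if not sep or not local_part or not domain:
        return ("reject", "recipient has no domain")
    if domain.lower().rstrip(".") in LOCAL_DOMAINS:
        return ("accept", "recipient domain is local")
    return ("reject", "relaying denied")
```

The four blocks are the ones named in the minutes; a deployment would load its own current list, and the same ordering of checks applies when the rule is enforced in a firewall or router instead.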