[anti-spam-wg] [Fwd: FW: [technical] RIPE anti-abuse draft]
To: RIPE anti-spam WG anti-spam-wg@localhost
From: Dave Crocker dhc@localhost
Date: Mon, 20 Nov 2006 12:32:52 -0800
Organization: Brandenburg InternetWorking

I forwarded a reference to the Last Called draft
<http://www.ripe.net/ripe/draft-documents/bcp-abuse.html> to the technical
subcommittee of MAAWG <http://maawg.org>.
MAAWG membership has become relatively diverse, although still tending towards
larger operators and senders. However the current diversity is enough to
produce differing opinions during lots of discussions... Always a good test of
honest representation and debate.

It can only help to have drafts get circulated widely among interested parties,
so I took the Last Call request as an opportunity to solicit MAAWG folks. (In
fact, there is about to be a draft *from* MAAWG that will find its way to RIPE,
and similar groups, for review prior to publication.)

Attached is a response from one of the active participants. For clarity, I
should note that his response is from the Cox team and not from MAAWG. I should
further note that I am relaying it without comment on its content.

-------- Original Message --------
Subject: FW: [technical] RIPE anti-abuse draft
Date: Mon, 20 Nov 2006 15:05:25 -0500

selected comments from our abuse department.

In general the guide seems written on the assumption that the customers
are commercial in nature and that they're sending email intentionally.
Most of our complaints are residential customers and/or trojan infections.

Here are a couple of particular points that stand out:

- The ISP MUST ensure that the alleged abuser is NOT informed of the
identity of those who are reporting the abuse, except with their

That's an excellent principle, but it can't always work. In particular,
there are cases where a customer runs a legitimate mailing list, and the
complainant simply forgets they've signed up. They continually send
spam complaints against the customer, and the only fix is to let the
customer know who the complainant is so they can be removed from the
list. Every legitimate large-scale mailing list gets at least a few
false positives like that.

- If a second origination of UBE by the customer occurs within six
months the ISP MUST terminate the customer's account and all services
connected with it. The loss of the sender's connection to the Internet
from a particular e-mail address is an important sanction in combating UBE.

Terminating a customer on a second spam complaint is somewhat
unrealistic. First contact may fail for a number of reasons. For
instance, many customers don't check their mailboxes, and they never see
the first warning. We find that a "three strikes" policy makes more
sense: warn, temporary suspension, termination. In practice, we
actually suspend a customer multiple times before termination. E.g. in
the case of a trojan infection, we'll typically give the customer more
than one chance to clean it up. In extreme cases, we can take drastic
measures such as requiring a hard drive format before reactivation, and
that usually prevents us from having to terminate a customer completely.