INFORMATIONAL

Network Working Group                                       S. Hambridge
Request for Comments: 2635                                         INTEL
FYI: 35                                                         A. Lunde
Category: Informational                          Northwestern University
                                                               June 1999

                               DON'T SPEW
 A Set of Guidelines for Mass Unsolicited Mailings and Postings (spam*)

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

This document explains why mass unsolicited electronic mail messages are harmful in the Internetworking community. It gives a set of guidelines for dealing with unsolicited mail for users, for system administrators, news administrators, and mailing list managers. It also makes suggestions Internet Service Providers might follow.

1.  Introduction

Hambridge & Lunde            Informational                      [Page 1]

RFC 2635                       DON'T SPEW                      June 1999

2.  What is Spam*?

3.  Why Mass Mailing is Bad


[1] indicate that unsolicited mail/posts seems to be following the same path of exponential growth as the Internet as a whole [2]. This is NOT encouraging, as this kind of increase puts a strain on servers, connections, routers, and the bandwidth of the Internet as a whole. On a per person basis, unsolicited mail is also on the increase, and individuals also have to bear the increasing cost of increasing numbers of unsolicited and unwanted mail. People interested in hard numbers may want to point their web browsers to http://www.techweb.com/se/directlink.cgi?INW19980504S0003 where Internet Week reports what spam costs.

Finally, sending large volumes of unsolicited email or posting voluminous numbers of Netnews postings is just plain rude. Consider the following analogy:

Suppose you discovered a large party going on in a house on your block. Uninvited, you appear, then join each group in conversation, force your way in, SHOUT YOUR OPINION (with a megaphone) of whatever you happen to be thinking about at the time, drown out all other conversation, then scream "discrimination" when folks tell you you're being rude.

To continue the party analogy, suppose instead of forcing your way into each group you stood on the outskirts a while and listened to the conversation. Then you gradually began to add comments relevant to the discussion. Then you began to tell people your opinion of the issues they were discussing; they would probably be less inclined to look badly on your intrusion. Note that you are still intruding. And that it would still be considered rude to offer to sell products or services to the guests even if the products and services were relevant to the discussion. You are in the wrong venue and you need to find the right one.

Lots of spammers act as if their behavior can be forgiven by beginning their messages with an apology, or by personalizing their messages with the recipient's real name, or by using a number of ingratiating techniques. But much like the techniques used by Uriah Heep in Dickens' _David Copperfield_, these usually have an effect opposite to the one intended. Poor excuses ("It's not illegal," "This will be the only message you receive," "This is an ad," "It's easy to REMOVE yourself from our list") are still excuses. Moreover, they are likely to make the recipient MORE aggravated rather than


Section 3). Third, even if the two previous things do not happen, very probably your mail will be directed to the computer equivalent of a black hole (the bit-bucket).

As of the writing of this document, there are several pieces of pending legislation in several jurisdictions about the sending of unsolicited mail and also about forging headers. If forging of headers should become illegal, then responding to the sender is less risky and may be useful. Certainly we advocate communicating to the originator (as best as you can tell) to let them know you will NOT be buying any products from them as you object to the method they have chosen to conduct their business (aka spam). Most responses through media other than electronic mail (mostly by those who take the time to phone included "800" (free to calling party in the U.S.) phone numbers) have proved somewhat effective. You can also call the business the advertisement is for, ask to speak to someone in authority, and then tell them you will never buy their products or use their services because their advertising mechanism is spam.

Next, you can carbon copy or forward the questionable mail messages or news postings to your postmaster. You can do this by sending mail "To: Postmaster@your-site.example." Your postmaster should be an expert at reading mail headers and will be able to tell if the originating address is forged. He or she may be able to pinpoint the real culprit and help close down the site. If your postmaster wants to know about unsolicited mail, be sure s/he gets a copy, including headers. You will need to find out the local policy and comply.

[3] which is a somewhat fuzzy measure of the interactions of the number of posts and number of groups. This is fuzzy purposefully, so that people will not post a number of messages just under the index and still "get away with it." And as noted above, the cancel messages have reached such a volume now that a lot of News administrators are beginning to write filters rather than send cancels.

Still spam gets through, so what can a concerned netizen do? If there is a group moderator, make sure s/he knows that off-topic posts are slipping into the group. If there is no moderator, you could take the same steps for dealing with news as are recommended for mail with all the same caveats.

A reasonable printed reference one might obtain has been published by O'Reilly and Associates, _Stopping Spam_, by Alan Schwartz and Simson Garfinkel [4]. This book also has interesting histories of spammers such as Cantor and Siegel, and Jeff Slaton. It gives fairly clear instructions for filtering mail and news.

5.  Help for Beleaguered Admins

http://www.sendmail.org/ under the "Anti-Spam" heading.

If you run a firewall at your site, it can be configured in ways to discourage spam. For example, if your firewall is a gateway host that itself contains an NNTP server, ensure that it is configured so it does not allow access from external sites except your news feeds. If your firewall acts as a proxy for an external news-server, ensure that it does not accept NNTP connections other than from your internal network. Both these potential holes have recently been exploited by spammers.

Ensure that email messages generated within your domain have proper identity information in the headers, and that users cannot forge headers. Be sure your headers have all the correct information as stipulated by RFC 822 [5] and RFC 1123 [6].

If you are running a mailing-list, allowing postings only by subscribers means a spammer would actually have to join your list before sending spam messages, which is unlikely. Make sure your charter forbids any off-topic posts. There is another spam-related problem with mailing-lists which is that spammers like to retaliate on those who work against them by mass-subscribing their enemies to mailing-lists. Your mailing-list software should require confirmation of the subscription, and only then should the address be subscribed.
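
The mailing-list advice above (confirm every subscription before it takes effect, and accept posts only from subscribers) can be sketched as follows. This is an added example, not text or code from RFC 2635; the MailingList class, the SECRET key, the 48-hour lifetime and the token format are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-list secret known only to the list server
TOKEN_TTL = 48 * 3600             # assumption: a confirmation is valid for 48 hours


def _sign(address, expires):
    # Bind the token to one address and one expiry time.
    msg = f"{address.lower()}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class MailingList:
    def __init__(self):
        self.subscribers = set()

    def request_subscription(self, address, now=None):
        """Anyone can submit any address, so nothing is subscribed here.
        The returned token is mailed to `address`; only whoever reads
        that mailbox can send it back."""
        expires = int(time.time() if now is None else now) + TOKEN_TTL
        return f"{expires}.{_sign(address, expires)}"

    def confirm(self, address, token, now=None):
        """Subscribe only if the token was issued for this address and is fresh."""
        now = int(time.time() if now is None else now)
        try:
            expires_s, sig = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False  # malformed token
        if expires < now:
            return False  # stale request
        expected = _sign(address, expires)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False  # token belongs to another address or was altered
        self.subscribers.add(address.lower())
        return True

    def accept_post(self, envelope_sender):
        """Subscriber-only posting. Sender addresses can be forged, so this
        raises the cost of posting rather than authenticating the poster."""
        return envelope_sender.lower() in self.subscribers
```

A mass-subscription attempt against a third party's address stops at request_subscription: the victim receives one confirmation message and is never added unless the token comes back.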


6.  What's an ISP to Do

RFC 2142, _Mailbox Names for Common Services, Roles and Functions._ [7].

Finally, write your contracts and terms and conditions in such language that allows you to suspend service for offenders, and so that you can impose a charge on them for your costs in handling the complaints their abuse generates and/or terminating their account and cleaning up the mess they make. Some large ISPs have found that they can fund much of their abuse prevention staff by imposing such charges. Make sure all your customers sign the agreement before their accounts are activated. There is a list of "good" Acceptable Use Policies and Terms of Service at: http://spam.abuse.net/goodsites/index.html.

Legally, you may be able to stop spammers and spam relayers, but this is certainly dependent on the jurisdictions involved. Potentially, the passing of spam via third party computers, especially if the

7.  Security Considerations

[2] can help define an escalation procedure if your site does not have one defined.

Lower levels of network security interact with the ability to trace spam via logs or message headers. Measures to stop various sorts of DNS and IP spoofing can make this information more reliable.

Spammers can and will exploit obvious security weaknesses, especially in NNTP servers. This can lead to denial of service, either from the sheer volume of posts, or as a result of action taken by upstream providers.

8.  Acknowledgments

section 5, Karl for the legal considerations. Andrew Gierth was very helpful with Netnews spam considerations. And thanks to Gary Malkin for proofing and formatting.

10.  Appendix - How to Track Down Spammers

