IETF RUN Working Group Sally Hambridge draft-ietf-run-spew-00.txt Intel Corp. DON'T SPEW A Set of Guidelines for Mass Unsolicited Mailings and Postings Abstract This document provides explains why mass unsolicited electronic mail messages are not useful in the Internetworking community. It gives a set of guidelines for dealing with unsolicited mail for users, for system administrators, news administrators, and mailing list managers. It also makes suggestions Internet Service Providers might follow. Status of This Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Comments on this draft should be sent to ietf-run@mailbag.intel.com. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). 1. Introduction The Internet's origins in the Research and Education communities played an important role in the foundation and formation of Internet culture. This culture defined rules for network etiquette (netiquette) and communication based on the Internet's being relatively off-limits to commercial enterprise. Hambridge Expires: 17Jun97 [Page 1] Internet Draft DON'T SPEW March 1997 As we know, this all changed when US Government was no longer the primary funding body for the US Internet, when the Internet truly went global, and when all commercial enterprises were allowed to obtain Fully Qualified Domain Names. Internet culture had become deeply embedded in the protocols the network used. Although the social context has changed, the technical limits of the Internet protocols still require a person to enforce certain limits on resource usage for the 'Net to function effectively. Strong authentication was not built into the News and Mail protocols. There was no end-to-end cost accounting and/or cost recovery. Bandwidth is shared among all traffic without resource reservation (although this is changing). Unfortunately for all of us, the culture so carefully nurtured through the early years of the Internet was not fully transferred to all those new entities hooking into the bandwidth. Many of those entities believe they have found a paradise of thousands of potential customers each of whom is desparate to learn about stunning new business opportunities. Alternatively, some of the new netizens believe all people should at least hear about the one true religion or political party or process. While there may be thousands of folks desparate for any potential message, mass mailings or Netnews postings are not at all appropriate on the 'Net. This document explains why mass unsolicited email and Netnews posting (aka spam*) is bad, what to do if you get it, what webmasters, postmasters, and news admins can do about it, and how an Internet Service Provider might respond to it. 2. Why Mass Mailing Is Bad In the world of paper mail we're all used to receiving unsolicited circulars, advertisements, and catalogs. Generally we don't object to this - we look at what we find of interest, and we discard/recycle the rest. Why should receiving unsolicited email be any different? The answer is that the cost model is different. In the paper world, the cost of mailing is borne by the sender. The sender must pay for the privilege of creating the ad and the cost of mailing it to the recipient. In the world of electronic communications, the recipient bears the majority of the cost. Yes, the sender still has to compose the message and the sender also has to pay for Internet connectivity. However, the receipient ALSO has to pay for Internet connectivity and possibly also connect time charges, so for electronic mailings the recipient is expected to help share the cost of the mailing. Hambridge Expires: 17Jun97 [Page 2] Internet Draft DON'T SPEW March 1997 Of course, this cost model is very popular with those looking for cheap methods to get their message out. By the same token, it's very unpopular with people who have to pay for their messages just to find that their mailbox is full of junk mail. Consider this: if you had to pay for receiving paper mail would you pay for junk mail? But what about free speech? Doesn't the US Constitution guarantee the ability to say whatever one likes? First, the US Constitution is law only in the US, and the Internet is global. There are places your mail will reach where free speech is not a given. Second, the US Constitution does NOT guarantee one the right to say whatever one likes. The example of yelling "FIRE" in a crowded theater comes to mind. Finally, there are laws which govern other areas of electronic communication, namely the "junk fax" laws. Although these have yet to be applied to electronic mail they are still an example of the "curbing" of "free speech." Free speech does not, in general, require other people to spend their money and resources to deliver your message. The crux of sending large amounts of unsolicited mail and news is not a legal issue so much as an ethical one. If you are tempted to send unsolicited "information," ask yourself these questions: "Whose resources is this using?", "Did they consent in advance?", "What would happen if everybody (or a very large number of people) did this?", "How would I feel if 90% of the mail I received was advertisements for stuff I didn't want?" Finally, sending large volumes of unsolicited email or posting voluminous numbers of Netnews postings is just plain rude. Consider the following analogy: suppose you discovered a large party going on in a house on your block. Uninvited, you appear, then join each group in conversation, force your way in, SHOUT YOUR OPINION of whatever you happen to be thinking about at the time, drown out all other conversaion, then scream "discrimination" when folks tell you you're being rude. The rules are simple: Don't Spew. To continue the party analogy, if instead of forcing your way into each group you stood on the outskirts a while and listened to the conversation. Then you gradually began to add comments relevant to the discussion. Then you began to tell people your opinion of the issues they were discussng, they would probably be less inclined to look badly on your intrusion. Note that you are still intruding. And that it would still be considered rude to offer to sell products or services to the guests even if the products and services were relevant to the discussion. You are in the wrong venue and you need to find the right one. Hambridge Expires: 17Jun97 [Page 3] Internet Draft DON'T SPEW March 1997 3. ACK! I've Been Spammed - Now What? It's unpleasant to receive mail which you do not want. It's even more unpleasant if you're paying for connect time to download it. And it's really unpleasant to receive mail on topics which you find offensive. Now that you're good and mad, what's an appropriate response? First, send the mail back to the originator objecting to your being on the mailing-list. (Check the headers carefully to find this information. Get your system administrator to help you if you do not know how to do this.) Be aware, though, that many folks who develop these lists take "Please desist" messages and throw them away. Alternatively, they take these messages and create mailing-lists to sell to others. Still, it is a way to register your disapproval. Second, be sure to carbon copy the postmaster of the offending site. You can do this by sending mail to: postmaster@offending-site.domain. Again, many organizations which send unsolicited mail have this address aliased to go nowhere. But it can't hurt. Third, cc your own postmaster. Your organization may have the ability to block incoming unwanted mail, so it doesn't hurt to let your postmaster know you're getting unwanted mail. This is especially true if the mail is offensive. Fourth, if your personal mailer allows you to write rules, write a rule which sends mail from the originator of the unwanted mail to the trash. That way, although you still have to pay to download it, you won't have to read it! 4. Help For Beleaguered Admins As a system administrator, news administrator, local Postmaster, or mailing-list administrator, your users will come to you for help in dealing with unwanted mail and posts. First, find out what your institution's policy is regarding unwanted/unsolicited mail. It is possible that it won't do anything for you, but it is also possible to use it to justify blocking a domain which is sending particularly offensive mail to your users. If you don't have a clear policy, it would be really useful to create one. If you are a mailing-list administrator, make sure your mailing-list charter forbids off-topic posts which advertise scams and unsolicited ads. If you have the capability (are running a mail transfer agent which allows it) consider blocking well known offending sites from ever getting mail into your site. However, it is a well-known problem Hambridge Expires: 17Jun97 [Page 4] Internet Draft DON'T SPEW March 1997 that offenders create domains more quickly than postmasters can block them. Also, help your users learn enough about their mailers so that they can write rules to filter their own mail. Use well-known Internet tools, such as whois and traceroute to find which ISP is serving your problem site. Notify the postmaster/abuse address that they have an offender. Be sure to pass on all header information in your messages to help them with tracing down the offender. If they have a policy against using their service to post unsolicited mail they will need more than just your say-so that there is a problem. Also, the "originating" site may be a victim of the offender as well. It's not unknown for those sending this kind of mail to bounce their mail through dial-up accounts, or off unprotected mail servers at other sites. Use caution in your approach to those who look like the offender. Participate in mailing lists and news groups which discuss unsolicited mail/posts and the problems associated with it. News.admin.net-abuse.announce is probably the most well-known of these. 5. What's an ISP To Do As an ISP, you first and foremost should decide what your stance against unsolicited mail and posts should be. If you decide not to tolerate unsolicited mail, write a clear acceptable use policy which states your position and deliniates consequences for abuse. If you state that you will not tolerate use of your resource for unsolicited mail/posts, and that the consequence will be loss of service, you should be able to cancel offending accounts relatively quickly. (after verifying that the account really IS being mis-used). If you have downstreaming arrangements with other providers, you should make sure they are aware of any policy you set. Likewise, you should be aware of your upstream providers' policies. Consider limiting access for dialup accounts so they cannot be used by those who spew. Make sure your mail servers aren't open for mail to be bounced off them. Make sure your mail transfer agents are the most up-to-date version (which passes security audits) of the software. Educate your users about how to react to spew and spewers. Make sure instructions for writing rules for mailers are clear and available. Support their efforts to deal with unwanted mail at the local level to take some of the burden from your sys admins. Hambridge Expires: 17Jun97 [Page 5] Internet Draft DON'T SPEW March 1997 Make sure you have an address for abuse complaints. If complainers can routinely send mail to "abuse@BigISP.com" and you have someone assigned to read that mail, workflow will be much smoother. You'll also be counted as good Internetworking citizens. 6. Security There are no security considerations. 7. Acknowledgements Thanks for help from the IETF-RUN working group, and also to all the spew-fighters. Specific thanks are due to J.D. Falk, whose very helpful Anti-spam FAQ proved helpful. Thanks are also do to the vigilence of Scott Hazelton Mueller and Paul Vixie, who run www.vix.com/spam, the Anti-spam* web site. * Spam (R) is a registered trademark of a meat product made by Hormel. Author Information Sally Hambridge Intel Corp, SC11-321 2200 Mission College blvd Santa Clara, CA 95052 sallyh@ludwig.sc.intel.com Hambridge Expires: 17Jun97 [Page 6]