IETF RUN Working Group                           Sally Hambridge / Intel
draft-ietf-run-spew-03.txt        Albert Lunde / Northwestern University
                                                              March 1998


                               DON'T SPEW
                A Set of Guidelines for Mass Unsolicited
                     Mailings and Postings (spam*)


Abstract

   This document explains why mass unsolicited electronic mail
   messages are harmful in the Internetworking community.  It gives
   a set of guidelines for dealing with unsolicited mail for users,
   for system administrators, news administrators, and mailing list
   managers.  It also makes suggestions Internet Service Providers
   might follow.


Status of This Memo

   This document is an Internet Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months. Internet Drafts may be updated, replaced, or obsoleted
   by other documents at any time.  It is not appropriate to use
   Internet Drafts as reference material or to cite them other than
   as a "working draft" or "work in progress."

   Please check the I-D abstract listing contained in each Internet Draft
   directory to learn the current status of this or any other Internet
   Draft.

   It is intended that this document will be submitted to the IESG for
   consideration as an FYI document.  Distribution of this document is
   unlimited.


1.  Introduction

   The Internet's origins in the Research and Education communities
   played an important role in the foundation and formation of Internet
   culture.  This culture defined rules for network etiquette (netiquette)
   and communication based on the Internet's being relatively off-limits



Hambridge & Lunde           Expires: 9Sep98                     [Page 1]

Internet Draft             Make Enemies Fast                  March 1998


   to commercial enterprise.

   As we know, this all changed when U.S. Government was no longer the
   primary funding body for the U.S. Internet, when the Internet truly
   went global, and when all commercial enterprises were allowed to
   obtain Fully Qualified Domain Names.  Internet culture had become
   deeply embedded in the protocols the network used.  Although the
   social context has changed, the technical limits of the Internet
   protocols still require a person to enforce certain limits on resource
   usage for the 'Net to function effectively.  Strong authentication was
   not built into the News and Mail protocols.  The only thing that is
   saving the Internet from congestion collapse is the inclusion of TCP
   backoff in almost all of the TCP/IP driver code on the Internet.
   There is no end-to-end cost accounting and/or cost recovery.
   Bandwidth is shared among all traffic without resource
   reservation (although this is changing).

   Unfortunately for all of us, the culture so carefully nurtured through
   the early years of the Internet was not fully transferred to all those
   new entities hooking into the bandwidth.  Many of those entities
   believe they have found a paradise of thousands of potential customers
   each of whom is desperate to learn about stunning new business
   opportunities.  Alternatively, some of the new netizens believe all
   people should at least hear about the one true religion or political
   party or process.  And some of them know that almost no one wants to
   hear their message but just can't resist how inexpensive the net can
   be to use.

   While there may be thousands of folks desperate for any potential
   message, mass mailings or Netnews postings are not at all appropriate
   on the 'Net.  This document explains why mass unsolicited email and
   Netnews posting (aka spam) is bad, what to do if you get it, what
   webmasters, postmasters, and news admins can do about it, and how an
   Internet Service Provider might respond to it.


2.  What Is Spam*?

   The term "spam" as it is used to denote mass unsolicited mailings or
   netnews postings derives from a Monty Python sketch set in a movie/tv
   studio cafeteria.  During that sketch, the word "spam" takes over each
   item offered on the menu until the entire dialogue consists of nothing
   but "spam spam spam spam spam spam and spam."  This so closely
   resembles what happens when mass unsolicited mail and posts take over
   mailing lists and netnews groups that the term has been pushed into
   common usage in the Internet community.

   When unsolicited mail is sent to a mailing list and/or news group it



Hambridge & Lunde           Expires: 9Sep98                     [Page 2]

Internet Draft             Make Enemies Fast                  March 1998


   frequently generates more hate mail to the list or group or apparent
   sender by people who do not realize the true source of the message.
   If the mailing contains suggestions for removing your name from a
   mailing list, 10s to 100s of people will respond to the list
   with "remove" messages meant for the originator.  So, the original
   message (spam) creates more unwanted mail (spam spam spam spam), which
   generates more unwanted mail (spam spam spam spam spam spam and spam).
   Similar occurrences are perpetrated in newsgroups, but this is held
   somewhat in check by "cancelbots" (programs which cancel postings)
   triggered by mass posting.  Recently, cancelbots have grown less in
   favor with those administering News servers since the cancelbots are
   now generating the same amount of traffic as spam.  Even News admins
   are beginning to use filters, demonstrating that spam spam spam spam
   spam spam and spam is a monumental problem.


3.  Why Mass Mailing is Bad

   In the world of paper mail we're all used to receiving unsolicited
   circulars, advertisements, and catalogs.  Generally we don't object to
   this - we look at what we find of interest, and we discard/recycle the
   rest.  Why should receiving unsolicited email be any different?

   The answer is that the cost model is different.  In the paper world,
   the cost of mailing is borne by the sender.  The sender must pay for
   the privilege of creating the ad and the cost of mailing it to the
   recipient.  An average paper commercial mailing in the U.S.  ends up
   costing about $1.00 per addressee.  In the world of electronic
   communications, the recipient bears the majority of the cost.  Yes,
   the sender still has to compose the message and the sender has to pay
   for Internet connectivity.  However, the recipient ALSO has to pay for
   Internet connectivity and possibly also connect time charges and for
   disk space, so for electronic mailings the recipient is expected to
   help share the cost of the mailing.  Bulk Internet mail from the U.S.
   ends up costing the sender only about 1/100th of a cent per address;
   or FOUR ORDERS of magnitude LESS!

   Of course, this cost model is very popular with those looking for
   cheap methods to get their message out.  By the same token, it's very
   unpopular with people who have to pay for their messages just to find
   that their mailbox is full of junk mail.  Consider this: if you had to
   pay for receiving paper mail would you pay for junk mail?

   Frequently spammers indulge in unethical behavior such as using mail
   servers which allow mail to be relayed to send huge amounts of
   electronic solicitations.  Or they forge their headers to make it look
   as if the mail originates from a different domain.  These kinds of
   people don't care that they're intruding into a personal or business



Hambridge & Lunde           Expires: 9Sep98                     [Page 3]

Internet Draft             Make Enemies Fast                  March 1998


   mailbox nor do they care that they are using other people's resources
   without compensating them.

   The huge cost difference has other bad effects.  Because even a very
   cheap paper mailing is going to cost tens of (U.S.) cents, there is a
   real incentive to send only to those really likely to be interested.
   So paper bulk mailers frequently pay a premium to get high quality
   mailing lists, carefully prune out bad addresses and pay for services
   to update old addresses.  Bulk email is so cheap that hardly anyone
   sending it bothers to do any of this.  As a result, the chance that
   the receiver is actually interested in the mail is very, very, very
   low.

   Doesn't the U.S. Constitution guarantee the ability to say whatever
   one likes?  First, the U.S. Constitution is law only in the U.S., and
   the Internet is global.  There are places your mail will reach where
   free speech is not a given.  Second, the U.S. Constitution does NOT
   guarantee one the right to say whatever one likes.  In general, the
   U.S. Constitution refers to political freedom of speech and not to
   commercial freedom of speech. Finally, there are laws which govern
   other areas of electronic communication, namely the "junk fax" laws.
   Although these have yet to be applied to electronic mail they are
   still an example of the "curbing" of "free speech."  Free speech does
   not, in general, require other people to spend their money and
   resources to deliver or accept your message.

   Most responsible Internet citizens have come to regard unsolicited
   mail/posts as "theft of service".  Since the recipient must pay for
   the service and for the most part the mail/posts are advertisements of
   unsolicited "stuff" (products, services, information) those receiving
   it believe that the practice of making the recipient pay constitutes
   theft.

   The crux of sending large amounts of unsolicited mail and news is not
   a legal issue so much as an ethical one.  If you are tempted to send
   unsolicited "information" ask yourself these questions: "Whose
   resources is this using?"  "Did they consent in advance?"  "What would
   happen if everybody (or a very large number of people) did this?" "How
   would you feel if 90% of the mail you received was advertisements for
   stuff you didn't want?" "How would you feel if 95% of the mail you
   received was advertisements for stuff you didn't want?"  "How would
   you feel if 99% of the mail you received was advertisements for stuff
   you didn't want?"

   Although hard numbers on the volume and rate of increase of spam are
   not easy to find, seat-of-the-pants estimates from the people on the
   spam mailing list [1] indicate that unsolicited mail/posts seems to be
   following the same path of exponential growth as the Internet as a



Hambridge & Lunde           Expires: 9Sep98                     [Page 4]

Internet Draft             Make Enemies Fast                  March 1998


   whole [2].  This is NOT encouraging, as this kind of increase puts a
   strain on servers, connections, routers, and the bandwidth of the
   Internet as a whole.  On a per person basis, unsolicited mail is also
   on the increase, and individuals also have to bear the increasing cost
   of increasing numbers of unsolicited and unwanted mail.  People
   interested in hard numbers may want to point their web browsers to
   www.junkproof.com where the webmaster there lists the number of spam
   messages he has filtered away from his users.

   Finally, sending large volumes of unsolicited email or posting
   voluminous numbers of Netnews postings is just plain rude.  Consider
   the following analogy: suppose you discovered a large party going on
   in a house on your block.  Uninvited, you appear, then join each group
   in conversation, force your way in, SHOUT YOUR OPINION (with a
   megaphone) of whatever you happen to be thinking about at the time,
   drown out all other conversation, then scream "discrimination" when
   folks tell you you're being rude.

   To continue the party analogy, suppose instead of forcing your way
   into each group you stood on the outskirts a while and listened to the
   conversation.  Then you gradually began to add comments relevant to
   the discussion.  Then you began to tell people your opinion of the
   issues they were discussing; they would probably be less inclined to
   look badly on your intrusion.  Note that you are still intruding.  And
   that it would still be considered rude to offer to sell products or
   services to the guests even if the products and services were relevant
   to the discussion.  You are in the wrong venue and you need to find
   the right one.

   Lots of spammers believe that they can be forgiven their behavior by
   beginning their messages with an apology, or by personalizing their
   messages with the recipient's real name, or by using a number of
   ingratiating techniques.  But much like the techniques used by Uriah
   Heep in Dicken's _David Copperfield_, these usually have an effect
   opposite to the one intended.  Poor excuses ("It's not illegal," "This
   will be the only message you receive," "This is an ad," "It's easy to
   REMOVE yourself from our list") are still excuses.  Moreover, they are
   likely to make the recipient MORE aggravated rather than less
   aggravated.

   In particular, there are two very severe problems with believing that
   a "remove" feature to stop future mail helps: (1) Careful tests have
   been done with sending remove requests for "virgin" email accounts
   (that have never been used anywhere else).  In over 80% of the cases,
   this resulted in a deluge of unsolicited email, although usually from
   other sources than the one the remove was sent to.  In other words, if
   you don't like unsolicited mail, you should think carefully before
   using a remove feature because the evidence is that they result in



Hambridge & Lunde           Expires: 9Sep98                     [Page 5]

Internet Draft             Make Enemies Fast                  March 1998


   more mail not less.  (2) Even if they did work, it would not stop lots
   of new unsolicited email every day from new businesses that hadn't
   mailed before.


4a. ACK!  I've Been Spammed - Now What?

   It's unpleasant to receive mail which you do not want.  It's even more
   unpleasant if you're paying for connect time to download it.  And it's
   really unpleasant to receive mail on topics which you find offensive.
   Now that you're good and mad, what's an appropriate response?

   First, you always have the option to delete it and get on with your
   life.  This is the easiest and safest response.  It does not guarantee
   you won't get more of the same in the future, but it does take care of
   the current problem.

   Second, you may consider sending the mail back to the originator
   objecting to your being on the mailing-list, but we recommend against
   this.  First, a lot of spammers disguise who they are and where their
   mail comes from by forging the mail headers.  Unless you are very
   experienced at reading headers discovering the true origin of the mail
   will probably prove difficult.  Although you can engage your local
   support staff to help you with this, they may have much higher
   priorities (such as setting up site-wide filters to prevent spam from
   entering the site).  Second, responding to this email will simply
   verify your address as valid and allow them to sell your address to
   other spammers.  (As was mentioned above in Section 3).  Third, even
   if the two previous things do not happen, very probably your mail will
   be directed to the bit-bucket!

   Certainly we advocate sending mail back to the originator (as best as
   you can tell) to let them know you will NOT be buying any products
   from them as you object to the method they have chosen to conduct
   their business (aka spam).

   Next, you can carbon copy or forward the questionable mail messages or
   news postings to the postmaster of the offending site.  You can do
   this by sending mail To: Postmaster@offending-site.example.  Good
   sites are now using an "abuse" address for people to complain about
   spam, so you can send complaints about unsolicited mail and posts to
   abuse@offending-site.example.  Many organizations which send
   unsolicited mail have this address aliased to go nowhere, but it can't
   hurt to try.

   As mentioned above, much spam uses forged headers, and unless you are
   experienced at reading the headers it is hard to tell where the mail
   was really sent from.  Don't assume that the recipient of your wrath



Hambridge & Lunde           Expires: 9Sep98                     [Page 6]

Internet Draft             Make Enemies Fast                  March 1998


   was involved with or supports the spam.  If your message is polite,
   often they will help you identify the actual perpetrator.  Realize
   that they are probably getting a large number of complaints, and if
   yours is particularly nice, they may be also, but don't be surprised
   if you get a canned response either.

                             *** IMPORTANT ***

   Wherever you send a complaint, be sure to include the full message
   headers.  (Most mail and news programs don't display the full headers
   by default.) For mail it is especially important to show the Received:
   headers; for Usenet news, the Path: header, as these normally show the
   route by which the mail or news was delivered.  Without them, it's
   impossible to even begin to tell where the message originated.  See
   the appendix for an example of a mail header.

   Everything above regarding complaints to the offending site can be
   applied equally to the Service Provider, if you can determine who
   their ISP actually is.  This is probably the most effective complaint
   you can make: If the Service Provider has Terms and Conditions which
   have been violated, they can boot the offender from their network.
   Much of the success in fighting the spam war has been the result of
   very dedicated people complaining to Internet Service Providers about
   offenders.  At the very least, the ISP who appears to be their Service
   Provider, if not actually, is probably running a mail server without
   relay blocks, and are thus an open window for spam.  Getting them to
   close it will help make it that much harder for spammers to hide.

   Your own organization or your local Internet Service Provider may have
   the ability to block unwanted mail at their mail relay machines.  If
   your postmaster wants to know about unsolicited mail, be sure s/he
   gets a copy, including headers.  You will need to find out the local
   policy and comply.

   If your personal mailer allows you to write rules, write a rule which
   sends mail from the originator of the unwanted mail to the trash.
   That way, although you still have to pay to download it, you won't
   have to read it!

   There is lively and ongoing debate about the validity of changing
   one's email address in a Web Browser in order to have Netnews posts
   and email look as if it is originating from some spot other than where
   it does originate.  The reasoning behind this is that web email
   address harvesters will not be getting a real address when it
   encounters these.  There is reason on both sides of this debate: If
   you change your address, you will not be as visible to the harvesters,
   but if you change your address, real people who need to contact you
   will be cut off as well.  Also, if you are using the Internet through



Hambridge & Lunde           Expires: 9Sep98                     [Page 7]

Internet Draft             Make Enemies Fast                  March 1998


   an organization such as a company, the company may have policies about
   "forging" addresses - even your own!  Most people agree that the
   consequences of changing your email address on your browser or even in
   your mail headers is fairly dangerous and will nearly guarantee your
   mail goes into a black hole unless you are very sure you know what you
   are doing.  (Here there be dragons.)

   Finally, DO NOT respond by sending back large volumes of unsolicited
   mail.  Two wrongs do not make a right; do not become your enemy; and
   take it easy on the network.

   There is a web site called www.abuse.net which allows you to register,
   then send your message to the name of the offending-domain@abuse.net,
   which will re-mail your message to the best reporting address for the
   offending domain.  The site contains good tips for reporting abuse
   netnews or email messages.  It also has some automated tools you may
   download to help you filter your messages.  Also check CIAC bulletin
   I-005 at:

      http://ciac/llnl.gov/ciac/bulletins/i-005a.shtml
   or
      http://spam.abuse.net/spam/tools/mailblock.html.

   Check the Appendix for a detailed explanation of tools and methodology
   to use when trying to chase down a spammer.

4b. There's a Spam in My Group!

   Netnews is also subject to spamming.  Here, several factors help to
   mitigate against the propagation of spam in news, although they don't
   entirely solve the problem.  Newsgroups and mailing lists may be
   moderated, which means that a moderator approve all mail/posts.  If
   this is the case, the moderator usually acts as a filter to removed
   unwanted and off-topic posts/mail.

   In Netnews, there are programs which detect posts which have been sent
   to multiple groups or which detect multiple posts >from the same
   source to one group.  These programs cancel the posts.  While these
   work and keep unsolicited posts down, they are not 100% effective and
   spam in newsgroups seems to be growing at an even faster rate than
   spam in mail or on mailing lists.  After all, it's much easier to post
   to a newsgroup for which there are thousands of readers than it is to
   find individual email addresses for all those folks.  Hence the
   development of the "cancelbots" (sometimes called "cancelmoose") for
   Netnews groups.  Cancelbots are triggered when one message is sent to
   a large number of newsgroups or when many small messages are sent (from
   one sender) to the same newsgroup.  In general these are tuned to
   the "Breidbart Index" [3] which is a somewhat fuzzy measure of the



Hambridge & Lunde           Expires: 9Sep98                     [Page 8]

Internet Draft             Make Enemies Fast                  March 1998


   interactions of the number of posts and number of groups.  This is
   fuzzy purposefully, so that people will not post a number of messages
   just under the index and still "get away with it."  And as noted
   above, the cancel messages have reached such a volume now that a lot
   of News administrators are beginning to write filters rather than send
   cancels.  Still, spam gets through, so what can a concerned netizen
   do?

   If there is a group moderator, make sure s/he knows that off-topic
   posts are slipping into the group.  If there is no moderator, you
   could take the same steps for dealing with news as are recommended for
   mail with all the same caveats.


5.  Help For Beleaguered Admins

   As a system administrator, news administrator, local Postmaster, or
   mailing-list administrator, your users will come to you for help in
   dealing with unwanted mail and posts.  First, find out what your
   institution's policy is regarding unwanted/unsolicited mail.  It is
   possible that it won't do anything for you, but it is also possible to
   use it to justify blocking a domain which is sending particularly
   offensive mail to your users.  If you don't have a clear policy, it
   would be really useful to create one.  If you are a mailing-list
   administrator, make sure your mailing-list charter forbids off-topic
   posts. If your internal-only newsgroups are getting spammed from the
   outside of your institution, you probably have bigger problems than
   just spam.

   Make sure that your mail and news transports are configured so that
   you don't inadvertently contribute to the spam problem.  Ensure your
   mail and news transports are configured to reject messages injected by
   parties outside your domain.  Recently misconfigured Netnews servers
   have become subject to hijacking by spammers.  SMTP source routing
   <@relay.host:user@dest.host> is becoming deprecated due to its
   overwhelming abuse by spammers.  You should configure your mail
   transport to reject relayed messages (when neither the sender nor the
   recipient are within your domain).  Your firewall should prohibit SMTP
   (mail) and NNTP (news) connections from clients within your domain to
   outside servers.  If your firewall is a gateway host that itself
   contains an NNTP server ensure that it is configured so it does not
   allow access from external sites except your news feeds.  If your
   firewall acts as a proxy for an external news-server ensure that it
   does not accept NNTP connections other than from your internet
   network.  Both these potential holes have recently been exploited by
   spammers.  Ensure that messages generated within your domain have
   proper identity information in the headers, and users cannot forge
   headers.  Be sure your headers have all the correct information as



Hambridge & Lunde           Expires: 9Sep98                     [Page 9]

Internet Draft             Make Enemies Fast                  March 1998


   stipulated by RFC 822 [4] and RFC 1123 [5].

   If you have the capability (are running a mail transfer agent which
   allows it) consider blocking well known offending sites from ever
   getting mail into your site.  Be careful not to block out sites for
   which you run MX records!  It is a well-known problem that offenders
   create domains more quickly than postmasters can block them.  Also,
   help your users learn enough about their mailers so that they can
   write rules to filter their own mail, or provide rules and kill files
   for them to use.

   There is information about how to "blackhole" netblocks at
   maps.vix.com.  There is information about how to configure sendmail
   available at www.sendmail.org.  Help on these problems is also
   available at spam.abuse.net.

   Use well-known Internet tools, such as whois and traceroute to find
   which ISP is serving your problem site.  Notify the postmaster/abuse
   address that they have an offender.  Be sure to pass on all header
   information in your messages to help them with tracking down the
   offender.  If they have a policy against using their service to post
   unsolicited mail they will need more than just your say-so that there
   is a problem.  Also, the "originating" site may be a victim of the
   offender as well.  It's not unknown for those sending this kind of
   mail to bounce their mail through dial-up accounts, or off unprotected
   mail servers at other sites.  Use caution in your approach to those
   who look like the offender.

   News spammers use similar techniques for sending spam to the groups.
   They have been known to forge headers and bounce posts off "open" news
   machines and remailers to cover their tracks.  During the height of
   the infamous David Rhodes "Make Money Fast" posts, it was not unheard
   of for students to walk away from terminals which were logged in, and
   for sneaky folks to then use their accounts to forge posts.  Much to
   the later embarrassment of both the student and the institution.

   One way to lessen problems is to avoid using mail-to URLs, which allow
   email addresses to be easily harvested by those institutions grabbing
   email addresses off the web.  If you need to have an email address
   prevalent on a web page, consider using a cgi script to generate the
   mailto address.

   Participate in mailing lists and news groups which discuss unsolicited
   mail/posts and the problems associated with it.
   News.admin.net-abuse.misc is probably the most well-known of these.






Hambridge & Lunde           Expires: 9Sep98                    [Page 10]

Internet Draft             Make Enemies Fast                  March 1998


6.  What's an ISP To Do

   As an ISP, you first and foremost should decide what your stance
   against unsolicited mail and posts should be.  If you decide not to
   tolerate unsolicited mail, write a clear acceptable use policy which
   states your position and delineates consequences for abuse.  If you
   state that you will not tolerate use of your resource for unsolicited
   mail/posts, and that the consequence will be loss of service, you
   should be able to cancel offending accounts relatively quickly.
   (Verifying, of course, that the account really IS being mis-used.)  If
   you have downstreaming arrangements with other providers, you should
   make sure they are aware of any policy you set.  Likewise, you should
   be aware of your upstream providers' policies.

   Consider limiting access for dialup accounts so they cannot be used by
   those who spew.  Make sure your mail servers aren't open for mail to
   be bounced off them (except for legitimate users).  Make sure your
   mail transfer agents are the most up-to-date version (which pass
   security audits) of the software.

   Educate your users about how to react to spew and spewers.  Make sure
   instructions for writing rules for mailers are clear and available.
   Support their efforts to deal with unwanted mail at the local level -
   taking some of the burden from your sys admins.

   Make sure you have an address for abuse complaints.  If complainers
   can routinely send mail to "abuse@BigISP.example" and you have someone
   assigned to read that mail, workflow will be much smoother.  Don't
   require people complaining about spam to use some unique local address
   for complaints.  Read and use 'postmaster' and 'abuse'.  We recommend
   adherence to RFC 2142, _Mailbox Names for Common Services, Roles and
   Functions._ [6].

   Finally, write your contracts and terms and conditions in such
   language that allows you to suspend service for offenders.  Make sure
   all your customers sign it before their accounts are activated.

   Legally, you may be able to stop spammers and spam relayers, but this
   is certainly dependent on the jurisdictions involved.  Potentially,
   the passing of spam via third party computers, especially if the
   headers are forged, could be a criminal action depending on the laws
   of the particular jurisdiction(s) involved.  If your site is being
   used as a spam relay, be sure to contact local and national criminal
   law enforcement agencies.  Site operators may also want to consider
   the bringing of civil actions against the spammer for expropriation of
   property, in particular the computer time and network bandwidth.  In
   addition, when a mailing list is involved, there is a potential
   intellectual property rights violation.



Hambridge & Lunde           Expires: 9Sep98                    [Page 11]

Internet Draft             Make Enemies Fast                  March 1998


   There are a few law suits in the courts now which claim spammers
   interfered with and endangered network connectivity.  At least one
   company is attempting to charge spammers for the use of its networks
   (www.kclink.com/spam/).


7.  Security

   Certain actions to stop spamming may cause problems to legitimate
   users of the net. There is a risk that filters to stop spamming will
   unintentionally stop legitimate mail too. Overloading postmasters with
   complaints about spamming may cause trouble to the wrong person,
   someone who is not responsible for and cannot do anything to avoid the
   spamming activity, or it may cause trouble out of proportion to the
   abuse you are complaining about.  Be sure to exercise discretion and
   good judgment in all these cases.  Check your local escalation
   procedure.  The Site Security Handbook [2] can help define an
   escalation procedure if your site does not have one defined.

   Lower levels of network security interact with the ability to trace
   spam via logs or message headers.  Measures to stop various sorts of
   DNS and IP spoofing can make this information more reliable.  Spammers
   can and will exploit obvious security weaknesses, especially in NNTP
   servers.  This can lead to denial of service, either from the sheer
   volume of posts, or as a result of action taken by upstream providers.


8.  Acknowledgements

   Thanks for help from the IETF-RUN working group, and also to all the
   spew-fighters.  Specific thanks are due to J.D. Falk, whose very
   helpful Anti-spam FAQ proved helpful.  Thanks are also due to the
   vigilance of Scott Hazen Mueller and Paul Vixie, who run
   spam.abuse.net/, the Anti-spam web site. Thanks also to Jacob Palme,
   Chip Rosenthal, Karl Auerbach for specific text: Jacob for the
   Security Considerations section, Chip for the configuration
   suggestions in section 5, Karl for the legal considerations.  Andrew
   Gierth was very helpful with Netnews spam considerations.













Hambridge & Lunde           Expires: 9Sep98                    [Page 12]

Internet Draft             Make Enemies Fast                  March 1998


9.  Appendix - How to Track Down Spammers

   In a large proportion of spams today, complaining to the postmaster of
   the site that is the apparent sender of a message will have little
   effect because, either the headers are forged to disguise the source
   of the message, or the sender of the message runs their own
   system/domain, or both.

   As a result, it may be necessary to look carefully at the headers of a
   message to see what parts are most reliable, and/or to complain to the
   second or third-level Internet providers who provide Internet service
   to a problem domain.

   In many cases, getting reports with full headers from various
   recipients of a spam can help locate the source. In extreme cases of
   header forgery, only examination of logs on multiple systems can trace
   the source or a message.

   With only one message in hand, one has to make an educated guess as to
   the source. The following are only rough guidelines.

   In the case of mail messages, "Received:" headers added by systems
   under control of the destination organization are most likely to be
   reliable. You can't trust what the source domain calls itself, but you
   can usually use the source IP address since that is determined by the
   destination domain's server.

   In naive mail forgeries, the "Message-ID:" header may show the first
   SMTP server to handle the message and/or the "Received:" headers may
   all be accurate, but neither can be relied on.  Be especially wary
   when the Received: headers have other headers intermixed.  Normally,
   Received: headers are all together in a block, and when split up, one
   or the other blocks is probably forged.

   In the case of news messages, some part of the Path: header may be a
   forgery; only reports from multiple sites can make this clear.  In
   naive news forgeries, the "NNTP-Posting-Host:" header shows the actual
   source, but this can be forged too.

   If a spam message advertises an Internet server like a WWW site, that
   server must be connected to the network to be usable.  Therefore that
   address can be traced. It is appropriate to complain to the ISP
   hosting a web site advertised in a SPAM.  Even if the origin of the
   spam seems to be elsewhere.  Be aware that the spam could be an attack
   on the advertised site also, however -- the perpetrator knows they'll
   get deluged with complaints and their reputation will be damaged.  Any
   spam with an electronic address is it is suspect because most spammers
   know they're unwelcome and won't make themselves so readily



Hambridge & Lunde           Expires: 9Sep98                    [Page 13]

Internet Draft             Make Enemies Fast                  March 1998


   accessible.

   Some other "seat-of-the-pants" ways to tell if headers are forged: it
   has an X-pmflags: header; it has an X-Advertisement: header; it has a
   Comments: header with the string "Authenticated sender is"; it has a
   NULL Message=ID: (i.e. <>).

   Here is a sample mail header:

   ----

   From friendlymail@209.214.12.258.com Thu Feb 26 20:32:47 1998
   Received: from clio.sc.intel.com by Ludwig.sc.intel.com (4.1/SMI-4.1)
           id AA05377; Thu, 26 Feb 98 20:32:46 PST
   Received: from 209.214.12.258.com (209.214.12.258.com [208.26.102.16])
           by clio.sc.intel.com (8.8.6/8.8.5) with ESMTP id UAA29637
           for ; Thu, 26 Feb 1998 20:33:30 -0800 (PST)
   Received: ok
   X-Sender: promo1@gotosportsbook.com
   X-Advertisement: Click here to be removed.
   Date: Thu, 26 Feb 1998 23:23:03 -0500
   From: Sent By 
   Reply-To: Sent By 
   To: friend@bulkmailer
   Subject: Ad: FREE $50 in Sportsbook & Casino
   X-Mailer: AK-Mail 3.0b [eng] (unregistered)
   Mime-Version: 1.0
   Content-Type: text/plain; charset=us-ascii
   Content-Transfer-Encoding: 7bit
   Sender: friendlymail@aqua.258.com
   Message-Id: 
   Status: R

   ----

   Doing a traceroute on an IP address or DNS address will show what
   domains provide IP connectivity from you to that address.

   Using whois and nslookup, one can try to determine who is
   administratively responsible for a domain.

   In simple cases, a user of a responsible site may be exploiting an
   account or a weakness in dial-up security; in those cases a complaint
   to a single site may be sufficient. However, it may be appropriate to
   complain to more than one domain, especially when it looks like the
   spammer runs their own system.

   If you look at the traceroute to an address, you will normally see a



Hambridge & Lunde           Expires: 9Sep98                    [Page 14]

Internet Draft             Make Enemies Fast                  March 1998


   series of domains between you and that address, with one or more
   wide-area/national Internet Service Providers in the middle and "smaller"
   networks/domains on either end. It may be appropriate to
   complain to the domains nearer the source, up to and including the
   closest wide-area ISP.  However, this is a judgement call.

   If an intermediate site appears to be a known, responsible domain,
   stopping your complaints at this point makes sense.











































Hambridge & Lunde           Expires: 9Sep98                    [Page 15]

Internet Draft             Make Enemies Fast                  March 1998


10.  References

   [1] As reported in messages on the spam@zorch.sf.bay.org (private)
       mailing list in May, 1997.

   [2] Fraser, B. _Site Security Handbook, RFC 2196_,
       Sepetember 1997.  Available via anonymous ftp at
       ftp://ds.internic.net/rfc/rfc2196.txt

   [3] _Current Spam thresholds and guidelines_. Lewis, Chris and Tim Skirvin.
       http:www.uiuc.edu/~tskirvin/spam.html.

   [4] Crocker, D. _Standard for the format of ARPA Internet
       text messages; RFC 0822,_ August, 1982.  Available via anonymous
       ftp at: ftp://ds.internic.net/rfc/rfc822.txt.

   [5] Braden, R.T. _Requirements for Internet hosts - application
       and support; RFC 1123,_ October, 1989.  Available via anonymous
       ftp at: ftp://ds.internic.net/rfc/rfc1123.txt.

   [6] Crocker, D. _Mailbox Names for Common Services, Roles
       and Functions; RFC 2142,_ May, 1997.  Available via anonymous
       ftp at: ftp://ds.internic.net/rfc/rfc2142.txt.


Authors' Addresses

       Sally Hambridge
       Intel Corp, SC11-321
       2200 Mission College blvd
       Santa Clara, CA 95052
       sallyh@ludwig.sc.intel.com

       Albert Lunde
       Northwestern University
       2129 Campus Drive North
       Evanston, IL 60208
       Albert-Lunde@nwu.edu




* Spam is a name of a meat product made by Hormel.  "spam" (no
capitalization) is routinely used to describe unsolicited bulk email and
netnews posts.






Hambridge & Lunde           Expires: 9Sep98                    [Page 16]