Anti-SPAM - Implementation Guideline


Version 2.0, 8 Jun 2005

Introduction

Audience
Why do I need to participate in SPAM combat?
Purpose of this document

Definition of SPAM

Terms and Conditions

Technical Measures

Mail Relaying
Realtime-Blackhole-List
Restriction of amount of outgoing e-mail for web e-mail and prepaid accounts
Deny outgoing TCP access to the Internet on port 25 (SMTP)
Incoming SPAM Filtering
Limit NNTP Postings
Mailing Lists

Administrative Measures

Reporting
Investigation and action

Publicity

Compliance
Non-Compliance

Introduction

This document augments the Anti-SPAM - Code of Practice (COP) (http://www.hkispa.org.hk/antispam/cop.html) issued by the Hong Kong Internet Service Providers Association (HKISPA). The purpose of this implementation guideline is to offer additional information and tips to help members and those who have adopted the COP to implement and comply with the COP. It is kept separate from the COP because, given the fast evolution of Internet technologies and applications, this implementation guideline is subject to frequent update.

Members are encouraged to contribute to this document by sending comments or information to HKISPA at [email protected]. The latest version of this document is available at http://www.hkispa.org.hk/antispam/guidelines.html.

Audience

This document is primarily for service providers and web site operators who, or whose customers, have the ability to generate electronic forms of messages, including e-mail, news, mailing list postings, etc.

Why do I need to participate in SPAM combat?

If you don't know what SPAM is, you should probably learn more about it at http://www.abuse.net/. There are a number of reasons why service providers and operators should participate in SPAM combat.

Purpose of this document

This document presents additional information under the section headings of the COP. It should be read with the COP and acts as reference and implementation notes for the COP.

Definition of SPAM

"SPAM" refers generally to the sending of unsolicited mass/bulk/junk e-mail/message/postings. A SPAM message may request the recipient to perform some kind of action e.g. go to some web site or buy some service. The message may be an e-mail but could equally be another form of electronic message such as a Usenet article.

The above definition is the minimum definition of SPAM as opined by HKISPA. Members and those who have adopted the COP shall endeavor to include at least the above definition in their own Acceptable Use Policies or similar documents. Members and those who have adopted the COP are recommended to further define and quantify the definition when the situation or size of their operation requires. HKISPA encourages members to impose a stricter definition of SPAM according to their own requirements.

Terms and Conditions

Members of HKISPA and those who have adopted the COP shall endeavor to require users or customers who have the ability to produce SPAM to be bound by appropriate anti-SPAM contractual conditions, such that they should not transmit SPAM or else have their account terminated. The definition of SPAM should also be stated, e.g. in the service contract, terms and conditions, acceptable use policy or other similar documents.

Members might also consider incorporating the elements listed below into the service contract:

Technical Measures

Mail Relaying

Older versions of e-mail software allow open relaying by default. The latest versions of e-mail software have provisions for SPAM prevention, including features to deny mail relaying. If your e-mail server allows open relay, you are encouraged to upgrade to a non-relay version, or remove that server from the Internet entirely. In particular, please refer to http://www.sendmail.org/tips/relaying.html, which describes how to configure the most popular e-mail server, Sendmail, to deny open relaying.

Realtime-Blackhole-List

An easy yet very useful SPAM prevention method is to use the various commercial or free Black Hole Lists available on the Internet. Related information can be found at:

http://www.cauce.org/about/resources.shtml
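How a mail server consults such a list at connect time, as an added example that is not part of the HKISPA guideline: the client address is reversed, looked up under the list's DNS zone, and only an answer inside 127.0.0.0/8 counts as a listing. The zone name dnsbl.example.org and the resolver data are constructed placeholders; substitute the zone of the list you actually subscribe to.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the DNS name a blackhole list is queried with for a client IP."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # 192.0.2.99 -> 99.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # IPv6: reversed nibbles
    return ".".join(labels) + "." + zone.strip(".")

def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: return_code} for every zone that lists the address."""
    hits = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            # NXDOMAIN means "not listed". A resolver failure lands here too,
            # so an outage of the list fails open instead of bouncing all mail.
            continue
        # A wildcarded or expired zone may answer with an ordinary address;
        # that must not be read as a listing.
        if ipaddress.ip_address(answer) in LISTED_NET:
            hits[zone] = answer
    return hits

# Constructed resolver data standing in for real DNS, so the example runs offline.
CONSTRUCTED_RECORDS = {
    "99.2.0.192.dnsbl.example.org": "127.0.0.2",      # listed
    "7.2.0.192.parked.example.net": "203.0.113.50",   # wildcard answer, not a listing
}

def constructed_resolver(name):
    try:
        return CONSTRUCTED_RECORDS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")

if __name__ == "__main__":
    zones = ["dnsbl.example.org", "parked.example.net"]
    for client in ("192.0.2.99", "192.0.2.7"):
        print(client, check_dnsbl(client, zones, constructed_resolver))
```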

Restriction of amount of outgoing e-mail for web e-mail and prepaid accounts

If you are offering free e-mail service or pre-paid short-term accounts, they will very likely be used for anonymous e-mail or SPAM. It is wise to limit the number of e-mails each account can transmit per day.

Consult your software vendor on how to limit the number of e-mails transferred per day per account.
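The logic such a limit needs, as an added example that is not part of the HKISPA guideline and not any vendor's implementation: the quota is counted in recipients rather than messages, so a single message addressed to hundreds of people cannot slip under a per-message cap. The class name, the limit value and the injected clock are hypothetical.

```python
import datetime

class DailySendQuota:
    """Per-account cap on accepted recipients per calendar day."""

    def __init__(self, limit, today=datetime.date.today):
        self.limit = limit
        self.today = today      # injectable clock, so the rollover can be tested
        self.day = None
        self.used = {}

    def admit(self, account, recipients):
        """Return the recipients to accept for this message.

        The result is a prefix of the requested list; the caller refuses the
        remaining recipients at RCPT TO time.
        """
        now = self.today()
        if now != self.day:                 # new day: every counter starts again
            self.day, self.used = now, {}
        left = self.limit - self.used.get(account, 0)
        accepted = list(recipients)[:max(left, 0)]
        self.used[account] = self.used.get(account, 0) + len(accepted)
        return accepted

    def remaining(self, account):
        """Recipients the account may still address today."""
        if self.today() != self.day:
            return self.limit
        return max(self.limit - self.used.get(account, 0), 0)

if __name__ == "__main__":
    quota = DailySendQuota(limit=5)
    # Constructed addresses: one message to four people, then one to three.
    print(quota.admit("prepaid-001", ["a@example.org", "b@example.org",
                                      "c@example.org", "d@example.org"]))
    print(quota.admit("prepaid-001", ["e@example.org", "f@example.org",
                                      "g@example.org"]))
    print(quota.remaining("prepaid-001"))
```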

Deny outgoing TCP access to the Internet on port 25 (SMTP)

Professional Spammers make use of switched dialup access to get a different IP address each time and then connect to outside e-mail servers directly through a TCP connection at port number 25.

To fix this loophole, it is wise to deny TCP connections to port 25 from your dialup modems to all outside hosts. 99% of your dialup customers do not connect directly to outside hosts at port 25 but use e-mail clients (Outlook, Netscape, etc.) that use the ISP's e-mail server to transmit e-mail. The remaining 1% of them either have a legitimate need to connect directly to outside hosts, which you can cater for separately, or they are Spammers.

Denying port 25 TCP connections from your modem pool to outside hosts is best performed at your border routers. Alternatively, you can choose to direct all outgoing TCP connections to port 25 to your own e-mail server.
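Before the block is enforced, the customers it would affect can be identified from flow logs and handled separately. The following audit is an added example, not part of the HKISPA guideline; the four-field flow record format, the documentation-range addresses and the fan-out threshold of three distinct destinations are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "src dst dport proto".
SAMPLE_FLOWS = """\
198.51.100.10 192.0.2.25 25 tcp
198.51.100.11 203.0.113.5 25 tcp
198.51.100.11 203.0.113.6 25 tcp
198.51.100.11 203.0.113.7 25 tcp
198.51.100.12 203.0.113.5 25 tcp
198.51.100.13 203.0.113.80 80 tcp
203.0.113.9 192.0.2.25 25 tcp
"""

def direct_smtp_sources(flow_text, pool_cidr, own_relays):
    """Map each dial-up address to the outside hosts it reached on TCP/25."""
    pool = ipaddress.ip_network(pool_cidr)
    relays = {ipaddress.ip_address(r) for r in own_relays}
    seen = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed or blank records
        src, dst, dport, proto = parts
        if proto != "tcp" or dport != "25":
            continue
        # Traffic to the ISP's own mail server is the normal 99% case.
        if ipaddress.ip_address(src) in pool and ipaddress.ip_address(dst) not in relays:
            seen[src].add(dst)
    return dict(seen)

def triage(sources, fanout=3):
    """Label each source: many distinct mail servers looks like bulk sending,
    a single destination is more likely a customer with their own mail host."""
    return {src: ("bulk-like" if len(dsts) >= fanout else "review")
            for src, dsts in sources.items()}

if __name__ == "__main__":
    found = direct_smtp_sources(SAMPLE_FLOWS, "198.51.100.0/24", ["192.0.2.25"])
    for src, label in sorted(triage(found).items()):
        print(src, label, sorted(found[src]))
```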

Incoming SPAM Filtering

It is important that you are aware of the conditions set out in clause 7 of the COP (http://www.hkispa.org.hk/antispam/cop.html) before implementing SPAM Filtering. The tools and resources below are for your reference only.

http://www.sendmail.org/antispam.html as a starting point.

http://www.dcc-servers.net/ is a network of Distributed Checksums exchanged between numerous ISPs and e-mail servers.

http://www.spamassassin.org/ provides a good and free tool for SPAM filtering.

Limit NNTP Postings

It is wise to limit the use of your news servers to your own customers only. Open news servers produce the same sort of problem as open mail relays: they open a "free entry-point" for injecting large volumes of SPAM into the Internet.

Apart from limiting news posting to only your customers, modern NNTP server software has provisions for limiting the number of postings each client can post per day. Please see your NNTP software documentation for details.

Mailing Lists

Some implementations of mailing lists software can be configured to allow users to get all the e-mail addresses of all subscribers by a simple command. It is recommended to disable this command.

For mailing list operators, e.g. a newspaper that allows users to subscribe to its e-mail news service, effective means should be employed to ensure that the e-mail addresses on the list are up to date. This may include, but is not limited to, periodically validating the e-mail addresses with the recipients and handling delivery failure notices properly. The list should also be properly protected, both administratively and technically, from potential abuses.

Administrative Measures

Reporting

There shall be an 'abuse' account. Mail sent to this account shall be routed to a responsible person or team who has the ability to investigate and take action on such complaints. Please be reminded that setting up an 'abuse' account alone is not enough. Proper working procedures should also be in place to provide for handling of complaints sent to this account such that all complaints addressed to this account shall be replied to. An unresponsive 'abuse' account only tells people that this ISP is irresponsible.

Investigation and action

Service providers are responsible for prompt investigation of all complaints forwarded to their 'abuse' account. If the complaint is verified to be legitimate and the SPAM originated from the ISP receiving the complaint, the ISP should take action according to its own service contracts with the customer who generated the SPAM.

Situations might arise in which the complainant or the party who actually generated the SPAM (or both) is not related to the ISP receiving the complaint. This will arise for a variety of reasons, for example where the complainant complains to his or her own service provider without checking the apparent origin of the SPAM in the header, or where the header information has been forged by the spammer to create a false trail that leads to the party who receives the complaint. In such cases, members receiving such complaints should make reasonable efforts to determine the true origin of the SPAM and then notify the service provider or host operator concerned of the problem. It is recognized that the party operating the service or host from which the SPAM originated may not be subject to the COP, i.e. because it is outside Hong Kong or is not a member of the ISP Association. However, such a party should, as a minimum, be notified of the action of its user and the nuisance that has been caused.
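One way to separate a forged trail from the real handoff when a complaint includes full headers, as an added example that is not part of the HKISPA guideline: Received lines are read from the top, and only the peer address recorded by one of your own servers is believed. The host names, addresses and message below are constructed; the sample's last Received line is a forgery that even claims to come from the ISP's own MTA.

```python
import re
from email import message_from_string

# Constructed complaint sample (documentation addresses, hypothetical hosts).
SAMPLE = """\
Received: from mx1.isp.example (mx1.isp.example [192.0.2.25])
\tby store.isp.example with LMTP; Wed, 8 Jun 2005 10:00:03 +0800
Received: from mail.sender.example (unknown [203.0.113.77])
\tby mx1.isp.example with ESMTP id A1; Wed, 8 Jun 2005 10:00:02 +0800
Received: from dialup-12.pool.isp.example ([198.51.100.12])
\tby mx1.isp.example with SMTP; Wed, 8 Jun 2005 09:59:00 +0800
From: someone@isp.example
Subject: constructed sample

body
"""

BY = re.compile(r"\bby\s+([\w.-]+)")
PEER = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def true_origin(raw, own_hosts, own_ips):
    """Return the first outside address that one of our own servers recorded.

    Received headers are prepended, so the top ones were written last. Walking
    down, every hop must be stamped by our own host and come from our own
    address; the first peer outside own_ips is the real handoff. Anything
    below that line was supplied by the sender and may be forged.
    """
    for header in message_from_string(raw).get_all("Received", []):
        by, peer = BY.search(header), PEER.search(header)
        if not by or not peer or by.group(1).lower() not in own_hosts:
            return None                 # chain broken before a trusted handoff
        if peer.group(1) not in own_ips:
            return peer.group(1)
    return None

if __name__ == "__main__":
    hosts = {"mx1.isp.example", "store.isp.example"}
    print(true_origin(SAMPLE, hosts, {"192.0.2.25"}))
```

Here the forged line points at 198.51.100.12, a dial-up address of the ISP receiving the complaint, while the address its own server recorded is 203.0.113.77; that is the party to notify.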

Publicity

ISPs that are certified to be compliant with the COP will be published on the HKISPA web site. Members are encouraged to paste the anti-SPAM logo on their own company web site and link the logo to the anti-SPAM page of HKISPA.

Compliance

Evidence of compliance is to be submitted to the Executive Council of HKISPA by respective ISPs showing that they have satisfied all conditions stated in the COP, which is considered a minimum standard by HKISPA.

Non-Compliance

The Executive Council of the HKISPA reserves the right to remove any party's rights granted in relation to its compliance with the COP at any time, including the right to advertise compliance under the HKISPA Anti-SPAM Initiative, if it has come to the Executive Council's attention that such party has breached the COP without reasonable excuse. Further action may be taken at the discretion of the Executive Council of the HKISPA.

Contact
Anti-Spam committee, HKISPA
[email protected]