ISPs and the Spam Code
Presented by Jeremy Malcolm for the Western Australian Internet Association
12 July 2006

Outline
➲ The current state of play
➲ About the two co-regulatory codes
➲ Revision on the Spam Act
➲ Detail of the Spam Code
➲ What it means in practice for ISPs

The state of play
➲ The bad news:
  ● About 80% of email is spam
  ● This is tipped to rise to 90%
  ● Spam can also be a security issue
  ● Insecure computers as open relays
  ● Phishing and other social engineering hacks
  ● Distribution and exploitation of viruses
➲ The good news:
  ● Since the Spam Act, Australia dropped from 10th to 23rd of spam sources

Co-regulatory codes
➲ What is co-regulation?
  ● Industry-drafted, registered with the ACMA
  ● Applies to an entire industry sector
  ● ACMA can direct compliance
➲ Examples
  ● Telecommunications Act by ACIF
  ● Broadcasting Services Act by IIA

Internet Industry Spam Code
➲ Binds ISPs and Email Service Providers (“ESPs”)
➲ Registered by ACMA in March 2006
➲ Takes effect on 16 July
➲ Deals with:
  ● Education of subscribers by their ISPs
  ● Making spam filters available to subscribers
  ● Handling of reports and complaints
  ● Technical measures to minimise abuse
  ● Law enforcement cooperation

ADMA E-Marketing Code
➲ Binds email, IM and mobile marketers
➲ Clarifies and extends the Act in areas of:
  ● Factual communications
  ● Inferred consent (e.g. pre-ticked boxes)
  ● Standards for identification and opt-out
  ● Collection and marketing practices for children
  ● Recording consent
  ● Viral marketing

How the code came about
➲ WAIA attends ACMA Spam Law Implementation Forum on 27 Feb 2004
➲ IIA announced it had a draft code
➲ ACMA made clear it would not accept an IIA-led process without WAIA and SAIA
➲ Compromise reached 20 April 2004:
  ● WAIA and SAIA to be affiliate members
  ● WAIA representative to lead taskforce
➲ Much public comment and pain

Revision: the Spam Act 2003
➲ Commenced 11 April 2004
➲ Prohibits sending of unsolicited commercial electronic messages
➲ Penalties for corporations up to $220k per day, rising to $1.1m for recidivists
➲ No minimum – one message is enough
➲ Prohibits address harvesting software and harvested address lists

Other Legislation
➲ Trade Practices Act
  ● Outlaws much misleading and deceptive spam
➲ Corporations Law
  ● Outlaws much stock-touting spam
➲ Privacy Act
  ● Outlaws some uses of collected addresses
➲ Criminal Code Act
  ● Outlaws open relay exploitation

Consent, Identify, Subscribe
➲ Consent
  ● May be inferred from a previous relationship or “conspicuous publication” in a role
  ● Not a carte blanche for any messages
➲ Identify
  ● Sender must remain identifiable for at least 30 days
➲ Subscribe
  ● Functional unsubscribe facility must remain for 30 days, actioned after 5 days

The scope of exemptions
➲ Factual information
  ● Must still contain unsubscribe information
➲ Political, religious and charitable bodies
  ● Even relating to supply of goods or services
➲ Carriage Service Providers
➲ Educational institutions
  ● To present and former students
➲ As prescribed, e.g. faxes

Enforcement
➲ ACA
  ● Formal warnings
  ● Enforceable undertakings
  ● Infringement notices
➲ Federal Court
  ● $220k first corporate offence, up to $1.1m
  ● Ancillary compensation, disgorgement
  ● Injunctions
  ● No undertaking as to damages needed

Part B of the Code - Information
➲ Provision of information
  ● About the Act, Code, and any amendments
  ● About the ISP's AUP and spam
  ● About methods to minimise and filter spam (and the risk they may miss legitimate mail)
  ● About how to complain about spam
  ● Disclose whether subscribers' mail is already filtered
➲ International ESPs partially exempt
➲ Code includes a free sample AUP!

Part C - Enforcement
➲ Comply with all lawful directions
➲ Provide ACMA with contact details
➲ Provide urgent out-of-hours contact
  ● Can be a messagebank with call-back for smaller ISPs
➲ International ESPs partially exempt

Part D - Filters
➲ ISPs must make them available
➲ May be either client-side or server-side
➲ The ISP may charge a reasonable fee
➲ Must provide information on updating
➲ Must not engage in third-line forcing (requiring customers to buy a particular filter)

Part E – ISP obligations
➲ Secure their open relays and proxies
➲ Require their customers to do the same
➲ AUP must allow customer disconnection for operating an open relay
➲ ISP must take reasonable steps to notify subscribers of their open relays and give them reasonable assistance
➲ ISPs must reserve the right to scan
➲ Retain IP records for 7 days

Best Practices
➲ Code recommends ISPs consider:
  ● Publishing SPF records
  ● Keeping WHOIS data updated
  ● Rate limiting outgoing email
  ● Reverse DNS entries
  ● Requiring SMTP AUTH authentication
  ● Prohibiting outgoing connections on port 25
  ● Not distributing modems with remote admin
  ● Controlling automated registration of free accounts

Part F - Reporting
➲ ISPs must tell users how to report:
  ● Spam from that ISP using etc.
  ● Spam from other ISPs – to the other ISP
➲ Must be acknowledged in 3 days
➲ Acknowledgment must tell the user:
  ● How the report will be dealt with
  ● How to contact other ISPs
  ● How to contact ACMA
  ● How to make a complaint
➲ International ESPs exempt

Part G - Complaints
➲ See ACIF complaint handling code
➲ ISPs must have a complaint policy that:
  ● Is documented in plain English
  ● Has regard to AS
  ● Includes timeframes for investigation, escalation and response
  ● Allows the complainant to be represented
  ● Advises of other avenues, e.g. ACMA
➲ Complaints about breach of the Code go to ACMA, referred to IIA or TIO

Complaint handling fees
➲ Charges may only be levied if the process is onerous enough to justify it
➲ Complainant must agree to charges
➲ Must not exceed the ISP's actual costs
➲ Must be refunded within 30 days if the complaint is upheld
➲ International ESPs partly exempt

In practice: educate your users
➲ Patch Windows systems that can be hijacked by spammers and crackers
➲ Use antivirus and antispyware software
➲ Secure “open relays” that allow third parties to send through them
➲ Use disposable accounts when posting public messages or Web forms
➲ Obfuscate address on Web sites
  ● e.g. user at dot com

In practice: ISP best practices
➲ SPF (cf. Microsoft's Sender ID)
  ● Mail is received from a certain domain
  ● Receiving machine looks up the IP addresses that are authorised to send mail from that domain
  ● If the sending address doesn't match, the mail can be rejected
➲ Rate-limiting of outbound email
➲ Blocking port 25 on dial-up and ADSL Internet accounts

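The SPF lookup-and-match step above, shown as an added example in Python (it is not code from the presentation, WAIA or the IIA). It evaluates a simplified subset of RFC 7208 (the ip4, ip6, include and all mechanisms with their qualifiers) against a constructed, in-memory table of TXT records for hypothetical example domains rather than live DNS; the a, mx, exists and redirect mechanisms are not modelled. It also applies the RFC's 10-lookup limit so that a self-including record ends in a permanent error instead of looping.

```python
"""Simplified SPF (RFC 7208) check against a constructed DNS table.

Mechanisms modelled: ip4, ip6, include, all (with +, -, ~, ? qualifiers).
Everything else is reported as permerror, as RFC 7208 requires for
unknown mechanisms.
"""
import ipaddress

# Constructed, not real: TXT records for hypothetical domains.
# example.com authorises a v4 block, a v6 block and its outsourced relay.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # self-referential record
    "nospf.example": None,                                # domain publishes no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying mechanisms per check


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Return the SPF result for mail from sender_ip claiming domain.

    Results: pass, fail, softfail, neutral, none (no record), permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across include: recursion
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP => /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue

        if name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(sender_ip, arg, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"  # included domain must exist and be parseable
            continue  # fail/softfail/neutral inside an include just means "no match"

        return "permerror"  # mechanism not modelled here

    return "neutral"  # record exhausted without an "all" term


def policy_action(result):
    """Map an SPF result to what the receiving MTA does with the message.

    This mirrors the slide: a mismatch ("fail") can be rejected; softfail
    is accepted but tagged so client-side filters can act on it.
    """
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-tag"
    return "accept"


if __name__ == "__main__":
    for sender, domain in [("192.0.2.55", "example.com"),
                           ("198.51.100.7", "example.com"),
                           ("203.0.113.9", "example.com"),
                           ("203.0.113.9", "loop.example")]:
        result = check_spf(sender, domain)
        print(f"{sender:15} {domain:18} {result:9} -> {policy_action(result)}")
```

Running the block prints one line per constructed case: the address inside 192.0.2.0/24 passes, the outsourced relay passes via the include, the unlisted address fails and is rejected, and the self-including record is a permerror. A real deployment would replace FAKE_DNS_TXT with resolver queries and would also need the a and mx mechanisms, but the matching logic is the same.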
In practice: filtering options
➲ Provide information on filters only
  ● Similar to the content regulation regime
➲ Tagging mail without deleting
  ● Tell users how to filter at the client side
➲ Web control panel to turn filtering on
  ● Many products available to do this
➲ Across-the-board filtering
  ● Also fine, as long as the users are informed

Conclusion
➲ Our tough stand on spam is working
  ● Consent, Identify, Subscribe
  ● Codes of practice for marketers and ISPs
➲ What you have to do:
  ● Inform your users
  ● Cooperate with ACMA
  ● Provide filters or filtering information
  ● Secure your network and help your users
  ● Receive reports and complaints
➲ Review of Act 2006, Code 2007

Questions?
➲ Questions?
➲ the presenter at
➲ See also: