Anti-Spam Toolkit of Recommended Policies and Measures

Anti-Spam Toolkit of Recommended Policies and Measures

Unclassified DSTI/CP/ICCP/SPAM(2005)3/FINAL Organisation de Coopération et de Développement Economiques Organisation for Economic Co-operation and Development 19-Apr-2006 ___________________________________________________________________________________________ English - Or. English DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INDUSTRY COMMITTEE ON CONSUMER POLICY Unclassified DSTI/CP/ICCP/SPAM(2005)3/FINAL COMMITTEE FOR INFORMATION, COMPUTER AND COMMUNICATIONS POLICY Task Force on Spam REPORT OF THE OECD TASK FORCE ON SPAM: ANTI-SPAM TOOLKIT OF RECOMMENDED POLICIES AND MEASURES English - Or. English JT03207695 Document complet disponible sur OLIS dans son format d'origine Complete document available on OLIS in its original format DSTI/CP/ICCP/SPAM(2005)3/FINAL FOREWORD In view of the potential for economic and social harm of spam, and the potential for further problems as a result of the convergence of communication technologies, the ICCP Committee, in consultation with the Committee on Consumer Policy, endorsed in April 2004 the proposal for the creation of a horizontal ad hoc “Joint ICCP-CCP Task Force on Spam” to assist in the further conduct and co-ordination of the work on spam and obtain a more rapid consensus on a policy framework to tackle spam issues. The creation of the Task Force on Spam, as a joint subsidiary body of these Committees, was approved by the OECD Council. The OECD Anti-Spam Toolkit was developed in the framework of the OECD Task Force on spam and includes a package of recommended policies and measures addressing regulatory approaches, enforcement co-operation, industry driven activities, technical solutions, education and awareness initiatives, spam measures, and international co-operation and exchange. This document comprises an executive summary, which synthesizes the Toolkit recommended policies and measures and the Task Force Report, divided into eight main sections representing the elements listed above. It is completed by the OECD Council Recommendation of the Council on cross- border co-operation in the enforcement of laws against spam; the BIAC and MAAWG Best Practices on ISPs and Network operators; and the BIAC Best Practices for Email Marketing. In the annexes are also available the Spam Referral proforma, contributed by the CNSA/LAP, and the Mobile Spam Code of Practice, elaborated in the framework of the GSM Association. The Anti-Spam Toolkit is also available online, together with background resources and materials, updated information on countries’ spam laws and a list of national focal points for enforcement authorities. The website is online at www.oecd-antispam.org. The Toolkit was declassified on 29 March 2006 by the ICCP committee and the CCP, and the Enforcement Recommendation was adopted by the Council at its meeting on 13 April 2006. The Task Force’s mandate ends in June 2006. The work of the Task Force was supported by financial voluntary contributions from Australia, the Czech Republic, Italy, and Norway. The work of the Task Force was supported by Dimitri Ypsilanti and Claudia Sarrocco of the OECD Secretariat. © OECD / OCDE 2006. 2 DSTI/CP/ICCP/SPAM(2005)3/FINAL TABLE OF CONTENTS FOREWORD 2 ANTI-SPAM TOOLKIT OF RECOMMENDED POLICIES AND MEASURES: EXECUTIVE SUMMARY 6 Status and evolution of spam 6 A consistent and co-ordinated approach to spam 6 Element I. Regulatory approaches 8 Element II. Enforcement 11 Element III. Industry-driven initiatives 11 Element IV. Technical Measures 13 Element V. Education and Awareness initiatives 13 Individual users 13 Users’ groups 14 Large Companies and SMEs 14 Element VI. Co-operative partnerships 14 Element VII. Spam metrics 14 Element VIII. Global co-operation 15 INTRODUCTION 16 Status and evolution of spam 17 Why spam? How does it work? 19 E-mail spam 19 Mobile spam 20 Voice over IP spam (SPIT) and spam over multimedia IP applications 20 Search Engine spam 21 Blog spam and Splogs 21 Spam and phishing 21 How much does spam cost? 22 ELEMENT I - ANTI-SPAM REGULATION 24 Broad considerations for spam regulation 24 Anti-spam checklist 25 Anti-spam regulatory approach: elements 26 Services concerned 26 Nature of the message 26 Consent 27 Removing consent or “Unsubscribing” 29 Information about message origins 29 Ancillary elements 30 Cybercrime and content-related questions 31 Bulk 32 Labelling 33 Cross-border issues 34 3 DSTI/CP/ICCP/SPAM(2005)3/FINAL Identifying involved parties 34 ELEMENT II - ANTI-SPAM ENFORCEMENT 37 Introduction 37 National co-ordination 37 Enforcement authorities - investigative powers 38 Co-operation and information sharing 40 Cross-border enforcement co-operation 41 ELEMENT III - INDUSTRY DRIVEN INITIATIVE 42 Internet Service Providers 42 Technical measures and self-regulation 43 Banks and other online operators 45 Industry associations 46 The role of private stakeholders 48 ELEMENT IV - ANTI-SPAM TECHNOLOGIES 49 Introduction 49 The importance of tool/technology context 49 Combining tests 50 Types of Anti-Spam Technologies 50 Authentication of electronic mail 50 SPF and/or Sender-ID 51 DKIM /or META 51 Existence of the sender’s domain and eliciting a response 52 Existence of a Pointer Record (PTR) 52 Blacklists/Whitelists 52 Address of the sending server treated as either “dynamic” or “residential” 53 Filtering 54 Heuristic filters 54 Keyword filters 55 Summary or fingerprint filters 55 Bayesian filters 55 Behavioural filters 56 HELO/CSV 56 Greylisting 56 Tokens/passwords 57 Various techniques 57 Envelope tests (BATV, SES) 57 Certification of Bulk Mails 57 Micro payment systems 58 Does the sender’s server reply if you try to respond? 59 PGP signatures 59 System Configuration 59 Anti-Virus tools 59 Anti-spyware tools 59 How to Use This Review of Technologies and Factors to Consider 59 Rejection in the SMTP session 60 Silent rejection 60 Rejection by sending a DSN (Delivery Status Notification or “bouncing”) 61 Delivery to a spam box 61 4 DSTI/CP/ICCP/SPAM(2005)3/FINAL Marking 61 ELEMENT V – EDUCATION AND AWARENESS 62 Introduction 62 Education and awareness strategies: targeting the audience 62 Individual users 63 User groups 63 Users and Phishing 64 Companies and small medium-sized enterprises 64 Direct marketing companies 66 ELEMENT VI – CO-OPERATIVE PARTNERSHIPS AGAINST SPAM 67 ELEMENT VII - SPAM MEASUREMENT 70 Spam metrics 70 ELEMENT VIII – GLOBAL CO-OPERATION (OUTREACH) 73 Introduction 73 The role of global co-operation (Outreach) 73 OECD Outreach activities 74 CONCLUDING REMARKS 75 ANNEXES 76 ANNEX I: DRAFT RECOMMENDATION OF THE COUNCIL ON CROSS-BORDER CO- OPERATION IN THE ENFORCEMENT OF LAWS AGAINST SPAM 76 ANNEX II: BIAC AND MAAWG BEST PRACTICES FOR INTERNET SERVICE PROVIDERS AND NETWORK OPERATORS 80 ANNEX III: BIAC BEST PRACTICES FOR E-MAIL MARKETING 83 ANNEX IV: GSM ASSOCIATION MOBILE SPAM CODE OF PRACTICE 88 ANNEX V: LONDON ACTION PLAN/CONTACT NETWORK OF SPAM AUTHORITIES PRO FORMA FOR THE REFERRAL OF SPAM INVESTIGATIONS AND ACCOMPANYING GUIDANCE (WORKING DOCUMENT) 92 Figures Figure 1. Spam evolution 18 Figure 2. Percentage of spam e-mails at ISPs level (4Q2005) 72 Boxes Box 1. Spear-Phishing 22 Box 2. Acceptable Use Policy (AUP) 43 Box 3. Mobile operators 47 Box 4. Children's education 64 Box 5. Security tips and tricks: An example of a company’s internal anti-spam policy 65 5 DSTI/CP/ICCP/SPAM(2005)3/FINAL ANTI-SPAM TOOLKIT OF RECOMMENDED POLICIES AND MEASURES: EXECUTIVE SUMMARY In view of the wide impact of spam, and the potential for further problems as a result of the convergence of communication technologies and the emergence of ubiquitous communications and mobile Internet, the OECD brought together policy makers and industry experts to form the OECD Task Force on Spam (hereinafter, the “Task Force”). They were charged with developing a framework aimed at tackling spam using a broad multi-disciplinary range of solutions. The Task Force developed the Anti-Spam Toolkit (the “Toolkit”), which recommends a range of policies and measures which should be key elements of a comprehensive public policy framework for addressing the problem of spam. These policies and measures are summarised below. Status and evolution of spam In order for electronic communication platforms, applications and services to contribute to economic and social development, they must be reliable, efficient and trustworthy. Today, however, e-mail and other electronic communication tools may be threatened by unsolicited, unwanted, and harmful electronic messages, commonly known as spam. Unless these threats are curtailed, they could erode users’ trust and confidence. Spam, which began as electronic messages usually advertising commercial products or services, has evolved over the past few years, and to simple advertising messages have been added messages that are potentially dangerous, which can be deceptive, may cause network disruptions, may result in some form of fraud and which are used as a vehicle for spreading viruses and other malware. A consistent and co-ordinated approach to spam There is not a simple solution to stop spam. The openness and decentralised nature of the Internet, which are the main reasons for its success, have also created the conditions leading to a number of vulnerabilities that are increasingly exploited by spammers and other online offenders. The lack of centralised control enables users to hide their identity. In addition, the low cost of accessing Internet and e- mail services allows spammers to send out millions of spam messages every day at an extremely low marginal cost so that only a small response rate is required to attain high profits. However, in combating spam and other online threats it is viewed as important to maintain the openness, flexibility and innovation underlying the Internet. In this context, the Task Force, at the beginning of its mandate, had to decide on the appropriate action to take and the roles of the different stake-holders in fighting spam. There was consensus that Governments should work to establish clear national anti-spam policies in concert with other players, collaborate with the private sector, and promote co-operation across borders.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    115 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us