ebook img

OECD anti-spam toolkit of recommended policies and measures PDF

133 Pages·2006·2.309 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview OECD anti-spam toolkit of recommended policies and measures

OECDspamRepEN.qxd 8/11/06 11:05 AM Page iii OECD Anti-Spam Toolkit of Recommended Policies and Measures OECDspamRepEN.qxd 8/11/06 11:05 AM Page iv ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT The OECD is a unique forum where the governments of 30 democracies work together to address the economic, social and environmental challenges of globalisation. The OECD is also at the forefront of efforts to understand and to help governments respond to new developments and concerns, such as corporate governance, the information economy and the challenges of an ageing population. The Organisation provides a setting where governments can compare policy experiences, seek answers to common problems, identify good practice and work to co-ordinate domestic and international policies. The OECD member countries are: Australia, Austria, Belgium, Canada, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Korea, Luxembourg, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Slovak Republic, Spain, Sweden, Switzerland, Turkey, the United Kingdom and the United States. The Commission of the European Communities takes part in the work of the OECD. OECD Publishing disseminates widely the results of the Organisation’s statistics gathering and research on economic, social and environmental issues, as well as the conventions, guidelines and standards agreed by its members. • • • The Toolkit was declassified on 29 March 2006 by the ICCP committee and the CCP, and the Enforcement Recommendation was adopted by the Council at its meeting on 13 April 2006. The Task Force’s mandate ends in June 2006. The work of the Task Force was supported by financial voluntary contributions from Australia, Canada, the Czech Republic, Italy, and Norway. The work of the Task Force was supported by Dimitri Ypsilanti and Claudia Sarrocco of the OECD Secretariat. Also available in French under the title: Boîte à outils anti-spam de l’OCDEet politiques et mesures recommandées © OECD 2006 No reproduction, copy, transmission or translation of this publication may be made without written permission. Applications should be sent to OECD Publishing: [email protected] by fax (+33-1) 45 24 13 91. Permission to photocopy a portion of this work should be addressed to the Centre Français d’exploitation du droit de Copie, 20 rue des Grands-Augustins, 75006 Paris, France ([email protected]). OECD Anti-Spam Toolkit OECDspamRepEN.qxd 8/11/06 11:05 AM Page 1 FOREWORD In view of the potential for economic and social harm of spam, and the potential for further problems as a result of the convergence of communication technologies, the ICCP Committee, in consultation with the Committee on Consumer Policy, endorsed in April 2004 the proposal for the creation of a horizontal ad hoc“Task Force on Spam” to assist in the further conduct and co-ordination of the work on spam and obtain a more rapid consensus on a policy framework to tackle spam issues. The creation of the Task Force on Spam, as a joint subsidiary body of these Committees, was approved by the OECD Council. The OECD Anti-Spam Toolkit was developed in the framework of the OECD Task Force on Spam and includes a package of recommended policies and measures addressing regulatory approaches, enforcement co-operation, industry driven activities, technical solutions, education and awareness initiatives, spam measures, and international co-operation and exchange. This document comprises an executive summary, which synthesizes the Toolkit recommended policies and measures and the Task Force Report, divided into eight main sections representing the elements listed above. It is completed by the OECD Council Recommendation on cross-border co-operation in the enforcement of laws against spam; the BIAC and MAAWG Best Practices on ISPs and Network operators; and the BIAC Best Practices for Email Marketing. In the annexes are also available the Spam Referral proforma, contributed by the CNSA/LAP, and the Mobile Spam Code of Practice, elaborated in the framework of the GSM Association. The Anti-Spam Toolkit is also available online, together with background resources and materials, updated information on countries’ spam laws and a list of national focal points for enforcement authorities. The website is online at www.oecd-antispam.org. 1 Recommended Policies and Measures OECDspamRepEN.qxd 8/11/06 11:05 AM Page 2 2 OECD Anti-Spam Toolkit OECDspamRepEN.qxd 8/11/06 11:05 AM Page 3 TABLE OF CONTENTS FOREWORD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 EXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Status and evolution of spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 A consistent and co-ordinated approach to spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Element I. Regulatory approaches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Element II. Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Element III. Industry-driven initiatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Element IV. Technical measures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Element V. Education and awareness initiatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Individual users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Users’ groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Large companies and SMEs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Element VI. Co-operative partnerships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Element VII. Spam metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Element VIII. Global co-operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3 Recommended Policies and Measures OECDspamRepEN.qxd 8/11/06 11:05 AM Page 4 INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Status and evolution of spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Why spam? How does it work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 E-mail spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Mobile spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Voice over IP spam (SPIT) and spam over multimedia IP applications . . . . . . . . . . . . . . . . . . 24 Search Engine spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Blog spam and Splogs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Spam and phishing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 How much does spam cost?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 ELEMENT I – ANTI-SPAM REGULATION. . . . . . . . . . . . . . . . . . . . . . . . . 27 Broad considerations for spam regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Anti-spam checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Anti-spam regulatory approach: elements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Services concerned. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Nature of the message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Consent. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Removing consent or “Unsubscribing”. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Information about message origins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Ancillary elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Cybercrime and content-related questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Bulk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Labelling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Cross-border issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Identifying involved parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 ELEMENT II – ANTI-SPAM ENFORCEMENT. . . . . . . . . . . . . . . . . . . . . . . 41 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 National co-ordination. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Enforcement authorities – investigative powers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Procedures and sanctions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Co-operation and information sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Cross-border enforcement co-operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 ELEMENT III – INDUSTRY DRIVEN INITIATIVE. . . . . . . . . . . . . . . . . . . . 47 Internet Service Providers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Technical measures and self-regulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Banks and other online operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Industry associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 The role of private stakeholders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 4 OECD Anti-Spam Toolkit OECDspamRepEN.qxd 8/11/06 11:05 AM Page 5 ELEMENT IV – ANTI-SPAM TECHNOLOGIES. . . . . . . . . . . . . . . . . . . . . . 55 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 The importance of tool/technology context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Combining tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Types of anti-spam technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Authentication of electronic mail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 SPF and/or Sender-ID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 DKIM /or META. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Existence of the sender’s domain and eliciting a response. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Existence of a Pointer Record (PTR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Blacklists/Whitelists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Address of the sending server treated as either “dynamic” or “residential” . . . . . . . . . . . . . . . . . 60 Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Heuristic filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Keyword filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Summary or fingerprint filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Bayesian filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Behavioural filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 HELO/CSV. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Greylisting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Tokens/passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Various techniques. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Envelope tests (BATV, SES). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Certification of Bulk Mails. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Micro payment systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Does the sender’s server reply if you try to respond? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 PGP signatures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 System configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Anti-virus tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Anti-spyware tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 How to use this review of technologies and factors to consider. . . . . . . . . . . . . . . . . . . . . . . . . . 67 Rejection in the SMTP session. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Silent rejection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Rejection by sending a DSN (Delivery Status Notification or “bouncing”) . . . . . . . . . . . . . . . . . . 68 Delivery to a spam box. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Marking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 ELEMENT V – EDUCATION AND AWARENESS . . . . . . . . . . . . . . . . . . . . 71 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Education and awareness strategies: targeting the audience . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Individual users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 User groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Users and phishing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Companies and small medium-sized enterprises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Direct marketing companies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 5 Recommended Policies and Measures OECDspamRepEN.qxd 8/11/06 11:05 AM Page 6 ELEMENT VI – CO-OPERATIVE PARTNERSHIPS AGAINST SPAM . . . . . . . 77 ELEMENT VII – SPAM MEASUREMENT . . . . . . . . . . . . . . . . . . . . . . . . . 81 Spam metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 ELEMENT VIII – GLOBAL CO-OPERATION (OUTREACH) . . . . . . . . . . . . . 85 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 The role of global co-operation (Outreach). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 OECD Outreach activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 CONCLUDING REMARKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 ANNEXES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Annex I: Recommendation of the Council on Cross-Border Co-operation in the Enforcement of Laws Against Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Annex II: BIAC and MAAWG Best Practices for Internet Service Providers and Network Ooperators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Annex III: BIAC Best Practices for Email Marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Annex IV: GSM Association mobile Spam code of Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Annex V: London Action Plan/Contact Network of Spam Authorities Pro Forma for the Referral of Spam Investigations and Accompanying Guidance (Working Document). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 NOTES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Figures Figure 1. Spam evolution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Figure 2. Percentage of spam e-mails at ISPs level (4Q2005). . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Boxes Box 1. Spear-Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Box 2. Acceptable Use Policy (AUP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 Box 3. Mobile operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Box 4. Children education. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Box 5. Security tips and tricks: An example of a company’s internal anti-spam policy. . . . . . . . . . 75 6 OECD Anti-Spam Toolkit OECDspamRepEN.qxd 8/11/06 11:05 AM Page 7 EXECUTIVE SUMMARY In view of the wide impact of spam, and the potential for further problems as a result of the convergence of communication technologies and the emergence of ubiquitous communications and mobile Internet, the OECD brought together policy makers and industry experts to form the OECD Task Force on Spam(hereinafter, the “Task Force”). They were charged with developing a framework aimed at tackling spam using a broad multi-disciplinary range of solutions. The Task Force developed the Anti-Spam Toolkit(the “Toolkit”), which recommends a range of policies and measures which should be key elements of a comprehensive public policy framework for addressing the problem of spam. These policies and measures are summarised below. Status and evolution of spam In order for electronic communication platforms, applications and services to contribute to economic and social development, they must be reliable, efficient and trustworthy. Today, however, e-mail and other electronic communication tools may be threatened by unsolicited, unwanted, and harmful electronic messages, commonly known as spam. Unless these threats are curtailed, they could erode users’ trust and confidence. Spam, which began as electronic messages usually advertising commercial products or services, has evolved over the past few years, and to simple advertising messages have been added messages that are potentially dangerous, which can be deceptive, may cause network disruptions, may result in some form of fraud and which are used as a vehicle for spreading viruses and other malware. 7 Recommended Policies and Measures

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.