D_R_A_F_T

BEST CURRENT PRACTICE FOR DUTY OF CARE OF INTERNET RESOURCES

Penultimate release version 1.33
Draft date: March 5, 2003
(Final I-D-required formatting to be added when text stabilized)

Drafted by Jeffrey Race

Abstract {short-form per RFC2223}

[text to be added]

"This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited."

Table of Contents

1 Introduction
1.1 Purpose
1.2 Background--The Problem
1.3 Failure of Present Measures to Limit Pollution
1.3.1 Present anti-pollution measures
1.4 Results
2 The Innovation of this Practice
2.1 Form of Practice
2.2 Standard for Duty of Care
2.3 Service Providers
2.4 IP Address and Domain Name Registrars
2.5 Anonymity
3 Enforcement
4 Accountability and Record-keeping Considerations
5 Legal Considerations
6 Security Considerations
7 Definitions
7.1 Internet Resources
7.2 UBE
7.3 Abuse
8 Glossary
9 References
10 Author's address
11 Revision history

[interim heading]

1 Introduction

1.1 Purpose

This document defines a precise and simple Best Current Practice for Duty of Care of Internet Resources, so as to minimize pollution of the Internet by various types of abuse, using the community's own measures in the absence of effective legal, regulatory and technical measures.

Such a Practice is required because of the economic value of server hardware and of bandwidth, of management time of users and system operators, and of both IP address space and domain names. IP address space is a valuable public resource which may be damaged or polluted to the detriment of the public good and of future users. Pollution of IP addresses and domain names is already a serious problem for registrars, as is the cost of scarce bandwidth and time of both users and managers consumed by abuse handling.

1.2 Background--The Problem

The system of networks known as the Internet has proven a valuable innovation stimulating broad and inexpensive dissemination of knowledge, reducing communication costs and aiding cultural, scientific and economic activity worldwide. But because of its interconnected structure, the entire Internet is easily subject to degradation by abuse at any point.

The Internet's design and management were predicated on voluntary cooperation, self-imposed good behavior, and the non-profit motivational structure of custodians of Internet Resources (IR) extant at its inception. Current experience obsoletes these formative assumptions.

Constantly increasing pollution (Unsolicited Bulk Electronic-messaging [UBE] meant to include e-mail, SMS, Instant Message, browser popups etc., denial of service attacks, and dissemination of viruses, worms and Trojan programs) frustrates the purpose of the Internet, generates unjust enrichment for polluters, and creates a heavy economic loss for society as a whole due to the minuscule return even to profit-seeking abusers compared to the value of the economic resources consumed by their transmissions, by handling their reception and by suppression efforts. The Internet will become unusable for many, and seriously compromised for others, in the near future.

This voiding of the Internet's formative assumptions demands prompt and effective curative measures.

1.3 Failure of Present Measures to Limit Pollution

Previous standards of practice [1] [2] correctly stressed traceability and set excellent goals which most bodies observe, thus localizing pollution emissions to a limited number of abusers and enablers. Unfortunately this limited number still gives rise to the constantly increasing volume of pollution now seen.

1.3.1 Present anti-pollution measures fall under four generic headings

(1) Self-directed good behavior, the pattern extant at the Internet's inception.

With the growth of the Internet, the informal peer pressures supporting good behavior no longer bind many participants, while at the same time the motivational structure has completely changed. For many individuals and firms with Internet access or even important Internet roles, financial rewards strongly deter good behavior and motivate abusive behavior.

(2) Legal sanctions

Many practices abusive of IR entail violation of common or statute law in most jurisdictions, viz. theft of service, trespass to chattels, identity theft, deceptive business practice and fraud in the inducement. However as a practical matter legal process is inapposite to the technical nature of Internet electronic messaging and inherently ineffectual for ensuring day-to-day trouble-free operation, due to the multiplicity of jurisdictions involved and the fact that abuse typically results in a very large number of victims, unknown to each other, each suffering too small a loss to mount criminal or civil litigation. For this reason legal measures have definitively failed to prevent abuse from increasing rapidly and will continue so to fail.

(3) Recipient network passive ingress control

Filtering based on source, envelope and/or content. Since the ingenuity and motivation of abusers at least equal and usually exceed those of system operators, and since abusive transmissions are, like desired transmissions, only a datastream, passive technical measures will always fail to halt abusive transmissions. Content filters are legally (or practically) unacceptable in many legal jurisdictions or functional user areas.

(4) Recipient network active egress control measures (intended to modify behavior of abuser or enabler)

a. Refusal of connections from hosts non-compliant with published standards such as lack of reverse DNS or appropriate HELO. This is purely of empirical utility based on current sloppy habits of some (but not all) abusers and enablers.

b. Blocking transmission from habitual polluters, varying from single IP addresses through larger or smaller IP address blocks up to and including complete countries.

This category of measure is adopted by some due to the proven ineffectiveness of (1) through (3), and experience over the past several years has proven a useful laboratory for the public.

Use of measures in the egress control category is generally completely effective in warding off UBE, and frequently results in reforming abuse enablers, but it has two major shortcomings:

(a) Limited uptake due to fear of loss of competitive market advantage by early adopters, since stringent use may interrupt some desired transmissions.

(b) Sustained transmission outages ("collateral damage") may occur if the abuse enabler lacks interest in suppressing pollution emitted from his network, frequently the case of SPs who profit from UBE.

1.4 Results

The devastating effectiveness of the active technical measures above is both its strength and its weakness. Because complaints may arise from legitimate users, some SPs are reluctant to use blocking and so fall back on filtering. But filtering leaves intact the burden on the networks (message transmission actually occurs to the receiving server), it fails to modify behavior because it does not place the burden where it belongs (on polluters and their enablers), and no filter algorithm can keep pace with the ingenuity of abusers.

2. The Innovation of this Practice

In view of failure of (1), (2) and (3) and the shortcomings of (4) above, the only remaining choice is to begin to apply to IR the same rules society applies to all other resources to deter antisocial behavior viz. proper behavior requires clear published standards, standards entail accountability, accountability entails multiple modes of enforceability, and enforceability entails traceability. The following procedures and implementing mechanisms are based on this universal rule of human experience.

The present rampantly increasing misuse of IR, and threat of catastrophic damage, results directly from ignoring this rule of human experience. At present there are few or no disincentives for pollution, so pollution may be expected to increase until the Internet is destroyed as a viable communication mechanism for many present users. [3]

Since both legal and technical measures have failed and will continue to fail, only the behavior modification method of stopping pollution remains, and the only proven effective method of behavior modification is withdrawal of IR of identity and connectivity to continue pollution. Numerous tests [4] have shown that this sanction works equally well against both the wilful and the negligent to halt pollution immediately, where prior efforts at polite persuasion to follow best practice were ignored with impunity.

This Practice draws upon the empirical results of (4) above, exploiting its effectiveness while overcoming the two identified shortcomings.

In short, this Practice innovates in four respects to halt Internet pollution:

(1) It makes explicit that every IR custodian is responsible for preventing a pattern of pollution from emerging out of his IR onto the Internet and is responsible for the consequences of any such pollution on others.

(2) Adopting a universal practice of withdrawal of IR, by common procedures, means that no SP will suffer competitive disadvantage from cooperating in the community effort to halt network abuse because all adopt simultaneously. Violators of this Practice will lose Internet connectivity.

(3) This Practice places the burden of pollution on the polluter and on his enabler rather than on the victim, so conforming to the basic principle used everywhere else in society to maintain justice and good order.

(4) This Practice legitimates withdrawal of IR as the only method proven effective in halting abuse.

2.1 Form of Practice

This Practice defines a system for community withdrawal of IR from polluters and pollution enablers. As a voluntary community, the Internet may do so at will, and responsible firms now withdraw IR as a regular part of operations, according to the procedures described below. This document is intended to legitimate such withdrawals and make them universal rather than occasional.

The withdrawal of IR (use of blocklists, cancellation of routing, withdrawal of IP addresses and domain names) may in its early months of adoption split the Internet into oceans of purity and islands of pollution. As withdrawal expands, polluters will be pushed into ever smaller and less connected domains, which grow ever more blocked. This cumulative process will end quickly, with residual polluted islands populated by those lacking a need to communicate with oceans of purity.

Specifically regarding blocklists, a variety is available using different criteria and different degrees of stringency. This method is immediately and devastatingly effective, because it throws the burden back on the perpetrator and his abuse-enabling SP. From a network perspective, blocklists are the ideal solution because they reduce bandwidth demand. Message transmission never occurs, because the connection is cut during call setup. Although in one sense a technical measure, blocklisting is generically considered a behavioral measure, because it forces abuse enablers to reform in cases where polite talk has been drowned out by the attraction of money. Blocklists keep unsafe servers from connecting to the Internet just as credit reports exclude defaulting debtors from the credit markets and pre-flight inspections keep unsafe planes out of the sky.

This Practice is intended to apply at every level of allocation, registration and usage of IR including but not limited to RIRs, LIRs, ISPs, webhosting firms, backbone connectivity providers, domain name registrars, and end-users.

2.2 Standard for Duty of Care

Every custodian of IR shall have an affirmative duty of care to preserve the value of his resources for present and future generations and to prevent their abuse to create injury to other users or custodians of IR, including but not limited to transmission of UBE, viruses, worms, conduct of denial-of-service attacks, and propagation of Trojan programs.

2.3 Service Providers (SP: internet service providers, backbone connectivity providers, and webhosting firms)

All SPs MUST enable a complaint mechanism at least via e-mail but allowance of multiple modes (e-mail, browser interface, fax, postal mail) is encouraged for convenience of victims. All complaints MUST receive prompt acknowledgement with sufficient uniqueness to permit followup of the complaint. Automated acknowledgement is permitted if provided with a tracking mechanism. SPs MUST respond to complaints by the same medium in which the complaint was made unless another medium is mutually agreed as more satisfactory.

SPs MUST enforce a published AUP as a condition of service. This AUP MUST as a minimum forbid

- transmission of UBE, viruses, worms or Trojan programs, and denial of service transmissions
- using any e-mail or domain address on its network for receiving replies to UBE
- open relays, open proxies, or accessible scripting programs capable of producing abuse as herein defined
- use of the SP's IR to promote tools or services to commit abuse, including but not limited to abuse software and target address lists.

SPs MUST ensure, by prior notice to all users and intending users, and by periodic testing (which shall be advised to all users as a condition of service) that none of the above vulnerable resources, or others comparable, exists on the networks for which they have a duty of care. Alternatively, SP and customer may agree that customer will perform such testing in place of the SP.

Many well-run SPs now implement these conditions and procedures; this Practice aims to make their procedures universal.

The abovementioned AUP MUST require each customer likewise to bind all its sub-contracting parties to these minimum conditions upon use of the offered connectivity. More rigorous conditions are permissible.

This AUP MUST specify penalties for infringement. In this regard the ideal shall be financial penalties for infringement, to be imposed even in the case of discontinuance of service (e.g. on a bond or credit card provided at the beginning of the service agreement), so as to deter an abuser from reapplying after disconnection. In the event a connectivity provider elects not to provide for financial penalties in its AUP, it MUST have a clearly documented procedure in place to prevent re-application for resources by disconnected abusers. Notional 'financial penalties' MUST NOT be utilized as a cover for a continuing revenue stream from an abuser.

At a minimum the application process for Internet service MUST require the applicant to specify whether he (if a natural person) or it or any of its principals (if a juristic person) has been disconnected from service previously by any SP. Applicants accepted for service who reabuse shall be turned over to local criminal authorities for prosecution for fraudulent inducement. A pattern of failing to turn serial abusers over to local criminal authorities shall be deemed ground for enforcement action against the negligent abuse-enabling SP under this Practice.

2.4 IP Address and Domain Name Registrars

Using public resources entails waiving so much of one's privacy as needed to maintain the usability of the resources, and being contactable is an essential element of system maintenance. A valid postal address is essential for legal service. Telephone and facsimile numbers and e-mail address are necessary for redundancy and rapid technical coordination.

All registrars shall therefore enforce current, correct and complete contact data for all registrants. Technical measures such as challenge/response to preclude harvesting are permitted and encouraged. Automated procedures to verify currency of contact data (now successfully employed by many systems) are encouraged. However for the purposes of this Practice, it shall suffice that errors or omissions brought to the attention of the delegating authority be corrected promptly.

An exception may be made for registrants having a documented requirement for anonymity, in which case the registrar assumes the responsibility for timely contacting the registrant on behalf of the public. The registrar shall inform the public correspondent that he has contacted the registrant and provide a unique tracking identification to permit followup.

Registrars shall ensure that contact data are active and that contact addresses (e.g. Postmaster and RFC-recommended role accounts) are properly operated by registrants. Failure to provide correct, current and complete contact data, or failure to enable or properly to operate a role account, shall be deemed a cause for Admonishment and, if default continues, Enforcement per infra.

All IR custodians SHALL, with the exception noted below, know the true identity of their IR users, so that accountability for behavior may be ensured and financial or criminal penalties imposed as necessary.

2.5 Anonymity

For technical or economic reasons (such as prepaid or free services), or for other valid reasons such as safety of users, IR may continue as at present to be offered for anonymous use. In such cases the provider must adopt technical measures such as rate-limiting, port-blocking, or caller ID, to preclude the abuse of the anonymously-used IR.

3. Enforcement

IR users and custodians are expected actively to suppress Internet abuse by the following steps.

First, observers of abuse are encouraged to report each incident to the responsible party, as specified in the registration record for the IP address or domain. (At present only a tiny fraction of one percent of UBE victims report UBE to the responsible parties.)

Second, present experience indicates that in the pursuit of financial gain large numbers of SPs lack Acceptable Use Policies (AUPs) or fail to enforce same against abusive customers, despite ample notice from abuse victims. Such SPs cause serious damage to the Internet, because they operate on the Environmental Polluter business model in which stockholders profit from pollution while their victims pay the costs. This business model is no more acceptable on the Internet than it is for industrial firms dumping chemical pollutants into the nearest stream.

Therefore this Practice requires that all IR users and custodians shall grant reasonable time for abuse-enablers to reform their behavior, after which steps third and fourth MUST ensue subject to prior investigation by the IR custodian as to the accuracy of the abuse complaint.

Reasonable time in this context shall be based on common sense.

- For abuse of e-mail accounts and domain names, the target for corrective action shall be four hours with a 36-hour maximum. Any failure by management of the abused IR to meet this goal shall, barring exceptional circumstances, be prima facie evidence that the organization operates on the Environmental Polluter business model, since technical means exist to take corrective action within four hours, and many well-run SPs now do so. Faster response is permitted and encouraged provided it is not susceptible to errors from mistaken reports or malicious identity theft (colloquially "joe jobs").
- For defective database information, the registrar shall notify the registrant of the defect within 24 hours and require compliance within 15 calendar days.
- For an issue requiring a provider to adopt system-wide technical or management changes, 30 days shall be considered reasonable, unless facts clearly suggest a longer or shorter period.

COST IS NEVER PERMITTED TO JUSTIFY FAILURE TO IMPLEMENT ANTI-ABUSE MEASURES (since allowing such justification would legitimate the Environmental Polluter business model).

Third, in default of action, affected users or IR custodians MUST publish an Admonishment privately to the defaulting body, and publicly in any appropriate medium making this a public archival record. Suitable media are archived newsgroups and websites including the user's or custodian's own website. For this purpose a link or heading shall be created titled "Bodies Currently Defaulting under Best Current Practice for Duty of Care of Internet Resources".

Fourth, bodies in the Admonishment stage MUST proceed to Enforcement stage not later than 30 days after publication of the Admonishment. Enforcement shall consist, as appropriate to the body involved, of:

- Limiting or withdrawal of peering or hierarchical connectivity
- Limiting or withdrawal of resources (e.g. including but not limited to IP address space or domain names, routing announcements, SWIP assignments, forward and reverse DNS)
- Limiting or withdrawal of authority over IR (e.g. authority to delegate IP addresses)
- Limiting or withdrawal of authority to register domain names

In the event that the IR custodian elects to limit as an initial enforcement step against a refractory admonishee, it is the expectation of this Practice that the limiting will proceed to a total withdrawal of resources if the admonishee remains in default after 90 days. While common sense and good judgment must be used, the process must reach finality or the enforcement mechanism will fail for lack of credibility.

In fact experience with blocklisting of UBE by major peers universally shows that the mere threat of withdrawal of connectivity causes refractory SPs to remove abusers from their networks within hours. The failure of major SPs now to do so arises entirely from their profit motive in the face of lack of any credible simultaneous loss of connectivity as is to be established in this Practice.

Enforcement via withdrawal of IR should proceed with consideration and ingenuity, in general by escalation moving from a small withdrawal to incrementally larger volumes of IR according to the metric appropriate to the IR type. In the case of SPs, withdrawal or blockage should start with the offending SP's corporate or management mail servers, which has proven repeatedly to gain attention of management without unduly affecting customers.

However some level of collateral damage affecting end-users of refractory SPs may in practice be necessary, since it is well known in the industry that some abusive managements listen attentively to their own customers while serenely ignoring the shrieks of their victims. Such SPs use their customers as "human shields", pleading for a relaxation of blocking. Such behavior and such pleas are forbidden under this Practice.

RIRs shall establish (to the extent not yet existing) procedures to de-authenticate address space and AS assignments so that withdrawn resources cannot continue to be used after withdrawal of authority.

It is foreseen under this Practice that SPs will have the primary enforcement responsibility against abusers; RIR responsibility will be limited to action against delegatees of IP address space operating on the Environmental Polluter business model by allowing open relays, abusable proxies and scripts and the like, and by not responding decisively to abuse complaints.

It is anticipated that the penalty of IP address space withdrawal will have to be used rarely if at all once the existence of this sanction is promulgated, and the RIRs will become involved as enforcers only in cases of prolonged tortious conduct (on the order of several weeks).

4. Accountability and Record-keeping Considerations

All organizations operating IR shall specify in their business process document the business units and persons responsible for implementing this Practice. Records shall be retained in sufficient detail and for sufficient period to be probative in litigation. Subject to local privacy statutes, information on abusers shall be publicly available.

5. Legal Considerations

Transitionally all custodians of IR MUST implement this Practice using best efforts even in the absence of binding language with peers and customers. However contracts MUST be worded to conform to the requirements of this Practice as they are renewed, amended or newly issued.

Additionally contract language MUST clarify that Internet Protocol addresses, whether delegated from a registry or dynamically or statically assigned to an end-user, are not the property of the delegatee or the user but are entrusted during good behavior and may be withdrawn instantly for abuse.

No cause of legal action shall exist against any party for obedience to this Practice.

Failure to observe this Practice upon notice shall give rise to a presumption that the party involved is either negligent or a witting accessory to the abuse, according to the facts. In adjudicating litigation Courts are invited to interpret facts in light of this Practice when considering elements of negligence or intention.

Failure to publish an AUP in accordance with this Practice, or to enforce such an AUP when published, shall be deemed tortious conduct to the extent such lack results in injury to anyone.

In the event that any part of this Practice conflicts with law in any jurisdiction, only such part shall be deemed non-binding in that jurisdiction.

6 Security Considerations

[text coming]

7. Definitions

7.1 Internet Resources (IR) shall mean

- IP addresses and domain names
- mail server hardware
- mail server software
- routing, naming and addressing mechanisms, databases and software

7.2 UBE shall mean

- messages, regardless of content, sent in multiple similar or identical copies to recipients who did not request to receive such messages from their sender.

In deciding whether a transmission shall be deemed UBE, common sense shall be applied encompassing the totality of facts knowable about the transmission including subject line, actual content, source of addresses, falsification of message parts, use of promiscuous relays or proxies or other abusable resources, obfuscation of return path or true identity of sender, and history of sender's previous abuse as recorded in any accessible database.

7.3 Abuse shall mean

- transmission of UBE, virus, worm, or Trojan program
- promoting a website by transmission of UBE
- operation of a mailing list failing to verify that target addresses result from genuine applications, failing to delete bounces or failing to honor unsubscribe requests
- enablement of promiscuous relay or proxy, or abusable script
- conduct of Denial of Service attack
- failure to enable or operate Postmaster or other defined role accounts per RFCs 2142 and 2821
- refusal to accept e-mailed complaints of e-mail abuse
- continuing to attempt transmissions after a 5xx reply as defined in RFC 2821
- announcing a non-delegated route or other fraudulent use of IP address space (including use in headers of IANA-reserved IP addresses or DNS information)
- transmission of packets without valid source IP address
- failure of an IR custodian to prevent abuse of its IR by the procedures described in this Practice
- any other action, preventable by sound management or engineering practice, resulting in injury to IR users or custodians.

A single injurious incident shall not be deemed abuse. Abuse shall be deemed a pattern of offensive behavior by one knowing or having reason to know of its abusive character. IR custodians shall evaluate single incidents with discretion, with a view to reform or education, but shall adopt a zero-tolerance, hair-trigger response to any abusive pattern of behavior. (However due care must be exercised to differentiate mistaken reports or malicious identity thefts, colloquially "joe jobs".)

8. Glossary

AUP  Acceptable Use Policy
IR   Internet Resources
SMS  Short Message Service
SP   Service Provider
UBE  Unsolicited Bulk Electronic-messaging meant to include e-mail, SMS, Instant Message, browser popups and the like

9. Normative References

RFC 2119

Informative References

[1] RFC2505
[2] RIPE Document ID: ripe-206
[3]
[4] [Original story published 31 July 2000 by Internet News at
[5] http://www.monkeys.com/spam-defined/

10. Author's address

Jeffrey Race
20 Chester Street
Somerville MA 02144-3005
USA
Telephone +1 617 625-7645
Telefax +1 617 623-1882

11. Pre-release revision history

V 1.01 December 12, 2002
Original text privately circulated

V 1.10 January 1, 2003
Substantial revisions and additions from internal resources; privately circulated and queried to OT newsgroups

V 1.2 January 8, 2003
Substantial revisions and additions from internal resources and IETF documents; initial reformatting. Queried Spam-L

V 1.3 February 12, 2003
Retitle from "Universal Standard" to "Best Current Practice"; substantial textual revisions and additions from comments received from RIPE list. Further reformatting. Submitted to RIR lists for comment.

V 1.32 February 28, 2003
Add cautionary header .
Add abuse category
Rearrange categories of anti-pollution measures
Minor textual fixes

V 1.33 March 5, 2003
Incompletely reformat per
Add abuse category

Current draft available at .