BestPrac.Org

Stop Spam : Best Practice in Email
Spam Prevention and Eradication


Principles of Best Practice -
Third Party Script Hosting Services:

Summary

CGI scripts or other types of scripts hosted by third parties (often for a fee, or more commonly in return for advertising rights) are commonly exploited by spammers.

They help to provide anonymity and disguise the true source or destination of communications sent or replies received.

People offering such services need to have suitable spam control practices in place to block spam, trace and report spam to other service providers, and to generally prevent their services being attractive to spammers.

Ref # Principle or Proposed Principle
3SH001  Third Party Script Hosting Services should maintain an adequately and competently staffed abuse desk on a 24 hour, 365 day per year basis. The contact details for the abuse desk should be readily and easily accessible on the website of the Third Party Script Hosting Service, and also listed with the Network Abuse Clearinghouse at http://abuse.net
3SH002  Third Party Script Hosting Services should ensure that their Terms of Service include a strong antispam clause, including but not limited to prohibiting:
  • Sending unsolicited bulk/commercial email
  • Receiving replies from unsolicited bulk/commercial emails sent from any other service provider
  • Using scripts on any website promoted in unsolicited bulk/commercial emails
  • Using scripts in any HTML-format email sent unsolicited
  • Or in any other way used directly or indirectly in connection with unsolicited communications, or aiding the promotion of spamming, spamming tools or services
with violation resulting in immediate account termination without further warning, barring the offender from future use of the service, and reporting of the violation and termination to the email and other service providers known or believed to be used by the offender.
3SH003  Third Party Script Hosting Services, in their Privacy Statements, should reserve the right to pass on all information regarding breaches of their Terms of Service to any other service provider known or believed to be used by the offender.
3SH004  Upon receipt of an evidence-based abuse report, the abuse desk of the Third Party Script Hosting Service should investigate the complaint and take action within two (2) hours. If the complaint is valid, the account should be terminated immediately. If the complaint cannot be properly investigated within two (2) hours, the account should be temporarily suspended while the investigation continues. All complainants should be sent a reply stating the outcome of the investigation and the action taken.
3SH005  Where an account termination per 3SH004 occurs, the Third Party Script Hosting Service should lodge abuse reports with the email and service providers of the offender, advising them of the offence, providing evidence thereof, and requesting the termination of all accounts and services associated with the offender.
3SH006  Scripts provided by Third Party Script Hosting Services should never require the user to place their email address within the HTML of their web/email page in order for the script to work.
3SH007  Third Party Script Hosting Services should verify the authenticity of all email addresses used by their customers within scripts. Before a script becomes functional, this may be done using a method akin to the confirmed-opt-in (sometimes referred to as 'double-opt-in') procedures of mailing lists.
3SH008  Third Party Script Hosting Services should prevent their accounts being used as "drop boxes" or for redirection to "drop boxes" for spam replies by placing a strict limit on the number of emails any one account may receive in any given time period. (For the sake of example and recommendation only - Maximum of 10 in any one hour period.)

Accounts breaching the set threshold should be automatically suspended pending investigation. Investigation should be completed within two (2) hours of the triggering of the automatic suspension. If the breach is innocent, the suspension should be removed. If evidence of "drop box" activity is clear, the account should be terminated, the IP address and other identifying data of any person trying to access the account should be recorded, and abuse reports should be lodged with the offender's ISP.
3SH009  Where a Third Party Script Hosting Service provides scripts for interactive forums (including but not limited to chat rooms, message boards, classified advertisements, guest books, and similar), the Third Party Script Hosting Service should ensure that the privacy of the email addresses of all users is protected, by non-publication of such email addresses (except where the user has voluntarily added their email address in the body of their message/s).
3SH010 
3SH011 
3SH012
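
An added example, not part of the original principles: one way to implement the 3SH008 receive limit with automatic suspension, using the example threshold of 10 emails per hour and the two-hour investigation deadline. The class name, account identifiers and timestamps are constructed for illustration.

```python
from collections import defaultdict, deque

LIMIT = 10                  # example threshold given in 3SH008
WINDOW = 3600               # "any one hour period", in seconds
INVESTIGATE_BY = 2 * 3600   # investigation deadline after suspension


class DropBoxGuard:
    """Sliding-window receive limit per account with automatic suspension."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)  # account -> delivery timestamps
        self.suspended = {}             # account -> investigation deadline

    def accept(self, account, now):
        """Return True if an email arriving at `now` may be delivered."""
        if account in self.suspended:
            return False                # held until the abuse desk decides
        q = self.seen[account]
        while q and now - q[0] >= self.window:
            q.popleft()                 # drop deliveries older than the window
        if len(q) >= self.limit:
            # Threshold breached: suspend and start the two-hour clock.
            self.suspended[account] = now + INVESTIGATE_BY
            return False
        q.append(now)
        return True

    def overdue(self, now):
        """Suspended accounts whose investigation deadline has passed."""
        return sorted(a for a, d in self.suspended.items() if now > d)

    def reinstate(self, account):
        """Lift a suspension after the breach is found to be innocent."""
        self.suspended.pop(account, None)
        self.seen.pop(account, None)


if __name__ == "__main__":
    guard = DropBoxGuard()
    # Constructed traffic: one email per minute to a hypothetical account.
    for minute in range(12):
        ok = guard.accept("acct-a", minute * 60)
        print(minute, "delivered" if ok else "blocked")
    print("awaiting investigation:", guard.suspended)
```

The window slides with each arrival, so an account cannot reset its count by waiting for a clock-hour boundary.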