BestPrac.Org

Stop Spam : Best Practice in Email
Spam Prevention and Eradication


Principles of Best Practice -
Internet Service Providers:

Summary:

Every spammer needs an Internet Service Provider.

Internet Service Providers, therefore, are an essential link in the anti spam fight.

Internet Service Providers are in a position to adopt network security and email server technologies to prevent spam ever being able to be sent via their connections at all, thus blocking spam at source.

Similarly, they are in a position to block spam from reaching recipients who subscribe to their services.

Ref # Principle or Proposed Principle
ISP001  Internet Service Providers should include in their Terms of Service / Acceptable Use Policy a strongly worded antispamming provision, covering prohibitions against any involvement in spamming - including but not limited to:
  • Sending unsolicited bulk/commercial email
  • Receiving responses by any means (email, http, or otherwise) from unsolicited bulk/commercial email sent via any other provider.
with violation resulting in immediate account termination without further warning, and the imposition of a "cleanup" fee. (For the sake of example and recommendation only - $US1,000-00 .)
ISP002  Internet Service Providers should include in a Privacy Statement (which should be readily and easily accessible at the website of the Internet Service Provider) strong privacy provisions, including clauses stating that:
  • Personal information, including email addresses, acquired by the Internet Service Provider in the course of their business will never be sold, rented, swapped or in any other way provided to third parties (other than as an integral part of the sale of the business as a going concern);
  • The Internet Service Provider itself will never use personal information, including any email address, for any purpose for which it has not received the clear, express, prior, optional and voluntary consent of the person to whom the personal information pertains - and such consent may be easily revoked by that person at any time.
ISP003  Internet Service Providers should maintain an adequately and competently staffed abuse desk on a 24 hour, 365 day per year basis. The abuse desk contact details should be readily and easily accessible on the website of the Internet Service Provider, and also listed with the Network Abuse Clearinghouse at http://abuse.net
ISP004  Upon receipt of an evidence-based abuse report, the abuse desk of the Internet Service Provider should investigate the complaint and take action within two (2) hours. If the complaint is valid, the account should be terminated immediately. If the complaint cannot be properly investigated within two (2) hours, the account should be temporarily suspended while the investigation continues. All complainants should be sent a reply stating the outcome of the investigation and the action taken.
ISP005  Internet Service Providers should ensure that all mail servers under their control or management be properly and securely configured to prevent unauthorised relaying of email.
ISP006  Internet Service Providers should not knowingly distribute unsolicited emails, or emails reasonably suspected of being unsolicited, to their users, and should institute multiple forms of filters to prevent such distribution. Filters should, as a minimum, combine "known phrase" (or similar) filters, Open Relay Filters, and Known Rogue IP filters.
ISP007  Internet Service Providers should place a strict limit on the number of recipients to whom any single email being sent from their service may be sent. (For the sake of example and recommendation only - Max. 20 recipients.) Clients of the ISP may apply to the ISP for a raised limit, though before being granted the Internet Service Provider must satisfy itself that the user has a legitimate need for a raised limit.
ISP008  Internet Service Providers should place a cap on the volume of outgoing mail which may be sent from any one account in any given time period. (For the sake of example and recommendation only - 50 in any one hour period and 250 in any 24 hour period.) Clients of the ISP may apply to the ISP for a raised limit, though before being granted the Internet Service Provider must satisfy itself that the user has a legitimate need for a raised limit and has acquired the email addresses of recipients in an ethical manner.
ISP009  Internet Service Providers should prevent their accounts from being used as "drop boxes" for spam replies by placing a strict limit on the number of emails any one account may receive in any given time period. (For the sake of example and recommendation only - Maximum of 30 in any one hour period.)

Accounts breaching the set threshold should be automatically suspended pending investigation. Investigation should be completed within two (2) hours of the triggering of the automatic suspension. If the breach is innocent, the suspension should be removed. If evidence of "drop box" activity is clear, the account should be terminated and the details provided to the Internet Service Provider's legal counsel and Debt Collection Agency for appropriate action.
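The per-account thresholds in ISP007, ISP008 and ISP009 can be enforced with sliding-window counters in front of the mail server. The following is an added illustration, not code from BestPrac.Org: it uses the text's own example values (20 recipients per message, 50 per hour and 250 per day outbound, 30 per hour inbound), and the account names, the injectable clock, the `raised` limit overrides and the `resolve` abuse-desk hook are assumptions made for the example. Outbound breaches reject the message; an inbound breach suspends the account automatically, as ISP009 prescribes, until the investigation outcome is recorded.

```python
"""Per-account send/receive limits in the style of ISP007, ISP008 and ISP009.

Added example (not part of the BestPrac.Org text). Thresholds are the text's
example values; the API shape, clock injection and account names are assumptions.
"""
from collections import defaultdict, deque
import time

MAX_RECIPIENTS_PER_MESSAGE = 20                 # ISP007 example value
OUTBOUND_LIMITS = ((3600, 50), (86400, 250))    # ISP008: (window seconds, cap)
INBOUND_LIMITS = ((3600, 30),)                  # ISP009: drop-box threshold


class AccountLimiter:
    """Sliding-window counters per account plus ISP009 suspension state."""

    def __init__(self, now=time.time):
        self._now = now                     # injectable clock (assumption, eases testing)
        self._out = defaultdict(deque)      # account -> timestamps of accepted sends
        self._in = defaultdict(deque)       # account -> timestamps of deliveries
        self.blocked = {}                   # account -> reason (suspended or terminated)
        self.raised = {}                    # account -> limits raised after review (ISP007/008)

    @staticmethod
    def _breach(events, limits, now):
        """Expire timestamps past the longest window, then report the first cap hit."""
        horizon = max(window for window, _ in limits)
        while events and events[0] <= now - horizon:
            events.popleft()
        for window, cap in limits:
            count = sum(1 for t in events if t > now - window)
            if count >= cap:
                return f"{count} messages in the last {window}s (cap {cap})"
        return None

    def check_outbound(self, account, recipient_count):
        """Decide whether one outgoing message may be sent; record it only if allowed."""
        now = self._now()
        if account in self.blocked:
            return False, "account blocked: " + self.blocked[account]
        raised = self.raised.get(account, {})
        max_rcpt = raised.get("recipients", MAX_RECIPIENTS_PER_MESSAGE)
        if recipient_count > max_rcpt:
            return False, f"{recipient_count} recipients exceeds per-message cap of {max_rcpt}"
        breach = self._breach(self._out[account], raised.get("outbound", OUTBOUND_LIMITS), now)
        if breach:
            return False, "outbound volume cap: " + breach
        self._out[account].append(now)
        return True, "accepted"

    def record_inbound(self, account):
        """Count one delivery; suspend the account automatically when the ISP009 cap is hit."""
        now = self._now()
        if account in self.blocked:
            return False, "account blocked: " + self.blocked[account]
        limits = self.raised.get(account, {}).get("inbound", INBOUND_LIMITS)
        breach = self._breach(self._in[account], limits, now)
        if breach:
            self.blocked[account] = "suspended pending investigation, inbound volume cap: " + breach
            return False, self.blocked[account]
        self._in[account].append(now)
        return True, "delivered"

    def resolve(self, account, innocent, raised_limits=None):
        """Record the abuse-desk outcome: reinstate (optionally with raised limits for a
        user with a demonstrated legitimate need) or terminate the account."""
        if innocent:
            self.blocked.pop(account, None)
            if raised_limits:
                self.raised[account] = raised_limits
            return "reinstated"
        self.blocked[account] = "terminated after investigation"
        return "terminated"


if __name__ == "__main__":
    limiter = AccountLimiter()
    print(limiter.check_outbound("demo-account", 21))   # rejected: too many recipients
    print(limiter.check_outbound("demo-account", 3))    # accepted
```

The counters are kept in process memory for clarity; an ISP would back them with shared storage so that every MTA in the pool sees the same per-account totals, and would feed `resolve` from the abuse-desk workflow in ISP004 rather than calling it by hand.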
ISP010  Every connection via a dialup provided by the Internet Service Provider should log the Calling Number Identification / Automatic Number Identification of the user. Terms of Service should include a clause requiring customers to have CNI (or its equivalent name in other parts of the world) enabled in order to use a dialup connection. The ISP should also maintain a connection filter to ensure that, upon dialup, the calling number can be logged. If it cannot be logged, such as when the user has disabled the feature on his/her line, the connection should be refused. In the event of account termination due to spamming involvement, the logged CNI should be added to the connection filter, barring that number from accessing connections for a period of twelve months.
ISP011  In the event that an Internet Service Provider has been fraudulently associated with a spam (via mention of a non-existent email account as a return-path, for example), the Internet Service Provider should take all available measures to identify the perpetrator and pursue all possible legal remedies.
ISP012  IP numbers associated with an Internet Service Provider should resolve in such a way as to provide meaningful information to a complainant tracing the IP number: not only the identity of the spammer/abuser's immediate provider, but also the geographical location of the server.
ISP013  Internet Service Providers should take all available measures to intercept and destroy all outbound emails which the sender is attempting to relay through any unsecured/open server. This should be done without limiting the ability of a user to access a secure server at a third party for which they have legitimate access rights.
ISP014 
ISP015