| Ref # |
Principle or Proposed Principle
|
| ISP001 |
Internet Service Providers should include
in their Terms of Service / Acceptable Use Policy a strongly worded
antispamming provision, covering prohibitions against any involvement
in spamming - including but not limited to:
- Sending unsolicited bulk/commercial email
- Receiving responses by any means (email,
http, or otherwise) from unsolicited bulk/commercial email sent via any
other provider.
with violation resulting in immediate account termination without
further warning, and the imposition of a "cleanup" fee. (For the sake
of example and recommendation only - $US1,000-00.) |
| ISP002 |
Internet Service Providers should include
in a Privacy Statement (which should be readily and easily accessible
at the website of the Internet Service Provider) strong privacy
provisions, including clauses stating that:
- Personal information, including email
addresses, acquired by the Internet Service Provider in the course of
their business will never be sold, rented, swapped or in any other way
provided to third parties (other than as an integral part of the sale
of the business as a going concern);
- That the Internet Service Provider itself
will never use personal information, including any email address, for
any purpose for which the Internet Service Provider has not received
clear, express, prior, optional and voluntary consent of the person
about whom the personal information pertains - and that such consent
may be easily revoked by that person at any time.
|
| ISP003 |
Internet Service Providers should maintain
an adequately and competently staffed abuse desk on a 24 hour, 365 day
per year basis. The abuse desk contact details should be readily and
easily accessible on the website of the Internet Service Provider, and
also listed with the Network Abuse Clearinghouse at http://abuse.net |
| ISP004 |
Upon receipt of an evidence-based abuse
report, the abuse desk of the Internet Service Provider should
investigate the complaint and take action within two (2) hours. If the
complaint is valid, the account should be terminated immediately. If
the complaint cannot be properly investigated within two (2) hours, the
account should be temporarily suspended while the investigation
continues. All complainants should be sent a reply stating the outcome
of the investigation and the action taken. |
| ISP005 |
Internet Service Providers should ensure
that all mail servers under their control or management be properly and
securely configured to prevent unauthorised relaying of email. |
| ISP006 |
Internet Service Providers should not
knowingly distribute unsolicited emails, or emails reasonably suspected
of being unsolicited, to their users, and should institute multiple
forms of filters to prevent such distribution. Filters should as a
minimum be a combination of "known phrase" (or similar), Open Relay
Filters, and Known Rogue IP filters. |
| ISP007 |
Internet Service Providers should place a
strict limit on the number of recipients to whom any single email being
sent from their service may be sent. (For the sake of example and
recommendation only - Max. 20 recipients.) Clients of the ISP may apply
to the ISP for a raised limit, though before it is granted the Internet
Service Provider must satisfy itself that the user has a legitimate
need for a raised limit. |
| ISP008 |
Internet Service Providers should place a
cap on the volume of outgoing mail which may be sent from any one
account in any given time period. (For the sake of example and
recommendation only - 50 in any one hour period and 250 in any 24 hour
period.) Clients of the ISP may apply to the ISP for a raised limit,
though before it is granted the Internet Service Provider must satisfy
itself that the user has a legitimate need for a raised limit and has
acquired the email addresses of recipients in an ethical manner. |
| ISP009 |
Internet Service Providers should prevent
their accounts being used as "drop boxes" for spam replies
by placing a strict limit on the number of emails any one account may
receive in any given time period. (For the sake of example and
recommendation only - Maximum of 30 in any one hour period.)
Accounts breaching the set threshold should be automatically suspended
pending investigation. Investigation should be completed within two (2)
hours of the triggering of the automatic suspension. If the breach is
innocent, the suspension should be removed. If evidence of "drop box"
activity is clear, the account should be terminated and the details
provided to the Internet Service Provider's legal counsel and Debt
Collection Agency for appropriate action. |
| ISP010 |
Every connection via a Dialup provided by
the Internet Service Provider should log the Calling Number
Identification / Automatic Number Identification of the user. Terms of
Service should include a clause that customers must have CNI (or its
synonymous name in various parts of the world) enabled in order
to use a dialup connection. The ISP should also maintain a connection
filter to ensure that upon dialup, the calling number can be logged. If
it cannot be logged, such as when the user has disabled the feature on
his/her line, the connection should be refused. In the event of account
termination due to spamming involvement, the logged CNI should be added
to the connection filter, barring that number from accessing
connections for a period of twelve months. |
| ISP011 |
In the event that an Internet Service
Provider has been fraudulently associated with a spam (via mention of a
non-existent email account as a return-path, for example), the Internet
Service Provider should take all available measures to identify the perpetrator
and pursue all possible legal remedies. |
| ISP012 |
IP Numbers associated with an Internet
Service Provider should resolve in such a way as to provide the
complainant who is tracing the IP number with meaningful information
about not only the immediate provider of the spammer/abuser, but also
the geographical location of the server. |
| ISP013 |
Internet Service Providers should take all
available measures to intercept and destroy all outbound emails which
the sender is attempting to relay through any unsecured/open server.
This should be done without limiting the ability of a user to
access a secure server at a third party for which they have
legitimate access rights. |
| ISP014 |
|
| ISP015 |
|
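
The limits in ISP007, ISP008 and ISP009 can be enforced with per-account sliding windows. The sketch below is an added example, not part of the original principles; the class and function names are hypothetical, the thresholds are the example figures from the table, and it assumes the ISP008 cap counts messages rather than recipients.

```python
from collections import defaultdict, deque

MAX_RECIPIENTS = 20                          # ISP007 example figure
OUTBOUND_CAPS = ((3600, 50), (86400, 250))   # ISP008: 50 per hour, 250 per 24 hours
INBOUND_WINDOW, INBOUND_CAP = 3600, 30       # ISP009: 30 per hour

class MailPolicy:
    """Hypothetical per-account enforcement of the ISP007-ISP009 limits."""

    def __init__(self):
        self.sent = defaultdict(deque)       # account -> timestamps of accepted mail
        self.received = defaultdict(deque)   # account -> timestamps of inbound mail
        self.suspended = set()               # accounts held pending investigation

    @staticmethod
    def _trim(log, now, window):
        # Drop timestamps that have aged out of the window.
        while log and now - log[0] >= window:
            log.popleft()

    def check_outbound(self, account, recipients, now):
        """Decide whether one outgoing message is accepted (times in seconds)."""
        if account in self.suspended:
            return "reject: suspended"
        if len(recipients) > MAX_RECIPIENTS:
            return "reject: too many recipients"
        log = self.sent[account]
        self._trim(log, now, OUTBOUND_CAPS[-1][0])   # keep at most 24 hours
        for window, cap in OUTBOUND_CAPS:
            if sum(1 for t in log if now - t < window) >= cap:
                return f"reject: {cap} per {window // 3600}h cap reached"
        log.append(now)
        return "accept"

    def record_inbound(self, account, now):
        """Count one inbound message; suspend the account when the cap is breached."""
        log = self.received[account]
        self._trim(log, now, INBOUND_WINDOW)
        log.append(now)
        if len(log) > INBOUND_CAP:
            self.suspended.add(account)      # automatic suspension per ISP009
            return "suspended pending investigation"
        return "delivered"

def demo():
    """Constructed traffic: 51 sends in under a minute from one account."""
    policy = MailPolicy()
    return [policy.check_outbound("user1", ["a@example.org"], t) for t in range(51)]
```

Raised limits granted under ISP007 and ISP008 would be per-account overrides of these constants, and a suspension set by `record_inbound` stays in place until the investigation clears or terminates the account.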