OECD Task Force on Spam



Anti-Spam Toolkit of Recommended Policies and Measures - Executive Summary

Latest update : 19th April 2006


In view of the wide impact of spam, and the potential for further problems as a result of the convergence of communication technologies and the emergence of ubiquitous communications and mobile Internet, the OECD brought together policy-makers and industry experts in the OECD Task Force on Spam (hereinafter, the “Task Force”) to develop a framework aimed at tackling spam using a broad multi-disciplinary range of solutions.

The Task Force developed the Anti-Spam Toolkit (the “Toolkit”), which recommends a range of policies and measures that should be key elements of a comprehensive public policy framework for addressing the problem of spam. These policies and measures are summarised below.

Status and evolution of spam

In order for electronic communication platforms, applications and services to contribute to economic and social development, they must be reliable, efficient and trustworthy. Today, however, e-mail and other electronic communication tools, and consequently users’ trust and confidence in these tools, may be threatened by unsolicited, unwanted, and harmful electronic messages, commonly known as spam.

Spam began as electronic messages usually advertising commercial products or services. Over the past few years it has evolved: to simple advertising messages have been added potentially dangerous messages, which can be deceptive, may cause network disruptions, may result in some form of fraud, and are used as a vehicle for spreading viruses and other malware.

A consistent and co-ordinated approach to spam

There is no simple solution to stop spam. The openness and decentralised nature of the Internet, which are the main reasons for its success, have also created the conditions leading to a number of vulnerabilities that are increasingly exploited by spammers and other online offenders. The lack of centralised control enables users to hide their identity. In addition, the low cost of accessing the Internet and e-mail services allows spammers to send out millions of spam messages every day at an extremely low marginal cost, so that only a small response rate is required to attain high profits. However, in combating spam and other online threats it is viewed as important to maintain the openness, flexibility and innovation underlying the Internet.

In this context, the Task Force, at the beginning of its mandate, had to decide on the appropriate action to take and the roles of the different stake-holders in fighting spam. There was consensus that Governments should work to establish clear national anti-spam policies in concert with other players, collaborate with the private sector, and promote co-operation across borders. It was also agreed that to fight spam it was important to set up domestic co-ordination groups, and create appropriate regulatory frameworks, based on well defined policy objectives and backed by effective enforcement mechanisms. It was recognized that the private sector has the lead role for the development of relevant business practices and innovative technical solutions, and can greatly contribute to the education of users. Co-ordination and co-operation among public and private players is critical to achieve results in eradicating spam.

In this context, the OECD Task Force on Spam developed the concept of an Anti-Spam Toolkit, with the objective to provide OECD members with a comprehensive policy orientation and consistent framework in their fight against spam. There was a conviction that this framework would also be applicable and useful for non-OECD countries. The Toolkit is composed of eight inter-related elements, addressing:

Regulatory approaches: The development of anti-spam legislation that tackles spam and related problems is fundamental. Legislation should notably set clear directions on what is allowed and what is not allowed.

Enforcement concerns: While having the appropriate legislation is indeed necessary, implementation and application of the law is fundamental. The timeliness and speed in taking enforcement action and applying sanctions is crucial, if spam is to be effectively curbed, and traditional enforcement procedures which can take several weeks or months are not fully effective in the online world. Particular attention in the context of spam should be given to national co-ordination, sanctions, empowerment of enforcement authorities, and cross-border enforcement co-operation.

Industry driven initiatives: In order to appropriately deal with spam, domestic anti-spam laws should be coupled with private sector initiatives.

Technical solutions: Anti-spam tools operate at many levels – at the point of origination of e-mail, in the backbone network, at the gateway and on the recipient computer – and may be used alone or in combination. Any attempt to combat spam effectively must involve the sensible application and administration of a number of these technological tools and methods, and consideration of the relevant factors prior to their implementation. No method will be entirely successful in isolation. When a number of anti-spam technologies are effectively used in collaboration with one another, the effect can be to drastically reduce the level of spam impacting a system.

Education and awareness: A comprehensive anti-spam strategy must ensure that the end-user, who is the final recipient of spam, the possible victim of viruses and scams, and, at the same time, the person who has control over their computer and personal information, is sufficiently educated and aware of how to deal with spam and other online threats. Education and awareness raising activities are needed in large enterprises, small and medium enterprises, for residential users and in education establishments. They must aim to create a culture of security, and encourage a responsible use of cyberspace.

Co-operative partnerships against spam: There is a common interest by public and private players in preserving the availability and reliability of communication tools to promote the development of the digital economy. Public-private sector co-operation is taking place in a number of innovative ways. The objectives of strategic partnerships are usually awareness raising activities and information sharing. More operational partnerships also contribute to education, development (and application) of best practices and exchange of information and data on cross-border spam cases. In addition, as the various efforts taking place at national and international levels show, partnerships are a fundamental tool to improve communication, understanding of reciprocal needs, expectations and problems, and therefore allow further co-operation and mutual involvement.

Spam metrics: Measurement is key to evaluating the evolution of spam and the effectiveness of anti-spam solutions and educational efforts, to be able to determine the impact of national strategy, evaluate the results of its implementation, and eventually what changes are needed in policy, regulatory and technical frameworks.

Global co-operation (Outreach): Spam, as the Internet, knows no borders, and travels from and to developed and developing economies. In this context, global co-operation is fundamental to promote appropriate domestic frameworks to counter spam in all countries, and to encourage co-operation among governments, private sector, civil society and other stakeholders, in order to ensure the harmonized and widespread application of technical measures and the effective enforcement of applicable rules.

For each of the above elements, the Task Force recommended a number of policies and practices:


Element I. Regulatory approaches

The development of anti-spam legislation which tackles spam and related problems is fundamental.

National anti-spam regulation should attempt to:

  • Preserve the benefits of electronic communications by increasing user trust in the Internet and electronic messaging media, and by improving the availability, reliability and efficiency of services as well as the performance of global communication networks.

  • Prohibit and take action against the act of spamming, as defined by national law. Legislation alone may not stop potential spammers from taking advantage of this marketing technique; however, laws and regulations can have an impact by sanctioning those individuals and organizations that choose to make use of spam and profit from it. The deterrent value of legislation will depend on the sanctions, and in particular on the certainty of their application.

  • Reduce the amount of spam. To prevent spam from being sent, activities need to target different stages, in order to reduce the volume of spam traversing networks and the amount of spam received by end-users.

To achieve these goals, legislation should conform to four general principles:

  • Policy direction: The legislation should provide a clear policy direction. The main lines and objectives of national and international anti-spam policy should be outlined at an early stage and need to underlie the entire governmental strategy.

  • Regulatory simplicity: The legislation should be short and simple.

  • Enforcement effectiveness: Enforcement is a fundamental issue, which, if not dealt with appropriately, can make a good piece of legislation useless. For this reason it is important to put in place an effective sanction regime and appropriate standards of proof. In addition, appropriate powers and resources need to be allocated for enforcement authorities.

  • International linkages: As spam is a cross-border issue, legislation should foresee appropriate international linkages, and provide national authorities with the possibility to co-operate in investigations and exchange information with foreign authorities (see below).

In reviewing best practices for legislation, the following elements should be included as far as possible, taking into account a country’s institutional and legal framework:

Issues and recommended approach

Scope

Services concerned: Messaging formats will merge or evolve, and unforeseen messaging media may arise. Two legislative approaches are possible:
  • “Technology specific”: target specific messaging technologies, usually those that pose a current spam problem.
  • “Technology neutral”: the regulatory instrument covers communication technologies in general, and is sufficiently flexible to encompass future changes in messaging technology without needing amendment. Real-time voice-to-voice services could be regulated separately.

Commercial purpose: Consider whether legislation should address only commercial and transactional messages, or whether it should also address specific non-commercial content, such as political or religious messages. Specific categories of messages can be expressly excluded from the scope of the law (e.g. messages from academic institutions to their alumni).

Consent

Consent: The degree of consent or permission that legislators or regulators wish to require may vary depending on the approach to spam regulation. There are three major approaches to consent, which are often blended in legislation:
  • Express: a form of consent where an individual or organisation has actively given their permission for a particular action or activity (opt-in).
  • Inferred/implicit: consent which can generally be inferred from the conduct and/or other business relationships of the recipient.
  • Assumed: consent is presumed until it is withdrawn by the recipient, for example by “unsubscribing” (opt-out).

Requirements for legitimate marketing messages

Unsubscribe address: Messages should always include a functional opt-out facility, which allows the recipient to unsubscribe by indicating their wish not to receive further communications from the sending party. This implies that a valid return address has to be included in the e-mail, so that the recipient may easily unsubscribe; a postal address could also be required. The lack of an opt-out facility, the absence of a valid return address or valid postal address, or the failure to cease the transmission of messages within the period of time established by the law should be sanctioned.

Information about message origins: A key challenge in the regulation of spamming and the enforcement of spam laws is to respond to the ability of spammers to obfuscate the origin of the spam being sent:
  • Legislation needs to prohibit the sending of e-mails which falsify the origin or conceal header/identification information.
  • Legislation should also require that the marketer on whose behalf the e-mail is sent be clearly identified.

Not bulk: Legislation may provide that e-mail is classified as spam only if a certain number of messages have been sent in a given period of time (usually over 50-100 within 24 hours). This element of course needs to take into account the fact that there is legitimate bulk e-mail (e.g. newsletters).

Labelling: Legislation may include a provision requiring the use of a specific label for e-mail containing advertising, pornographic material, etc.

Ancillary elements

Person authorising the sending of the spam, or aiding/assisting the spammer: The law should sanction not only the person physically sending the message, but also the person who commissioned or authorised the messages to be sent, or who has gained financially through the spamming activity. This approach could facilitate enforcement: it is often difficult to determine who actually sent the spam, while it may be easier to determine the marketer benefiting from it.

Harvesting software and harvested address lists; dictionary attacks: Legislation may include specific provisions to levy additional sanctions if such tools are used to aid the sending of spam in contravention of the jurisdiction’s spam legislation: the act of selling, acquiring or using harvesting software or harvested address lists, or the automatic generation of recipients’ addresses, may be sanctioned.

Cybercrime and content-related questions

Illegal access: Legislation should forbid the unauthorised use of protected computer resources. Anybody compromising computers in order to use them to send messages should be sanctioned.

Misleading or fraudulent content: Provisions of this kind focus on the content of the message, and leave aside many of the systemic concerns regarding spam. Spam scams and phishing are computer-related crimes, i.e. ordinary crimes that are frequently committed through the use of a computer system.
  • Anti-spam legislation could include provisions prohibiting misleading or deceptive subject headings.
  • In addition, spam legislation may cover the content of messages, in particular if anti-fraud laws, consumer protection legislation, etc. are not clearly drawn out.

Security threats: The malware aspects of spam are often criminalised by statute, or can be criminalised using the Council of Europe Convention on Cybercrime framework.

International element

Cross-border jurisdiction: Regulation should:
  • Specify that messages sent to or from the jurisdiction are covered, as well as messages commissioned from within the jurisdiction and financial benefits linked with spam.
  • Provide that spammers who operate from the national jurisdiction are sanctioned by domestic legislation, even though they spam other countries.
  • Empower domestic enforcement authorities to undertake international co-operation; cross-border enforcement agreements are important.
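The “not bulk” threshold and the provision on harvesting software and dictionary attacks both presuppose that a mail operator can recognise these behaviours in its own logs. The following Python example is added here as an illustration and is not part of the Toolkit or any OECD material. It runs over constructed MTA-style log lines (the line format, the documentation IP addresses and the example.* domains are assumptions) and shows two detections: a sliding 24-hour count per sender for the bulk threshold, with an allowlist for legitimate bulk senders such as an opt-in newsletter, and a per-client ratio of attempts rejected as “unknown user” for dictionary attacks. The thresholds (100 messages in 24 hours; at least 20 attempts with half or more rejected) are likewise assumed values for the example, not figures from the Toolkit.

```python
"""Bulk-sender and dictionary-attack detection over MTA log lines.

Added example. The log line format is an assumption for this demonstration, not any
real MTA's format:
    <ISO-8601 timestamp> client=<ip> from=<sender> to=<recipient> status=<accepted|unknown_user>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) from=(?P<sender>\S+) "
    r"to=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)


def build_sample_log():
    """Constructed log lines for the demonstration (documentation IPs, example domains)."""
    base = datetime(2006, 4, 19, 8, 0, 0)
    lines = []

    def add(minute, ip, sender, rcpt, status):
        ts = (base + timedelta(minutes=minute)).isoformat()
        lines.append(f"{ts} client={ip} from={sender} to={rcpt} status={status}")

    # 120 messages in two hours from one sender: over a 100-per-24h threshold.
    for i in range(120):
        add(i, "192.0.2.10", "promo@example.net", f"user{i}@example.com", "accepted")
    # 150 messages from a newsletter recipients subscribed to: legitimate bulk mail.
    for i in range(150):
        add(i, "192.0.2.20", "news@example.org", f"member{i}@example.com", "accepted")
    # An ordinary sender, one message per hour.
    for i in range(5):
        add(i * 60, "192.0.2.30", "alice@example.com", "bob@example.com", "accepted")
    # A dictionary attack: one client guessing local parts; 36 of 40 do not exist.
    for i in range(40):
        status = "accepted" if i % 10 == 0 else "unknown_user"
        add(i, "198.51.100.7", f"x{i}@example.net", f"guess{i}@example.com", status)
    # A legitimate client that mistyped one address: too few attempts to judge.
    add(5, "192.0.2.40", "carol@example.com", "bobb@example.com", "unknown_user")
    add(6, "192.0.2.40", "carol@example.com", "bob@example.com", "accepted")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def bulk_senders(events, threshold=100, window=timedelta(hours=24), legitimate_bulk=frozenset()):
    """Senders with at least `threshold` accepted messages inside any sliding `window`.

    Returns {sender: peak count seen in the window}. Senders in `legitimate_bulk`
    (e.g. an opt-in newsletter) are skipped, since legitimate bulk e-mail exists.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] != "accepted" or ev["sender"] in legitimate_bulk:
            continue
        q = recent[ev["sender"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["sender"]] = max(flagged.get(ev["sender"], 0), len(q))
    return flagged


def dictionary_attack_sources(events, min_attempts=20, unknown_ratio=0.5):
    """Client IPs whose recipient attempts mostly hit nonexistent mailboxes.

    Returns {ip: share of attempts rejected as unknown user}. `min_attempts` keeps a
    single mistyped address from being reported.
    """
    counts = defaultdict(lambda: [0, 0])  # ip -> [attempts, unknown-user rejections]
    for ev in events:
        counts[ev["ip"]][0] += 1
        if ev["status"] == "unknown_user":
            counts[ev["ip"]][1] += 1
    return {
        ip: round(unknown / total, 2)
        for ip, (total, unknown) in counts.items()
        if total >= min_attempts and unknown / total >= unknown_ratio
    }


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("bulk senders:", bulk_senders(evs, legitimate_bulk={"news@example.org"}))
    print("dictionary attack sources:", dictionary_attack_sources(evs))
```

Both detections are deliberately conservative: the sliding window counts only accepted messages, so a sender whose mail is already being rejected is not double-counted, and the dictionary-attack check requires a minimum number of attempts so that one operator typo does not look like an attack. On a real system the allowlist would hold the operator's known legitimate bulk senders, and the thresholds would be tuned to the network's normal traffic.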

The role of Internet Service Providers and e-mail service providers is also important, and could be considered in legislation. In particular:

Government and regulators should support the development of ISP codes of practice that complement and are consistent with legislation. Governments should encourage industry associations to develop such codes and adopt best practices where they are in the public interest and do not impose undue financial and administrative burdens on participants. Annexes II and III of the Final Report provide a best practice agreement developed by the Business and Industry Advisory Committee (BIAC) and the Messaging Anti-Abuse Working Group (MAAWG) in the context of the work by the Task Force on Spam.

Such codes, according to national practices and legislative provisions, could also be registered with the national enforcement agency where appropriate. This registration could enable the authority to require an industry participant to comply with the code in case the industry association does not succeed in doing so.

Legislation could also provide a comprehensive framework to support the activities of ISPs to block or limit the circulation of spam e-mail. ISPs should be able to take appropriate and balanced defensive measures to protect their networks, and should be allowed to take legal action against spammers. Similar results could be achieved through appropriate contractual provisions between ISPs and users.


Element II. Enforcement

Legislation needs to ensure that enforcement agencies have adequate powers in order to function effectively. Following the recommendation of the Spam Task Force an OECD Council Recommendation on Spam Cross-Border Enforcement Co-operation (Annex I) has been agreed to. On the basis of the recommendation, governments should improve their legislation in order to:

a) Establish a domestic framework of laws, enforcement authorities, and practices for the enforcement of anti-spam legislation.

b) Improve the ability of authorities to co-operate with their foreign counterparts, providing national bodies with the possibility to share relevant information and provide investigative assistance.

c) Improve procedures for co-operation, prioritising requests for assistance and making use of common resources and networks.

d) Develop new co-operative models between enforcement authorities and relevant private sector entities.


Element III. Industry-driven initiatives

In order to appropriately deal with spam, generally-applicable anti-spam laws should be coupled with self-regulatory initiatives undertaken by private sector players, such as Internet Service Providers and e-mail service providers, telecommunication operators, direct marketers, online operators, software companies, and their associations.

Private sector initiatives are an important part of the policy framework. The Task Force:

• Welcomes the efforts made by BIAC and MAAWG in drafting best practices and notes the results achieved so far (Annexes II and III).

• Encourages their continued development, including through dialogue with appropriate policy and regulatory bodies.

• Notes that best practices will evolve in light of regulatory, technical and commercial developments.

• Notes that in some jurisdictions there is scope for formal recognition of such best practices.

Providers of online services and goods should, in carrying out their activities, take action to develop:

• Corporate communication methods and standards which respect the privacy of their customers, carefully managing personal information and e-mail addresses. Company standards for websites, domain usage and e-mail messaging help protect users. Clear company e-mail policies, such as never asking for personal information or possibly never providing a clickable link in an e-mail, should be established and applied consistently. A company sending out e-mail to its customers may consider the possibility of authenticating those messages or using digital signatures.

• Pre-emptive activities to create barriers to e-mail scams such as phishing. These include measures to make the company’s website less vulnerable to brand attacks by using clear domain names and defensive domain registration (e.g. registering domain names which are similar to the company's own domain and may create confusion), website usage monitoring, control of "bounced" messages, monitoring of look-alike sites, etc.

• Consumer education and awareness, customer support. Online operators should communicate effectively with their customers. They should clarify which kind of communications can/will be sent by e-mail, define how e-mail addresses and other information may be accessed and modified by the user, specify that the user will never be asked to provide their personal data via e-mail, and list elements users need to verify in the message to be sure it is from the online operator.
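Defensive domain registration and monitoring of look-alike sites both start from the same question: which names are close enough to the company’s own domain to confuse its customers? The following Python example is added here and is not part of the Toolkit or any OECD material. It generates a set of look-alike candidates for a registrable domain (character omission, transposition, repetition, common character confusions, hyphenation, phishing-style affixes and the same label under other top-level domains) and then checks a list of observed domain names against that set. The confusion table, the affix list and the input domain `example.com` are assumptions for the example, and the input is assumed to be the registrable domain (e.g. `example.com`, not `www.example.com`).

```python
"""Look-alike domain candidates for defensive registration and monitoring.

Added example; the substitution table and affix list below are assumptions chosen for
the demonstration, not a list from the Toolkit.
"""

# Characters that are commonly swapped for visually similar ones in look-alike names.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}

# Words phishing sites often attach to a brand name.
AFFIXES = ("secure", "login", "support", "account")

# Other top-level domains under which the genuine label is worth holding or watching.
DEFAULT_TLDS = ("net", "org", "info", "biz")


def lookalike_candidates(domain, extra_tlds=DEFAULT_TLDS):
    """Return a sorted list of look-alike domains for a registrable domain such as example.com.

    The genuine domain itself is never included in the result.
    """
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError("expected a registrable domain such as example.com")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                    # omission: exmple
        variants.add(label[:i + 1] + label[i] + label[i + 1:])     # repetition: exampple
        if label[i] in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])  # examp1e
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition: examlpe
    for i in range(1, len(label)):
        variants.add(label[:i] + "-" + label[i:])                  # hyphenation: ex-ample
    for affix in AFFIXES:
        variants.add(f"{affix}-{label}")
        variants.add(f"{label}-{affix}")
    variants.discard(label)
    candidates = {f"{v}.{tld}" for v in variants if v}
    # The unchanged label under other TLDs is a look-alike too.
    candidates.update(f"{label}.{t}" for t in extra_tlds if t != tld)
    return sorted(candidates)


def observed_lookalikes(observed_domains, candidates):
    """Return the observed names (normalised to lowercase, no trailing dot) that are candidates.

    `observed_domains` would come from whatever feed of newly seen domain names the
    operator monitors; here it is a constructed list.
    """
    wanted = set(candidates)
    hits = {d.lower().rstrip(".") for d in observed_domains}
    return sorted(hits & wanted)


if __name__ == "__main__":
    cands = lookalike_candidates("example.com")
    print(f"{len(cands)} candidates, e.g. {cands[:5]}")
    # Constructed list of observed names, not real monitoring data.
    seen = ["Examp1e.com.", "example.com", "unrelated.org", "secure-example.com"]
    print("look-alikes seen:", observed_lookalikes(seen, cands))
```

The candidate list is the starting point for both activities the text names: the operator registers the entries that matter most (the other TLDs and the easiest typos, for instance) and watches the rest, so that a newly observed `examp1e.com` is noticed before it is used in a phishing campaign against customers.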

Direct marketers should:

• Adopt and effectively implement a code of conduct based on best practices for electronic marketing, covering marketing messages sent by e-mail, instant messaging or mobile. Direct marketing associations, as well as associations of online operators, could establish closer relationships with ISPs and other network operators in order to reduce the number of false positives, while at the same time guaranteeing the legitimacy and fairness of their activities.

• Ensure that such best practices or codes of conduct aim at facilitating and complementing the application of anti-spam legislation, at national and international levels. For this reason, appropriate information about different legislative approaches should be provided by governments and associations.

The OECD Task Force notes that BIAC has developed a set of recommended best practices for e-mail marketing, attached as Annex III to the Final Report.

Internet Service Providers and other network operators should:

• Adopt and effectively implement self-regulation in the form of best practices and codes of conduct.

• Adopt and enforce Acceptable Use Policies (AUPs) which forbid spamming and related activities on their networks. These policies would be part of the contractual agreement between the provider and the user; their violation would therefore constitute a breach of contract and allow the suspension of service and termination of the contract.

• Provide subscribers information about the availability, use and appropriate application of software for filtering spam and viruses. Filtering solutions and updates should be provided at a reasonable price, and links to open source anti-spam and anti-virus software should be indicated to users.

Governments should encourage national ISPs and other network operators to adopt and effectively implement recommended best practices. The OECD notes the recommended best practices for ISPs and other network operators which have been developed by BIAC and MAAWG and are available in Annex II of the Final Report.

Mobile operators should adopt and effectively implement measures to reduce spam on their networks. The range of new services offered over mobile phones creates new spam-like problems for mobile users. Mobile operator measures should include contractual, technical and educational tools. The OECD Task Force notes the GSM Association best practices for mobile operators, which are attached to the Final Report as Annex IV.



Element IV. Technical Measures

Internet Service Providers and other network operators should constantly improve their knowledge and operating practices, and update their technical best practices (such as the best practices for ISPs and other network operators mentioned in Element III), in order to face new challenges and technological evolution and to promote the implementation and sharing of available technical solutions among providers. When a number of anti-spam technologies are effectively used in collaboration with one another, the effect can be to drastically reduce the level of spam impacting a system. Although important in reducing the volume of spam in inboxes, filtering by itself does nothing to reduce the volume of spam originating on other networks, so a range of technical solutions needs to be implemented to achieve effective protection.



Element V. Education and Awareness initiatives

Individual users:

Governments should:

  • Develop public information and awareness campaigns to educate end-users about the products and services they are using and the associated risks they may face, thus allowing users to protect themselves from spam, viruses and other malicious code. This information should also be made available on ISPs’ portals.

  • Organise nation-wide campaigns to raise the attention of the media and of the population at large.

  • Work with the private sector, civil society and other interested parties on user education campaigns.

Given their ability to reach individual users on the web, ISPs and other network operators, including mobile operators, should use their company-customer communication channels (website, portals, sms, newsletters) to provide information to their customers on:

  • How to avoid spam and the risks connected with spam e-mails, SMS, MMS, etc.

  • Available anti-spam and anti-virus filters, including open source solutions for the platform concerned.

  • How to report spam abuses to the ISP or the user’s operator and to the competent authorities, and

  • E-mail/phone contact details for the provider’s abuse desk.

Users’ groups:

  • Computer classes for senior citizens, which may also be financed by the government or local authorities, should include information on computer security, and practical examples of how to avoid spam, online fraud, viruses and other malicious software.

  • Awareness of online threats and security issues should be part of computer classes for students and children. Cartoons and comics could also be used to reach out to young users.

Large Companies and SMEs:

  • Companies: IT support should make available to new staff a pamphlet explaining the company’s security policy for e-mail, existing filters and best practices for dealing with spam and how to avoid being spammed. The same kind of information should be available on the internal website, and updates should be sent to users periodically.

  • Small-medium-sized enterprises: Commercial associations, ISPs and security software companies should provide SMEs specific information on simplified security management practices, training material, free open source software, etc. Examples and resource materials are available on the OECD Task Force Website at www.oecd-antispam.org.

The education of recipients is as important as the education of senders. Regulators and business associations can play an important role in educating companies by disseminating information on how businesses can communicate with their clients using electronic messaging, such as e-mail, in a manner that complies with national legislation.

Direct marketing associations should inform their members of the relevant anti-spam legislation in force in their country of origin and in the country of destination of the message. Online marketing best practices and informational web pages should be developed and co-ordinated at the international level.



Element VI. Co-operative partnerships

Any anti-spam strategy should be developed and implemented in the context of public-private partnerships, with the participation of representatives from the public and private sectors. Anti-spam measures will only be effective if the full range of players is involved in their elaboration, accepts them (and their side-effects) and considers them appropriate to respond to their needs.

Recommended best practices, developed by industry associations with the input of public authorities, should be adopted widely. OECD members welcome the adoption of these best practices, and should encourage their wider dissemination and implementation, as well as their updating, where appropriate, to take into account a changing technological and service environment (see also Element III).

Industry and enforcement authorities should co-operate in the enforcement of anti-spam legislation. In particular, ISPs and other network operators should be in contact with the authorities to signal possible cases of spam, and should be allowed to share with the same bodies information on spam activities in their network.


Element VII. Spam metrics

Governments and private sector players should monitor the impact of anti-spam measures, to assess their effectiveness. ISPs, other network operators, and national anti-spam agencies should, to the extent possible, share information and data on the intensity and scope of spam and its evolution. Measuring methods should be detailed and documented, in order to improve the legibility of the results obtained. In this context MAAWG developed its Email Metrics Program. The Task Force welcomes this initiative and encourages its continuation and development.



Element VIII. Global co-operation

The Task Force on Spam recommends that the Toolkit and the best practices noted in the present document should be made widely available to non-OECD economies as well as within OECD countries and its resources should be accessible to the largest possible number of people. In this context a web site has been developed by the Task Force, and is available at www.oecd-antispam.org. In order for the website to continue to be a useful and up to date resource, countries are urged to regularly provide contribution, material, and news information on their national anti-spam initiatives.

OECD member countries should promote and facilitate anti-spam activities in other countries, through partnerships – bilateral or multilateral arrangements, information sharing, etc. – in order to help in the development of appropriate anti-spam legislation, support the implementation of technical solutions and the diffusion of educational tools and resources.






© OECD. All rights reserved.