[OT] Good Anti-Spam Boilerplate


After some senseless Googling, I'm at a loss. I'm looking for a very
comprehensive, up-to-date example of an AUP that covers spam. When I say
"modern", I mean that I want it to include not just direct spamming, but
abuse of remote open-relays, abuse of remote trojaned boxes, sending
through a third party that circumvents the local AUP, etc. Some good
definition of "requested email" would be great - i.e., double opt-in, or
single opt-in with some documentation that the user requested the mail on
a web form or similar.

Some language that covers penalties would also be helpful, such as
equipment seizure for non-payment of penalties.

Please reply privately and I'll summarize. I do not wish to get into any
debates about what qualifies as spam on this list.



Replying to myself here...

Thanks to everyone. I'd missed the spamhaus "spam definition" which will
be very helpful in wording a few things. And the prize for "best TOS"
goes to Steve Sobol from "justthe.net". This one is great:


I especially like the pdf generator. :)

Now I'll have to see what the lawyer thinks.

Thanks again everyone,


> After some senseless Googling, I'm at a loss. I'm looking for a very
> comprehensive, up-to-date example of an AUP that covers spam.

You might want to ask this question at a place like

First of all, it's a legal problem and the above blog
is a place where lawyers hang out, but they seem to focus
on the boundaries of technology and law which is where
the SPAM AUP issue sits.

There are probably other such blogs, lists, sites and so
on where you can get ideas from people with knowledge of law.

--Micael Dillon

I'm not sure I'd agree. Having an AUP that is enforceable in the way in
which you want to enforce it is very much an operational and policy
issue. You should have a lawyer check it over, as with any contract,
to ensure that you are defended legally should that ever be an issue,
but it's primarily a tool for your abuse staff to use.

Because of that, it's also unlikely that copying someone else's AUP
wholesale is going to be terribly appropriate, unless their business
model is fairly similar to yours (end-user vs web host vs bandwidth
provider vs colo...). It's well worth looking at others for concepts
and phrases to steal, but be very cautious of copying one that may
not be appropriate for the issues your abuse desk needs to handle.

You also need an internal, unpublished, policy document. It's pretty
much impossible to create an AUP that is specific enough to forbid
what you want forbidden and yet allow all legitimate use. The best
AUPs state your "philosophy" on acceptable use and your policies in
broad terms that don't try to be too specific and are overbroad in
that they forbid too much. Then selective enforcement by the abuse
staff allows you to implement the policy you actually need. That needs
a fairly competent abuse staff, and to provide some consistency in
handling issues they need their own policies and procedures. Writing
the first version of those down up-front gives you a good framework
to both make it clear what your intent is in drafting the AUP to
existing abuse staff and to help in bringing someone new in to
help with abuse work.
