1 About This Document
1.1 Introduction
The purpose of this document is to provide an overview of Knight Web Services® Inc.’s Abuse Department policies and procedures. The procedures outlined in this document pertain to general procedural methods as well as procedures regarding abuse event detection, response & notification details.
2 In Scope
2.1 Out of Scope
High Level Security and Network Security Issues are not within the scope of this document.
2.2 Audience
This document is intended for use by the Knight Web Services® Inc. Abuse Team, Knight Web Services® Inc. Technical Support and Customers.
3 Document Details
3.1 Overview
Section 4 will provide an overview of our Anti-Abuse systems, policies and procedures. Section 5 will provide common abuse scenarios, our response to these cases, and any special notes on notification and/or escalation procedures.
4 Abuse System Summary
4.1 Email Abuse Issues
4.1.1 Inbound RBL Blocks
Our first line of defence against spam is the use of DNS Real-Time Blacklists (RBLs). These block connections from IPs that have been identified as spam sources by our systems or by trusted external data sources. Our RBL roster has been carefully selected, tested and tuned to reduce the probability of unintended blocking of legitimate mail (false positives).
An email that is blocked because it originated from a blocked IP will result in the following error:
H:ABC 1.2.3.4 Connection Refused Due to Abuse
Where “ABC” is a code which identifies which list was used to determine that the connection should be blocked, and where 1.2.3.4 is the IP address that was blocked.
Our public facing Postmaster Team is available 24/7 to assist outside senders who are having difficulties sending to our system. Our abuse and postmaster contact addresses are not subject to RBL based blocking, so an IP that is blocked from sending to our platform will still be able to reach us for help.
Additionally, Knight Web Services® Inc.’s Support and Client Relations teams can escalate these types of issues if they are brought forth by the client.
If an RBL block is encountered, the user should provide us with the bounce back error message that was encountered, including the IP address that was blocked. For detailed escalation instructions, please see the “Inbound RBL False Positive Remediation” section. For a list of the whitelists and blacklists currently in use, please view Appendix A.
4.1.2 Inbound Spam Filtering
Our spam filters work at the account level. Users can customize the strength and delivery options associated with our filters to meet their particular needs.
We use the Cloudmark Anti-Spam solution, which is an industry leader in spam filtering.
Strength options include Light, Standard and Aggressive. Delivery options include Quarantine (Send to Junk), Tag & Deliver (Send to Inbox) and Delete. Users also have the option to turn off the spam filters entirely. The Abuse Department recommends using standard strength filtering, and quarantining junk mail. Users should also review their mail for inappropriately classified messages and report these to us.
In our webmail client, users can easily report misclassifications to us by highlighting the message and clicking on the JUNK button (false negatives) or clicking on the NOT JUNK button (false positives). These buttons will also move the message into the correct folder (inbox or junk).
For email client users, you can also report misclassifications manually in RFC822 format as MIME attachments. This preserves the email header information that Cloudmark requires. Please do not send misclassified messages by using the Forward command; this strips them of essential header information.
Knight Web Services® Inc. has set up email addresses for feedback submission. Typically, they are available as abuse@knightwebservices.com.
See Appendix B for further information about reporting messages manually.
4.1.3 Outbound Threshold System
In order to maintain the integrity of our outbound mail systems, limits are placed on sending. These thresholds are dynamic and configured by administrators according to industry standards. If an account exceeds the daily threshold, a temporary block will be placed against the account and a sample of their outbound content will be reviewed by the Abuse team. If the content is found to be spam or fraud related, a persistent block will be placed on the account and a notification will be sent to the client.
In cases where a legitimate end-user account has been compromised and used to send spam, we request that the client computer/network be scanned for malware and viruses, and we require that the account’s password be changed before we unblock the account.
A user who has a legitimate need to send beyond the daily limit can request whitelisting status. To grant this status, we must first vet the user’s mailing practices. A brief questionnaire is sent asking questions that will help us determine if it is safe to allow this user to send. Details of our whitelisting procedures are included in Appendix C.
4.1.4 Outbound Filtering
To maintain the reputation of our outbound mail servers, Knight Web Services® Inc. has two spam filters which outbound mail traffic must pass through before being sent to the outside world. One of these filters is provided by Cloudmark, which also provides our inbound mail filtering solution; the other is provided by Commtouch, which provides a filter specifically designed for outbound mail.
Unfortunately, these spam filters will sometimes tag legitimate emails and prevent our users from sending them out. To illustrate how this may happen, consider the following scenario: one of our users sends an email to a fairly large number of recipients, including their website URL and phone number in a signature. When users on other mail systems receive this mail, they may mark it as spam. Our filters tap into a global data network of spam, learn that users are marking messages that contain this URL or phone number, and then block all messages containing those elements.
If our outbound spam filters have tagged a message mistakenly, the user will receive an error message. The error will either be inline (a pop-up error in their mail client) or a bounce back error generated by our systems. The error is “This message has been blocked due to SPAM-like characteristics. Please contact support for assistance.” The error will also contain an alphanumeric string which identifies the unique message (ESMTP Stamp). The Knight Web Services® Inc. Abuse Team can use this stamp to look up why the message was blocked.
To fix a false positive outbound spam issue, BUCE requires:
- the account trying to send out
- the ESMTP stamp and error message the user received
- if available, a copy of the email the user is trying to send
If this information is provided in a ticket and sent to the Knight Web Services® Inc. Abuse Team, we can generally have the filtering parameters modified to allow the messages through. We may advise talking to customers about their mailing practices. In some cases this discussion will be mandatory before action can be taken (e.g. after recurring issues with the same signatures being caught).
4.1.5 Outbound Deliverability Issues
Although we take every precaution to prevent deliverability issues, there is always a possibility of sending problems. We actively monitor our sending IPs’ presence on major RBL lists, and monitor deliverability to major email providers. If load considerations allow, we may temporarily remove a blocked IP from the sending pool to minimize customer impact. Any deliverability issues clients experience can be escalated to our Abuse Team via Support channels.
4.2 Web Abuse Issues
4.2.1 Files Violate Acceptable Use Policy
Knight Web Services® Inc. maintains a robust anti-abuse monitoring system which includes monitoring for suspicious outbound emails being generated from a client web space. We also run periodic scans for certain content, and monitor for other events such as attempts to compile unauthorized code, breaking volume thresholds and scanning mail content. Problematic files are reviewed by senior Abuse staff. If a violation is found, the offending files are disabled. In the case of phishing sites or other severe violations, the entire site may be disabled. The client will be notified of these actions by the Account Management Team.
4.2.2 DMCA Copyright and Trademark Issues
Knight Web Services® Inc. works with its clients to ensure compliance with Copyright and Trademark law.
If a complaint is received by the client, the client may ask Knight Web Services® Inc. to act to disable infringing files, or disable offending websites.
If a complaint is received by Knight Web Services® Inc., we will consult with the client via a pre-arranged communication channel to decide on the correct course of action.
If Knight Web Services® Inc. does not receive feedback from the client, the complaint may need to be processed independently to protect our infrastructure.
4.2.3 Child Pornography
Knight Web Services® Inc. takes Child Pornography very seriously. All detected cases are reported to Law Enforcement via the National Center for Missing and Exploited Children’s (NCMEC) CyberTipline program.
If Knight Web Services® Inc. becomes aware of the existence of any child pornography on a website or hosted source either through notification by the client or any other method, Knight Web Services® Inc. shall provide all required reporting to the CyberTipline made available by the National Center for Missing and Exploited Children (“CyberTipline”). If Knight Web Services® Inc. becomes aware of any Child Pornography on a website or hosted source through a method or entity other than the client, Knight Web Services® Inc. shall notify the client of its notification and investigation. Knight Web Services® Inc. is required to suspend the account, preserve data for 90 days pending investigative demand and cooperate with law enforcement if provided valid legal demand and subpoena, search warrant, pen register, etc.
Under no circumstances should any child pornography content be transmitted via email or any other methods. To report this content to us, please provide us only with a reference to the domain where the content is located. If the client finds child pornography material on Knight Web Services® Inc.’s servers, please report to abuse@knightwebservices.com.
4.2.4 Investigative Demands
Knight Web Services® Inc. will cooperate with all law enforcement investigative demands. If the investigative demand is NOT served under the seal of the court, Knight Web Services® Inc. will notify the client of the existence of the investigative demand related to their court.
All communications regarding investigative demands can be sent to: abuse@knightwebservices.com
Please note that Knight Web Services® Inc. MUST be named in the investigative demand in order to respond under the requirements of the law. Knight Web Services® Inc. cannot respond to the investigative demands directed only to the client.
4.3 Announcer/Email Marketing
This application is designed for high volume sending. The client’s package determines the limit of contacts that each campaign can be sent to. Beyond this, there is no hard limit to how many emails can be sent.
Using Announcer to send unsolicited email is strictly prohibited. Senders should only include contacts to which they have obtained permission to send. Uploading purchased contact lists is prohibited.
Knight Web Services® Inc. Abuse Department carefully monitors complaints, ISP feedback and amounts of emails sent to invalid addresses. If any of these statistics drop below acceptable parameters, the sender’s account may be blocked. In these cases, notice will be sent to the client asking them to review their sending and list acquisition practices.
5 Abuse Procedures
5.1 Overview
This section specifies how certain abuse events are detected and responded to and how client notification is conducted. It also details how the Knight Web Services® Inc. Abuse Department will be engaged in specific situations.
Events outlined include exploitation of files in customer web space, violation of AUP, Digital Millennium Copyright Act (“DMCA”) copyright issues, outbound email abuse, child pornography matters, complaint handling and IP whitelisting requests.
5.2 Notification Procedures
Unless otherwise stated in section 5.3, Knight Web Services® Inc.’s Management team will be responsible for communicating remediation activities taken by Knight Web Services® Inc.’s Abuse Department on behalf of the client. Knight Web Services® Inc.’s Management team will send an email to the client for each abuse event. The client will be responsible for account termination or for providing appropriate guidance to Knight Web Services® Inc. whenever necessary.
Requests from the client to Knight Web Services® Inc. in regards to whitelisting, unblocking accounts or other standard abuse questions should be directed to Knight Web Services® Inc. via standard escalation procedures.
Standard escalation procedures involve:
- Contacting our Customer Care Team via phone or email
- For high priority issues, contacting our Client Relations team
- Contacting Support Management is also available
These procedures, as well as specific contact information, are detailed at length in our Escalations Document, https://www.knightwebservices.com
In the event of DMCA removal requests or Child Pornography removal requests, the client should notify our legal contact at abuse@knightwebservices.com to review and forward to the Abuse Department.
5.3 Event Detection, Response & Notification Details
5.3.1 Inbound RBL False Positive Remediation
Event | Detection | Response |
An external IP address is blocked by our mail system. | Knight Web Services® Inc. receives a request from the client to add an IP address to the Knight Web Services® Inc. RBL whitelist. | The client will provide all necessary information to Knight Web Services® Inc. via Standard Escalation procedures |
5.3.2 Inbound Spam false positive on an alias account
Event | Detection | Response |
An external sender is blocked from sending email to an alias account due to spam content. | Sender received “This message has been blocked due to SPAM-like characteristics. Please contact support for assistance.” and informs Support. | Knight Web Services® Inc. Abuse can remediate after examining a copy of the bounceback error message that was received by the sender. |
5.3.3 Outbound Email Abuse
Event | Detection | Response |
A user account is found to be sending spam or fraudulent email. | Outbound email abuse is detected by our anti-abuse systems (including threshold violations) or complaints are received by the Abuse Department | The account will be reviewed by the Knight Web Services® Inc. Abuse Department within one (1) hour and a temporary block will be placed against the violating account if the emails violate AUP or other relevant policy. If the email is found to be legitimate, the block will be removed. If the block remains in place after this review, the partner will be notified that a persistent block has been put in place. |
5.3.4 Outbound Threshold Whitelisting
Event | Detection | Response |
End-user wishes to send legitimate mail beyond our usual daily threshold. | Customer informs Support. | Customer is asked to complete a questionnaire; Knight Web Services® Inc. Abuse evaluates the request and grants whitelisting if applicable. |
5.3.5 Outbound Filtering False Positive
Event | Detection | Response |
End-user is blocked from sending a message due to outbound spam filtering. | Customer informs Support. | Knight Web Services® Inc. Abuse can remediate after examining a copy of the error message that was received by the sender. |
5.3.6 Outbound Deliverability Issues
Event | Detection | Response |
Outbound mail servers experience deliverability issues. | Knight Web Services® Inc.’s detection systems indicate an issue, or a customer complains of an issue sending externally. | Knight Web Services® Inc. will act to remediate the problem through any and all methods available. This includes removing blocked IPs from service, communicating with the entity who is blocking our servers, and investigating and correcting the root cause(s) of the block. |
5.3.7 Web Files Violate AUP
Event | Detection | Response |
Files or content present in a customer’s web space violate AUP or other relevant policy. | Knight Web Services® Inc. locates unacceptable content after receiving a complaint from the partner or directly from a customer or a third party via support, abuse/postmaster or other communications channels, or through other detection methods | Problematic files are reviewed by senior Abuse staff. If a violation is found, the offending files are disabled. In the case of phisher sites, the entire site may be disabled. The client will be notified of these actions by the Account Management Team. |
5.3.8 Web Files Used to Send Spam
Event | Detection | Response |
Files or content, including but not limited to html documents, scripts, webforms, etc, present on a customer’s web space are exploited and used to send bulk mail. | Knight Web Services® Inc. maintains a robust anti-abuse monitoring system which includes monitoring for suspicious outbound emails being generated from a customer webspace. We also run periodic scans for certain content, and monitor for other events such as attempts to compile unauthorized code, breaking volume thresholds and scanning mail content. | If the files are used to send bulk outbound email messages and the activity is detected by Knight Web Services® Inc.’s anti-abuse systems, or Knight Web Services® Inc. is informed of the exploit due to a complaint, quarantined messages will be reviewed by the Abuse Department within one hour. Malicious files are removed. Files that are vulnerable to exploitation are disabled. The client will be notified of these actions by the Account Management Team. |
5.3.9 DMCA Copyright and Trademark Issues
Event | Detection | Response |
Knight Web Services® Inc. or a client receives a valid DMCA complaint regarding files or content present in a customer’s web space. | Knight Web Services® Inc. receives a notice regarding alleged infringement from the partner or directly from the copyright holder. | If the client requests content be removed in response to a valid DMCA complaint, Knight Web Services® Inc.’s Abuse Department will disable the content within 1 business day. If a client requests content to be replaced, Knight Web Services® Inc.’s Abuse Department will re-instate the content within 1 business day. If Knight Web Services® Inc. receives a DMCA notice directly from the content owner/copyright holder, it will forward the request to the partner for review. Complaints should be sent to abuse@knightwebservices.com |
5.3.10 Child Pornography
Event | Detection | Response |
Child Pornography present in a user account | Suspected child pornography content on a website or hosted source is identified by anti-abuse systems, or a complaint is received by the partner or Knight Web Services® Inc. | If Knight Web Services® Inc. becomes aware of the existence of any child pornography on a website or hosted source either through notification by the client or any other method, Knight Web Services® Inc. shall provide all required reporting to the CyberTipline made available by the National Center for Missing and Exploited Children (“CyberTipline”). If Knight Web Services® Inc. becomes aware of any CP on a website or hosted source through a method or entity other than the partner, Knight Web Services® Inc. shall notify the client of its notification and investigation. |
6 Appendix A: Knight Web Services® Inc. IP Whitelist and Blacklist Deployment
Please note, these are listed in the order in which they are processed by our system. This list represents our standard WL/BL deployment.
LIST NAME | LIST URL | ERROR CODE |
The Hostopia Whitelist, managed by the Abuse Team | wl.hostopia.com | N/A |
The DNS Whitelist http://dnswl.org.org/ | list.dnswl.org | N/A |
The Mail Spike Whitelist http://mailspike.org/ | wl.mailspike.net | N/A |
Cloudmark’s Sender Intelligence Blacklist | csi.cloudmark.com | H:CSI |
Hostopia’s Dynamic IP list | dul.hostopia.com | H:DBL |
Return Path’s Sender Score Blacklist | bl.score.senderscore.com | H:RPBL |
Not Just Another Bogus List | combined.njabl.org | H:NJB## |
Composite Blocking List | cbl.abuseat.org | H:CBL |
Passive Spam Block List | psbl.surriel.com | H:PSBL |
The Abusive Hosts Blocking List | dnsbl.ahbl.org | H:ABL## |
SpamCop Blacklist | bl.spamcop.net | H:SC |
Anubis Network’s MailSpike Blacklist | bl.mailspike.net | H:M## |
Hostopia MXB dynamic IP Blocking (4 hour blocks from high spam/ham ratio sources) | dnsbl.hostopia.com | H:MXB |
Hostopia DAD dynamic IP Blocking (4 hour blocks from sources which appear to be using dictionary attack methods) | dnsbl.hostopia.com | H:DAD |
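The bounce format from section 4.1.1 and the roster above can be combined into a ticket triage helper; the following is an added example, not Knight Web Services® Inc. tooling. It assumes the "##" in codes such as H:NJB## is a numeric suffix, and the function names, result fields and sample ticket text are constructed for illustration. The query name uses the standard DNSBL convention of reversed IPv4 octets followed by the list zone.

```python
import ipaddress
import re

# Blacklist rows from Appendix A, in processing order: (code, zone, list name).
# Whitelists carry no error code, so they never appear in a bounce.
BLACKLISTS = [
    ("CSI", "csi.cloudmark.com", "Cloudmark Sender Intelligence Blacklist"),
    ("DBL", "dul.hostopia.com", "Hostopia Dynamic IP list"),
    ("RPBL", "bl.score.senderscore.com", "Return Path Sender Score Blacklist"),
    ("NJB", "combined.njabl.org", "Not Just Another Bogus List"),
    ("CBL", "cbl.abuseat.org", "Composite Blocking List"),
    ("PSBL", "psbl.surriel.com", "Passive Spam Block List"),
    ("ABL", "dnsbl.ahbl.org", "The Abusive Hosts Blocking List"),
    ("SC", "bl.spamcop.net", "SpamCop Blacklist"),
    ("M", "bl.mailspike.net", "MailSpike Blacklist"),
    ("MXB", "dnsbl.hostopia.com", "Hostopia MXB dynamic IP Blocking"),
    ("DAD", "dnsbl.hostopia.com", "Hostopia DAD dynamic IP Blocking"),
]
BY_CODE = {code: (zone, name) for code, zone, name in BLACKLISTS}

# Assumption: "##" in the roster stands for digits appended to the code.
BOUNCE_RE = re.compile(
    r"H:([A-Z]+)(\d*)\s+(\S+)\s+Connection Refused Due to Abuse")


def dnsbl_query_name(ip, zone):
    """Return the name a DNSBL lookup resolves: reversed IPv4 octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def triage_bounce(text):
    """Extract the list code and blocked IP from pasted bounce text.

    Returns None when no RBL rejection line is present, otherwise a dict
    describing the block plus any problems that stop the ticket as filed.
    """
    m = BOUNCE_RE.search(text)
    if m is None:
        return None
    code, suffix, raw_ip = m.groups()
    result = {"code": code, "suffix": suffix, "ip": raw_ip,
              "list": None, "zone": None, "query": None, "problems": []}
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        result["problems"].append("blocked address is not a valid IP")
        return result
    if not addr.is_global:
        # A private or reserved address cannot be the real connecting IP.
        result["problems"].append("address is not publicly routable")
    if code not in BY_CODE:
        result["problems"].append("code is not in the Appendix A roster")
        return result
    zone, name = BY_CODE[code]
    result.update(list=name, zone=zone)
    if addr.version == 4:
        result["query"] = dnsbl_query_name(raw_ip, zone)
    return result


# Constructed ticket text, reusing the page's own example address.
SAMPLE = """Delivery to the following recipient failed:
    user@example.com
Remote server said: H:CSI 1.2.3.4 Connection Refused Due to Abuse
"""

if __name__ == "__main__":
    print(triage_bounce(SAMPLE))
```

Resolving the returned query name confirms whether the address is still listed before a whitelist request is escalated.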
7 Appendix B: Cloudmark Manual Reporting Guide
This guide provides instructions for submitting feedback to Cloudmark about false positives and false negatives.
- A false positive is a legitimate message that Cloudmark incorrectly classified as spam or phishing.
- A false negative is a spam or phishing message that Cloudmark incorrectly classified as legitimate.
Cloudmark’s accuracy depends on feedback from end users. By reporting incorrectly-classified messages promptly, you contribute to the accuracy of Cloudmark’s service.
The messages that you report must be in RFC822 format as MIME attachments. This preserves the email header information that Cloudmark requires.
Do not send misclassified messages by using the Forward command; this strips them of essential header information.
Knight Web Services® Inc. has set up email addresses for feedback submission: abuse@knightwebservices.com
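The difference between an RFC822 attachment and a Forward, described above and in section 4.1.2, shown as an added example that is not part of the original guide. The sample message, the reporter address and the function names are constructed; only the reporting address comes from this document.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a received message, with the headers a filter needs.
ORIGINAL = (
    b"Received: from mail.example.net (mail.example.net [1.2.3.4])\r\n"
    b"\tby mx.example.com; Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"From: sender@example.net\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Quarterly invoice\r\n"
    b"\r\n"
    b"Please find the invoice attached.\r\n"
)


def new_report(reporter, report_to, verdict):
    """Create the outer report message addressed to the feedback mailbox."""
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "Misclassified message: " + verdict
    return report


def report_as_attachment(original_bytes, reporter, report_to, verdict):
    """Wrap the untouched original as a message/rfc822 MIME part."""
    original = message_from_bytes(original_bytes, policy=policy.default)
    report = new_report(reporter, report_to, verdict)
    report.set_content("Reported message attached in RFC822 format.")
    report.add_attachment(original)  # a Message object becomes message/rfc822
    return report.as_bytes()


def report_as_inline_forward(original_bytes, reporter, report_to, verdict):
    """What a plain Forward does: quote a few fields and the body text only."""
    original = message_from_bytes(original_bytes, policy=policy.default)
    report = new_report(reporter, report_to, verdict)
    body = original.get_body(preferencelist=("plain",)).get_content()
    report.set_content(
        "---- Forwarded message ----\n"
        f"From: {original['From']}\nSubject: {original['Subject']}\n\n{body}")
    return report.as_bytes()


def preserved_headers(report_bytes):
    """Header names of the first attached message/rfc822 part, else []."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return list(part.get_content().keys())
    return []


if __name__ == "__main__":
    args = (ORIGINAL, "user@example.com",
            "abuse@knightwebservices.com", "false positive")
    print("attachment:", preserved_headers(report_as_attachment(*args)))
    print("forward:   ", preserved_headers(report_as_inline_forward(*args)))
```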
HOW TO REPORT A MISCLASSIFIED MESSAGE WITH MICROSOFT OUTLOOK OR OUTLOOK EXPRESS
- From the File menu, select New > Mail Message to open a new message window.
- Address the message to the appropriate address, provided by your email administrator.
- Drag the misclassified message or messages onto the new message window to attach them. Although you can attach as many messages as you like, your email server is configured to reject messages that are too large. Be aware of your server’s size limit when constructing your message.
- Click Send to send the message.
HOW TO REPORT A MISCLASSIFIED MESSAGE WITH THUNDERBIRD
- From the File menu, select New > Message to open a new message window.
- Address the message to the appropriate address, provided by your email administrator.
- Drag the misclassified message or messages onto the new message window to attach them. Although you can attach as many messages as you like, your email server is configured to reject messages that are too large. Be aware of your server’s size limit when constructing your message.
- Click Send to send the message.
HOW TO REPORT A MISCLASSIFIED MESSAGE WITH EUDORA
- In the message list, select the misclassified message.
- From the File menu, select Save As…. The Save As window appears.
- Navigate to an appropriate location in which to save the message.
- Select the Include Headers checkbox.
- Click Save. Repeat step 1 through step 5 for each misclassified message.
- From the Message menu, select New Message. A new message window appears.
- Address the message to the appropriate address, provided by your email administrator.
- From the Message menu, select Attach File. The Attach File window appears.
- Navigate to the location where you saved the misclassified message, then select it.
- Click Attach. Although you can attach as many messages as you like, your email server is configured to reject messages that are too large. Be aware of your server’s size limit when constructing your message.
- Click Send to send the message.
HOW TO REPORT A MISCLASSIFIED MESSAGE WITH MAC OS X MAIL
- In the message list, select the misclassified message.
- From the File menu, select Save As….
- Save the file in an appropriate location.
- From the File menu, select New Message to open a new message window.
- Address the message to the appropriate address, provided by your email administrator.
- From the File menu, select Attach File….
- Navigate to the location where you saved the misclassified message, then select it.
- Click Choose File to attach the saved file. Although you can attach as many messages as you like, your email server is configured to reject messages that are too large. Be aware of your server’s size limit when constructing your message.
- Click Send to send the message.
8 Appendix C: SMTP Whitelist Vetting Questionnaire
Before Knight Web Services® Inc. whitelists an account the following questions must be answered by the sender. This helps Knight Web Services® Inc. vet the sender so that we don’t grant whitelist status to a sender whose email could be considered spam and damage our deliverability or get our servers blocked.
Please obtain this information and provide it in a ticket to BUCE.
To be considered for whitelisting, the client must provide the following information:
- Please supply the SMTP username. This is usually the email address used to send. Note: The client must use SMTP authentication to take advantage of our whitelisting.
- Does the user require whitelisting to send newsletters or other bulk mail?
- How many recipients will they be sending this message to? If an exact number is not available, a range of anticipated email volume is acceptable.
- How often will they be sending messages?
- How/where did the client obtain their recipients/mailing list?
- What program will the user be using to send the mail?
- If applicable, please provide a sample of the message being sent.
- For bulk/newsletter emails, each message will be required to have valid opt-out information and the messages should only be sent to recipients who have requested their messages. The Opt Out must be clearly visible in all messages, including the provided example. We will not proceed if this requirement is not met.
If the customer can provide the above stated information, we will evaluate it for whitelisting. If the information is satisfactory, we will whitelist them on a trial basis. If they generate a large volume of complaints, or we have other reasons to believe they are harming our reputation, they will be removed from the whitelist.
9 Appendix D: Account Functionality Limitations
9.1 Functionality Limitations by Account Status
Suspend: FTP and Portal functions are inaccessible. Website and email remain functional.
Disable: FTP and Portal functions are inaccessible. Website is inaccessible. Email remains functional.
Kill: FTP, Portal, Website and Email are all inaccessible.
9.2 Other Limitations
SMTP Block: If a single email account is a source of abuse, that email address will have an SMTP block limitation placed against it. This limitation does not affect the account the address is associated with.