I Take Abuse According to RFC 2142

I was told Friday that Buzzword.Com has been added to a blacklist at RFC Ignorant because the domain doesn't have an abuse email account. Somebody wanted to report a spam blog on my server, and when he couldn't send mail to an abuse account here, I was turned in for RFC reeducation.

RFC 2142 requires that web sites and other servers take mail at several standard mailboxes, including abuse@domain for complaints, postmaster@domain for issues regarding mail servers and webmaster@domain for web servers. According to RFC Ignorant, all domains that might be abused must have an abuse account that takes mail.

It is ... a widely-held misconception that <abuse@domain> only needs to work for Internet Service Providers. Instead, it should work for any "organization" for which e-mail (or other abusable Internet) service exists, whether that service is provided to one user or one million.

Because an abuse account is likely to get a bunch of spam, I was hoping to put an autoresponder there that tells people to use a web form to file complaints. But that violates the RFC:

... sites are welcome to suggest "better/optimized" methods of communication, but they must acknowledge that the complaint will be acted upon, as submitted to the main abuse@domain address.

RFC Ignorant's approach is obnoxious but the point's valid. You can't run a service like a free weblog host without being attentive to complaints.

After dealing with this and spending most of the day on spam problems on my weblog and e-mail servers, I decided that my plan to run 16 WordPress MU servers was completely insane. I've consolidated all of them down to a single host, Buzzword.Com.


RFC 2142 is just stupid elitism. Make up rules that the vast majority of the planet doesn't know or care about. Then say you are better because you are elitist compliant. The truth is most domains with websites don't even have mail servers.

Huh. I was going to follow your example, actually, and open a (inital account moderated) WP MU setup at some tightly related domains I own. Hmm.

Isn't the only negative consequence of violating this RFC, and particularly of being blacklisted at RFC Ignorant, that mail from users at buzzword.com might be black listed? If you aren't sending mail from that domain, there is no real downside to being listed.

Judging from the current mx record on buzzword.com you are now attempting to receive mail at that domain, but if you aren't planning on sending any, you don't need to worry. Just do what you suggest and autorespond to mail to abuse@domain with a link to a web form for complaints.

What am I missing?

My read of the RFC is that offering any service that's subject to user abuse means you should offer abuse@domain. If you don't offer e-mail, you don't need postmaster@domain.

In this case, the abuse that triggered the complaint was some pretty odious porn spam. I had deleted the spam blog already, but the spammer linked other sites to the Buzzword.Com blog.

Bryan: My advice is to start with one WPMU server and scale up after figuring out how to reduce abuse. I was dealing with the same spam bloggers hitting multiple servers.

I agree with your reading, but since this is a "should" not a "must," I don't see the downside. RFC 2119 specifies that there may be valid reasons for ignoring a "should." You seem to have valid reasons not to support abuse@domain and having an autoresponder that sends a link seems reasonable response when the potential abuse is abusive websites.

Beyond that, this language in the abstract, "Additional mailbox names and aliases are not prohibited, but organizations which support email exchanges with the Internet are encouraged to support AT LEAST each mailbox name for which the associated function exists within the organization," implies that the rfc applies only to, well, organizations which support email exchanges with the Internet.

"RFC 2142 is just stupid elitism. Make up rules that the vast majority of the planet doesn't know or care about."

Most of the world doesn't care about any of the RFCs. It is frightening how many of the RFCs are ignored by tech companies. Even the HTTP protocol, which allows me to post this comment and allows you to read it, is largely ignored by many of the companies whose technology I rely upon. Sam Ruby documented an example recently. It would be trivially easy to find 20 other examples of important parts of HTTP being ignored by important vendors. SOAP, as Pete Lacey put it so well, tunnels over HTTP without implementing any of its status codes.

And that's just HTTP. Then there are all the other hundreds of technologies we rely upon.

I think any of RFCs can be criticized for being obscure and unnecessary. But if we all start treating them all as optional, where will we be?

Most of the world doesn't care about any of the RFCs. It is frightening how many of the RFCs are ignored by tech companies

The primary penalty of inclusion in rfc-ignorant is that email is penalized by Spam Assassin. Since Spam Assassins weightings are derived statistically, that it has a positive score (penalty) for these tests suggests that people who care comply, otherwise the tests wouldn't be useful in identifying spam.

Not elitism, not obnoxious, but about being a good neighbour, and identifying those who aren't.

The real question is why some of the big email providers don't comply, one can use these scores to see how much they care about delivering your email.


The whole issue with abuse@domain is that if I'm getting abuse, I want a quick address I can mail my complaint and logs and know it is getting taken care of. Getting back an email saying the following:

"You are one step away from obtaining help!

To avoid spam on our support system and to better serve our customers,
we require you to be registered before sending requests.

Please, do so at:

it only takes a minute, and it's required only once.

After that you can send your requests by email and the system will recognize you automatically.

Once registered, you may send all requests to: suave-support@suavemente.net
or, you may use the web based interface to manage and track your requests at:


Do I really care to create an account? And it wasn't just creating an account, I then had to wait for their email-verification to work (and since I have greylisting in use to delay things for a 55s and their mail server hasn't tried again, I still don't have the email, nor a way to report this that a human there will read).

The only reason I even am continuing to follow-up is that some jerk customer of theirs continues to dictionary attack my sshd. I submitted my complaint to them 2 days ago to their WHOIS abuse email listed (suave-noc@suavemente.net) and got no response. I submitted again to their custom "suave-abuse@suavemente.net" listed in the COMMENTS section of their whois (retarded, list it under the OrgAbuse info or at least don't supply two conflicting emails for abuse in two different sections). Then I get a this "create an account" junk? How many hoops do I have to jump through to report abuse from their customer?

Enough for me to report them to rfc-ingornant and warn them of such (via their lovely ticket system now that I finally got the email confirmation) - until they fix it, their users will get more emails flagged as spam since their SpamAssassin scores will go up (bad).

I'm not "elite," I just don't want to waste my time on someone else's problem.

RFC 2142 is only a PROPOSED standard.

It is NOT a STANDARD. Yet.

RFC-Ignorant is ... well ... RFC-ignorant for blacklisting you because you are not following a standard that isn't a standard yet.


Add a Comment

All comments are moderated before publication. These HTML tags are permitted: <p>, <b>, <i>, <a>, and <blockquote>. This site is protected by reCAPTCHA (for which the Google Privacy Policy and Terms of Service apply).