E-mails to nhs.uk addresses from patients may be being blocked due to the inclusion of nhs.uk on a site used by some hosting services to stop spam and invalid emails, E-Health Insider has learned.
The problem has affected at least one GP practice, East Quay Medical Centre in Bridgwater, Somerset. They have found that e-mails meant for them sent via a response form on their site were returned due to the block on ‘nhs.uk’ on rfc-ignorant.org.
The rfc-ignorant list describes itself as "the clearing house for sites who think that the rules of the internet don’t apply to them." Although it stresses it does not operate as an outright block, some mail servers use the site as a reference for marking out invalid e-mail addresses.
Huw Morgan, technical director of IT services company StreamPartners, which designed and manages the practice’s site, told E-Health Insider how he noticed there was a potential problem: "We discovered the problem after a practice notified us that some patients had problems informing them of appointment changes via the website designed and hosted by ourselves. We traced the problem as likely to be ISP or hosting mail servers using rfc-ignorant lists to block undesirable mail."
"We tried to get rfc-ignorant to remove the listings and also notified nhs.uk of the potential problem. We also liaised with the practice’s PCT IT contact but still could not resolve the issue," said Morgan.
The practice’s website has online forms where patients can change their address, order repeat prescriptions and to cancel appointments. Deb Farnworth-Wood, managing partner at East Quay Medical Centre, said: "We were alerted to the problem when patients called into our pharmacy for prescriptions that they had ordered online and discovered that we had no record of the order. Our local informatics department was unable to resolve the problem so we asked StreamPartners to investigate further."
"This really is a major problem for the practice and patients – the real issue is we have no way of knowing the scale of the problem and how much email is actually going missing," she added.
The ‘nhs.uk’ domain is listed three times on rfc-ignorant.org’s site, which enumerates which domains are ‘ignorant’ of the internet RFC (‘Request For Comments’) agreements, a series of agreed, non-binding rules that aim to provide guidance on how the internet should operate.
According to the site, the ‘nhs.uk’ domain breaks three rules; RFC2821, which asks that each domain should have a responsive ‘postmaster’ address, RFC2142, which says that an ‘abuse’ address should exist, and RFC1032, stipulating that WHOIS (contact details for a domain) ought to be up-to-date and correct.
The NHS is listed on rfc-ignorant.org because postmaster@nhs.uk and abuse@nhs.uk both bounce, and no contact details exist for ‘nhs.uk’.
As well as some hosting companies and mail servers using rfc-ignorant, the popular anti-spam program SpamAssassin, used by several hosting companies as a way of cutting down the amount of spam received by their customers, can be configured to check e-mail addresses against listings on rfc-ignorant.org.
The system uses a sophisticated point scoring mechanism to gauge which messages are spam and which are genuine. If part of an external e-mail address is listed on rfc-ignorant.org, the software can be configured to award points, with five points often being enough to have the message flagged as spam.
Jay Daley, IT Director of Nominet UK, the organisation responsible for the maintenance of .uk domains, told E-Health Insider that nothing could be possibly done about the listing, as nhs.uk operated as a second-level domain in the same way as ‘co.uk’ – postmaster@co.uk and abuse@co.uk addresses don’t exist, and neither do they in the NHS.
"Generally the best thing we recommend people to do is ignore rfc-ignorant.org. Our advice is that people using SpamAssassin should turn off rfc-ignorant.org from their configuration," he said, adding that he knew of no ISP that routinely used the site as an outright blacklist.
The NHS domain is not the only large-scale organisation listed. The ‘.de’ top-level domain that covers the whole of Germany is on the list for separate reasons. Numerous attempts have been made to delist the country, with little success.
A spokesperson for the Department of Health told E-Health Insider they were aware of the potential block, but they had no plans to add ‘postmaster’ or ‘abuse’ addresses to the nhs.uk domain due to security considerations.
"Within the Internet standards for email there are some optional recommendations regarding the provision of some email addresses such as ‘postmaster’," said the DH. "These accounts are typically targeted by spammers or by people trying to gain unauthorised access to systems. For security reasons the NHS has never made a provision for such accounts or hosting addresses."
Anybody wishing to report abuse of the nhs.uk domain could do so through a link on the website, the DH added.
In the meantime, the practice has put a notice up on its site explaining the problem and asking users to be patient. StreamPartners has added the nhs.uk domain to a whitelist on the server, which will guarantee passage to all e-mail to the NHS that arrives on the system.
Links