ISPs Gang Up on Spammers
Even unwitting spammers could lose Internet access under tough proposal.
An industry organization representing heavyweight e-mail providers Yahoo, Microsoft, America Online, and EarthLink have teamed on recommendations for ending spam, including cutting off the senders' Internet access. A Statement of Intent, released Tuesday by the anti-spam Technical Alliance (ASTA), lists suggestions and "best practice" recommendations for ISPs, e-mail service providers, governments, corporations, and bulk e-mail senders. Among them: That ISPs shut down so-called "open relays," or e-mail servers that let parties that do not own the mail server relay mail through them without having to log in first. The group also suggests ISPs crack down on virus- and worm-infected computers on their networks, and closely monitor features that let people automatically register for ISP accounts. If implemented, and with the backing of ASTA member companies, the recommendations could greatly reduce the amount of spam e-mail, the group says. The recommendations are the product of more than a year of collaboration between representatives of the member companies. They focus mainly on ISPs whose networks are often used to distribute spam. ISPs Get Tough ISPs that host Web pages should also remove simple programs that can generate e-mail messages, like formmail.pl, a popular and free program for providing feedback to a Web page. ISP customers should also be required to authenticate before sending e-mail from the ISP's network, ASTA says. For bulk e-mail senders, the group discourages the practice of harvesting e-mail addresses without the consent of the e-mail sender and other common spamming practices. It cites source address spoofing and sending e-mail containing information that is false or misleading--both of which are prohibited by the Federal CAN-SPAM Act, but still widely practiced. Consumers aren't a main target for the group. E-mail users have a duty to educate themselves about spam, but ISPs and others with a stake in e-mail services should do a better job giving consumers tools and information to stop spam, the group says. Common Sense Advice Many of the technical suggestions are longtime accepted wisdom in the technical community, says John Levine, a member of the Internet Research Task Force's anti-spam Research Group. "This is all kind of motherhood and apple pie," Levine says. He notes AOL and most other ISPs have been following many of the stated best practices for years. Still, the recommendations are worthwhile if they can reform the small population of organizations with sloppy mailing practices, he adds. Spammers frequently exploit such systems, he said. "It's too bad that the first thing you have to do is tell people not to do something stupid, but there are still a lot of small companies with mailing lists and loosely administered mail servers," he says. Most "responsible organizations" already practice these antispam measures, ASTA acknowledges. However, the group members hope to encourage broader global adoption of secure e-mail practices and reduce the number of opportunities for spammers, according to the published Statement of Intent. While not exciting, common sense recommendations like ASTA's are a welcome relief to the Internet community, Levine says. ASTA's document "demonstrates that the technical management of ISPs do understand the e-mail situation well," he adds. Recommendations that are in line with best practices are more likely to find acceptance than novel new spam-fighting schemes or standards, he adds. "There was always some concern that [ASTA] was going to come up with something weird." Other Efforts Plans to stop spam have taken on a new urgency in the last year, as the volume of spam has increased and begun to eclipse legitimate e-mail traffic. Microsoft, Yahoo, and other leading Internet firms have recently proposed competing plans for e-mail sender authentication, which enables e-mail recipients to verify the source of an incoming message and stop e-mail with forged or "spoofed" sender addresses. In May, Microsoft agreed to merge its recently announced Caller ID antispam proposal with another standard, called Sender Policy Framework (SPF). The company reached an agreement with SPF's author, Meng Weng Wong, to roll the two proposals into one specification. Under the merged proposal, organizations that send e-mail will publish the addresses of their outgoing e-mail servers in DNS using Extensible Markup Language (XML). Companies can check for spoofing at the envelope level, as proposed by SPF, and in the message body, as Microsoft proposed, the statement says. Yahoo's plan, called DomainKeys, uses public/private encryption keys to create a unique signature based on the content and origin of each e-mail message. The ASTA document does not back either authentication scheme, but says both are promising and can be used to prevent spoofing. Standards Fight? Behind the scenes, the document masks a heated standards battle. The Internet Engineering Task Force is considering other spam-fighting methods through Mail Transfer Agent Authorization Records in DNS, Levine says. However, despite disagreements within the group, participants agree that spam is an urgent problem. A sender authentication plan should be ready for public viewing by the end of August. "I can't ever think of situation where there's been a feeling of urgency like there is with this. There's really a feeling that if we don't do something soon, people will give up on e-mail," Levine says.
Reproduced from an article published by PC World
© PC World
The original article can be viewed here:
http://www.pcworld.com/news/article/0,aid,116638,pg,1,RSS,RSS,00.asp
Permalink Bookmark Digg this story
