June 22, 2004 12:44 PM PDT

Alliance turns up heat on spam

A coalition of top Internet service providers on Tuesday advocated a set of technical guidelines designed to stem the tide of spam.

Yahoo, Microsoft, EarthLink, America Online, British Telecom and Comcast announced a proposal of best practices for filtering and sending e-mail. Among the recommendations are technical methods for authenticating e-mail senders by Internet Protocol address or with digital content signatures. That way, ISPs and e-mail providers could help prevent e-mail fraud, one of the chief frustrations for antispam fighters.

In addition, the group advocated that ISPs detect and shut off Internet traffic from "zombie" machines, hijacked consumer PCs on their networks used to send millions of unwanted e-mail messages every day.

"Our aim with this proposal is to help lay out a clear framework for the industry as we continue to work together to end the spam business and put our customers back in control of their inboxes once again," Ryan Hamlin, general manager of Microsoft's Anti-Spam Technology and Strategy Group, said in a statement.

The effort is the latest from the Anti-Spam Technical Alliance, or ASTA, a group formed in April 2003 by the four major ISPs--Yahoo, Microsoft, EarthLink and AOL. Since its founding, the coalition has not publicly announced many joint projects, but individually, the parties have labored over technical and legal efforts to thwart spammers.

On the technical front, each company in the last year has publicly backed a different system for authenticating e-mail and quashing mail forgeries, or domain spoofing. Yahoo has backed a system known as DomainKeys for verifying the identity of an e-mail sender with digital signatures, or two-key encryption. AOL has been testing a DNS-based system, formerly known as Sender Permitted From and recently renamed Sender Policy Framework, or SPF. Microsoft, too, has developed its own system for identifying the origin of e-mail, called Caller ID for E-mail. It recently proposed a merger of Caller ID with SPF.

On Thursday, the coalition endorsed the underlying technical methods of each system, without specifying a standard. The group is examining both DNS-based and encryption-based systems and believes that the two standards are complementary.

ASTA's proposal also said that ISPs should implement rate limits on outbound e-mail traffic, control automated registration of accounts and close all open relays, which are a big source for e-mail. They also urged ISPs to block or limit e-mail on Port 25, the main thoroughfare for e-mail communications. For consumers, they recommended that all PC users install virus protection and security systems.

Earlier this year, ASTA launched its first joint legal assault against spammers. The suits claim that hundreds of unnamed defendants sent messages using false e-mail addresses--a violation of the newly enacted federal Can-Spam Act.

3 comments

Join the conversation!
Add your comment
Spam will die!
SPAM needs to die. Every day, no matter what I do, there is always new spam arriving at my inbox and I hate it!
Posted by KDoggMDF (25 comments )
Reply Link Flag
Something gotta be done
I'm getting 20-50 spams per day and seeing spam & virus mails
alledgedly sent by me but impossible as they're windoze worms
and I run Mac. It is way out of hand. The ISP's and the
government need to get on this problem and get some real
results. Lets start jailing spammers!
Posted by (3 comments )
Reply Link Flag
Why is this our problem?
It's all very well blaming end users for using zombie PC's, but how is this our problem, aside from the fact it means we have unwanted spyware and trojans on our machines?

First they sell us flawed operating systems, internet browsing software and anti-virus tools, then they tell us that if we don't fix the problems they've made possible because of this flawed software, they'll switch us off from the net.

So where is the one click fix for us to download and protect our machines from this spyware?

Does this now make them liable if we are infected?

If companies like Microsoft and AOL were serious about this problem, especially spam, they could have done something about this a very long time ago.

Unfortunately greed is getting in the way of the solution.

On the one hand you have ISPs that don't want to lose their corporate customer base, particularly the guys responsible for spam, as these are the very people they make their money from.

On the other, you have each Internet software provider wanting to be the one that owns the standard that will help irradicate spam.

They know how to do it, using techniques such as intelligent verification, i.e. requiring that each new email address received is verified via a code that could only be translated by something as flexible as a person - similar to the verification process they use to prevent spammers from automatically opening up thousands of hotmail, yahoo, aol, etc email accounts.

Another is to require that all email senders receive and translate a simple calculation on their machines before an email server will accept their message. For someone that is only sending normal email, this would result in virtually negligable use of their processor for a fraction of a second.

For someone sending millions of emails a minute/hour or whatever, this would tie up their PC's with these calculations rendering them useless - effectively causing a denial of service attack on themselves.

These are just simple solutions from someone who has little or no software engineering expertise.

As I said, this problem is not ours in the making, and the solution, or at least the means to a solution should be placed squarely in the laps of these companies that want to deny our access because it's spoiling their profits.

When Microsoft start distributing free antispyware and antivirus software, professional enough that it doesn't need weekly updates - when they volunteer to remove the problem items from our machines at their time and expense, then they can start talking about restricting access to the net. BTW do you really think that Norton, CA, etc update their own software weekly - can anyone explain how they are able to respond with antivirus updates within minutes of a new virus being released? If they were to sell the software they used, they would be out of business, because it would not require any sort of update for years at a time.
Posted by ajbright (447 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.