An industry organization representing heavyweight e-mail providers Yahoo Inc., Microsoft Corp., America Online Inc. and EarthLink
Inc. released recommendations for ending unsolicited commercial ("spam") e-mail, according to a statement by the group.
The Anti-Spam Technical Alliance's (ASTA) Statement of Intent, released Tuesday, includes a list of suggestions and "best
practice" recommendations for Internet service providers (ISPs), e-mail service providers, governments, corporations and bulk
e-mail senders.
Among other things, ASTA recommended that ISPs shut down so-called "open relays," or e-mail servers that allow parties that
do not own the mail server to relay mail through them without needing to log in first. The group also suggested that ISPs
crack down on virus and worm-infected computers on their network and closely monitor features that let people automatically
register for ISP accounts.
If implemented, and with the backing of ASTA member companies, the recommendations could greatly reduce the amount of spam
e-mail, the group said. The recommendations are the product of more than a year of collaboration between representatives of
the member companies and focus, mainly, on ISPs, whose networks are often used to distribute spam.
ISPs that host Web pages should also remove simple programs that can generate e-mail messages, like formmail.pl, a popular
and free program for providing feedback from a Web page. ISP customers should also be required to authenticate before sending
e-mail from the ISP's network, ASTA said.
For bulk e-mail senders, the group discouraged the practice of harvesting e-mail addresses without the consent of the e-mail
sender, as well as other common spamming practices such as source address spoofing and sending e-mail containing information
that is false or misleading.
Consumers were generally let off the hook by the group. While e-mail users have a duty to educate themselves about spam, ISPs
and others with a stake in e-mail need to do a better job providing consumers with tools and information to stop spam, the
group said.
Many of the technical suggestions have for long been accepted wisdom within the technical community, said John Levine, a member
of the Internet Research Task Force's Anti-Spam Research Group.
"This is all kind of motherhood and apple pie," said Levine, who noted that AOL and most other ISPs have been following many
of the stated best practices for years.
Despite that, the recommendations are still worthwhile if they can reform the small population of organizations with sloppy
mailing practices, whose systems are frequently exploited by spammers, he said.
"It's too bad that the first thing you have to do is tell people not to do something stupid, but there are still a lot of
small companies with mailing lists and loosely administered mail servers," he said.
ASTA acknowledged that its antispam measures have already been adopted by most "responsible organizations," but stated that
group members hope to encourage broader global adoption of secure e-mail practices and reduce the number of opportunities
for spammers, according to the published Statement of Intent.
While not exciting, common sense recommendations like those laid out by ASTA are a welcome relief to the Internet community,
Levine said. "Generally (the recommendations) are reasonable. It demonstrates that the technical management of ISPs do understand
the e-mail situation well."
Recommendations that are in line with best practices are more likely to find acceptance than novel new schemes or standards
intended to stop spam, he said. "There was always some concern that (ASTA) was going to come up with something weird. The
fact that you can look at this and say 'Yeah. Sure,' is good because it means that they're not going off on some tangent,"
he said.
Plans to stop spam have taken on a new urgency in the last year, as the volume of spam has increased and begun to eclipse
legitimate e-mail traffic. In recent months, leading companies including Microsoft and Yahoo have proposed competing plans
for e-mail sender authentication, which allows e-mail recipients to verify the source of an incoming message and stop spam
e-mail messages that display forged or "spoofed" sender addresses.
In May, Microsoft agreed to merge its recently announced Caller ID antispam proposal with another, called Sender Policy Framework,
or SPF. The company reached an agreement with SPF's author, Meng Weng Wong, to roll the two proposals into one specification.
Under the merged proposal, organizations that send e-mail will publish the addresses of their outgoing e-mail servers in DNS
using Extensible Markup Language (XML). Companies will be able to check for spoofing at the envelope level, as proposed by
SPF, and in the message body, as proposed by Microsoft, the statement said.
A separate plan backed by Yahoo, called DomainKeys, uses public/private encryption keys to create a unique signature based
on the content and origin of each e-mail message.
The ASTA document does not back either authentication scheme, but says both are promising and can be used to prevent address
spoofing.
Behind the scenes, the document masks a heated battle within the Internet Engineering Task Force's (IETF's) MARID (Mail Transfer
Agent Authorization Records in DNS) over the scope and details of the e-mail authentication proposals, Levine said.
However, despite disagreements within the group, those involved consider spam an urgent problem and plan to have a sender
authentication plan ready for public viewing by the end of August.
"I can't ever think of situation where there's been a feeling of urgency like there is with this. There's really a feeling
that if we don't do something soon, people will give up on e-mail," Levine said.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
