The Anti-Spam Technical Alliance (ASTA) has issued suggestions for Internet service providers, e-mail service providers, and bulk e-mailers regarding combating spam.
According to the ASTA, there are two promising methods of message authentication. The organization believes that systems that allow recipients to determine whether a message is legitimate, and to identify the sender, are at the crux of the anti-spam battle.
The first method involves authenticating senders based on their Internet protocol (IP) address. The ASTA calls the IP address “the only trustworthy attribute in an e-mail message header.”
Using this method, recipients verify other attributes in the message header, such as the sending domain, and reduce the various forms of forgery that spammers employ.
The second method involves using a series of publicly available and privately held encoded digital signatures. When an e-mail message is sent, the publicly available signature is compared to the privately held signature by the mail server.
The ASTA recommended that legitimate bulk e-mailers:
* Avoid harvesting e-mail addresses through automated means without the owners’ affirmed consent
* Provide clear instructions regarding opting out
* Register e-mail domains with a creditable safelist provider
* Avoid sending e-mail that contains invalid or forged headers
* Avoid sending e-mail that contains invalid or forged headers
* Avoid sending. e-mail that contains invalid or nonexistent domain names in the From or Reply-To headers
* Avoid employing any technique to hide or obscure any information that identifies the true origin or the transmission path of bulk e-mail
* Avoid using a third party's Internet domain name or allowing mail to be relayed from or through a third party's equipment without permission
* Avoid sending e-mail that contains false or misleading information in the subject line or in its content
* Monitor SMTP responses from recipients' mail servers
* Promptly remove all e-mail addresses for which the receiving mail server responds with a 55x SMTP error code (e.g., "user doesn't exist").
The ASTA also advocated a series of technological steps for ISPs and mailbox providers and organizations that provide Internet connectivity. These include implementing rate limits on outbound e-mail traffic; closing all open relays; detecting compromised computers that can be used to relay spam messages; and educating users regarding existing tools, among others.
As for consumers, the ASTA suggests: installing firewalls on PCs as appropriate; using anti-virus software and other screening tools to detect incoming viruses, malware, and harmful or suspicious code; and using spam filtering technologies and customized settings that provide the appropriate level of protection needed.
The full text of the ASTA proposal is available at a variety of links on the participants’ Web sites, including http://antispam.yahoo.com.
“What is good about this is that the [Federal Trade Commission] identified authentication as one of the areas of potential benefit, and this seems to focus on authentication ideas,” said H. Robert Wientzen, CEO of the DMA.
As for the federal do-not-e-mail list, which the FTC said last week was unworkable, Wientzen noted that “authentication would make that unnecessary.”
Wientzen continued, “We are hopeful that out of that will come something that will make authentication of the sender an important part of email of the future. We continue to think that law enforcement is a key part of this thing. In order to have effective law enforcement, you have to be able to identify the sender.”
The Alliance was founded in April 2003 by a variety of online concerns to develop technical standards and address the unsolicited e-mail problem. Current members include leading technology companies such as America Online, British Telecom, Comcast, EarthLink, Microsoft and Yahoo!
