The Anti-Spam Technical Alliance, made up of AOL, Microsoft, Yahoo, BT, EarthLink and Comcast, yesterday published a 19-page report detailing best practices and good neighbor principles that could lower spam volumes.
Among the proposals are suggestions for blocking compromised PCs that are sending spamlike quantities of email. It is said that the vast majority of today’s spam originates from machines that have been compromised by malware or hackers.
All ISPs should develop methods for discovering compromised computers, the report says. Computers that show signs of infection should be removed from the network or quarantined until the virus, worm, and/or malware can be removed.
The report suggests the easiest way to do this is for ISPs to block email port 25, because most consumers will not normally want to run, or even be permitted to run, SMTP servers on their home computers.
EarthLink is already blocking port 25, according to director of product management Stephen Currie. Comcast, said to be one of the hardest hit in terms of compromised customers, is believed to also be blocking PCs that start spamming.
We all would want to do it, we understand spam is bad and we don’t want spammers on our network, Currie said. It’s hard to track down these machines, he said. People need to take ownership of what’s happening on their network, he added.
Without actual quarantining or blocking, the report also recommends throttling the amount of email a residential user is allowed to send. The report suggests 150 recipients an hour, or 500 recipients a day, combined with a limit on spam-related complaints.
The report also contains recommendations about securing the CGI script formmail.pl, which it says is in common use on the internet for legitimate web-to-email purposes, but which can be easily hacked to be a source of spam.
The report also represents the alignment for the first time of the two major emerging sender authentication specifications – Yahoo’s DomainKeys and the Microsoft-backed Sender ID (the merger of Caller ID and Sender Policy Framework).
The ATSA report identifies and recommends the two proposed standards conceptually, without naming either. Both systems are intended not to stop spam, but to provide a means to authenticate email senders, a factor that could reduce spam.
DomainKeys envisages email senders publishing a cryptographic key in domain name system records, and signing outgoing email with the matching private key. Sender ID envisages email senders publishing the IP addresses of their mail servers in the DNS.
Yahoo anti-spam product manager Miles Libbey said that it’s the first time both proposals have been acknowledged together and recommended this way. There are pros and cons to both, he said. The combination is going to be strong than either.
Libbey said the next step is to start conducting real-world trials of Sender ID and DomainKeys, to get data to analyze the effectiveness of both. Both specs have been submitted to standards bodies for discussion.
