Anti-Spam Group Goes Way Beyond Authentication

The Anti-Spam Technology Association is focused on more than just sender authentication as it marshals the industry in its battle against spam.

The Anti-Spam Technical Alliance is a collaborative group of major ISPs, including Microsoft, Yahoo!, AOL, Earthlink, British Telecom, and Comcast, whose overall purpose is to defeat spam, or at least to reduce the problem to manageable levels. Members of the group have been presenting authentication proposals at recent e-mail conferences, and ASTA has now issued an interim report, called its Statement of Intent, that outlines authentication but also strongly emphasizes the best practices and technologies that ISPs, e-mail marketers and users should implement in order to fight spam.

The report starts by acknowledging that the major problem with fighting spam is that much of the offensive e-mail traffic emanates from spoofed sites created by relaying messages off innocent IP points. Spammers take advantage of security flaws in the Internet infrastructure, including proxy software, mail server software, and CGI scripts, and, more recently, have created viruses that build e-mail server environments that turn innocent home users into spammers.


All of this adds up to a series of false identities for spammers to hide behind, and the thrust of ASTA's work has been to provide a more certain way to identify an e-mail sender such that recipients can be sure of who their e-mail is coming from. The group is specifically not addressing the opt-in/opt-out problem, and is only focused on making sure that legitimate mass e-mailers get their messages through while spammers do not.

ASTA is attempting to recognize in its work that the Internet Engineering Task Force has not adopted some proposed standards because there is a need for a critical mass of Internet mailboxes to be compliant if they are to take hold. The group believes that it represents such a critical mass, but it also recognizes the other major problem the IETF has, which is that no single solution, however complex or simple, will serve the needs of all users in such a large international community as the Internet.

Curbing E-Mail Forgery

All that aside, the group makes several specific recommendations to address particular problems, the most famous of which are the proposals to establish sender identity. The two methods most often discussed here and at industry conferences are sender authentication and digital signatures. The sender authentication approach now favored is SenderID, which combines Microsoft's proposed CallerID with Meng Wong's Sender Profile Framework. This method modifies the SMTP message header with information that must match a portion of the sender's DNS record.

The digital signature approach is Yahoo!'s Content Signing system, which uses a private and public key pair to verify the sender. Key exchange mechanisms make a sender's public keys available on the Internet, and the private keys are stored on the sender's mail servers. A digital signature is generated in the e-mail message, and the recipient's e-mail server retrieves the public key to verify the sender's identity.

ASTA plans to test both methods during the next year. It seems likely from the conversation during a conference call held by the group that some form of both methods will be adopted.

Recommendations for ISPs

While better known for its work in sender authentication, ASTA believes that such a technology is only one part of the solution to the spam problem. As a result, the group's report included several recommendations for changes to the practices and policies of mail-hosting ISPs.

These changes have to do with the general security of the e-mail server environment, how users are allowed to attach to it, and even how users are allowed to sign up for accounts with ISPs. While not emphasized in public discussions, including ASTA's conference call, the report emphasizes that these recommendations are at least as important to stopping spam as is sender authentication.

1. Close All Open Relays

Mail servers that allow third parties to relay mail through them without authentication let spammers remain anonymous, and such relays should be reconfigured as secure relays.

2. Monitor Formmail.pl And Other CGI applications

Formmail is used by web sites to send an e-mail to the site owner when a visitor submits information to the site, and the program can be installed insecurely. ASTA thinks that web site hosting organizations should regularly scan for programs that can insecurely send e-mail.

3. Configure Proxies for Internal Network Use Only

Open proxies can be used to anonymously send e-mail to any address, and they allow communication on ports other than SMTP's standard e-mail port (i.e., port 25). All proxy software should be configured to allow only internal network users to use the proxy.

4. Detect and Quarantine Compromised Computers

Viruses, worms, and other malicious software allow spammers to deposit back door proxies and open relays on user computers. All ISPs should develop methods for discovering such zombie computers either before they send spam, or when they send e-mail which is clearly spam. Such compromised computers should be removed from the network, quarantined, and not returned until repaired.

A secondary solution is to block Port 25, which is the TCP port used for outbound SMTP e-mail. Exceptions may be made for users with legitimate outbound e-mail needs.

5. Implement Authenticated E-Mail Submission

SMTP does include sender authentication in the form of SMTP AUTH that could be required of e-mail senders. ISPs can also require e-mail senders to switch from Port 25 to Port 587 (Standard Mail Submission port for secure mail), which further enables shutting down SMTP's Port 25.

6. Remove Remote Access To Customer Premises Equipment

Spammers often use small business and home routers as relay points or proxies from which to forward spam. ISPs should check to make sure that remote access to such equipment is disabled, or that at least the equipment does not respond to a default (factory) password.

7. Implement Rate Limits On Outbound E-Mail Traffic

Compromised home and small business computers send spam at extraordinary rates, which is easy to detect. However implemented, such a "tar pit" approach will limit zombie-driven spam e-mail.

8. Control Automated Registration Of Accounts

Spammers have created methods for automatically registering millions of accounts, especially with free ISPs, which can subsequently be used for spam, virus, or Denial of Service attacks. ISPs should develop methods to prevent such automatic generation of accounts.

9. Close Insecure Redirector Services

Redirection services that normally count clicks for advertisers on web pages can also be used by spammers who create what looks like a legitimate advertising site, and is used for acknowledging test-and-response messages among other things. These services should be secured so that third parties cannot use them without permission, and payment.

10. Develop Complaint Reporting Systems

All ISPs should develop a system that allows customers and external parties to report spam easily.
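Recommendation 7 (rate limits on outbound e-mail), as an added example that is not from ASTA's report: a sliding-window count of recipients per customer IP over a mail-submission log, flagging the point at which a source exceeds its limit. The log format, the 200-recipients-per-5-minutes limit, the addresses and the function names are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_constructed_log():
    """Constructed log lines: '<ISO timestamp> <customer IP> <recipient count>'."""
    start = datetime(2004, 1, 1, 9, 0, 0)
    lines = []
    for i in range(6):      # ordinary customer: one recipient every 10 minutes
        lines.append(f"{(start + timedelta(minutes=10 * i)).isoformat()} 192.0.2.10 1")
    for i in range(60):     # zombie-like source: 25 recipients every 2 seconds
        lines.append(f"{(start + timedelta(seconds=2 * i)).isoformat()} 192.0.2.66 25")
    lines.append("garbled line that should be ignored by the parser")
    return sorted(lines)    # same-format ISO timestamps sort chronologically


def find_rate_violations(lines, limit=200, window=timedelta(minutes=5)):
    """Return {customer_ip: time at which it first exceeded the limit}.

    Expects lines in chronological order.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, recipients) inside window
    totals = defaultdict(int)     # ip -> recipients currently inside window
    flagged = {}
    for line in lines:
        try:
            stamp, ip, count = line.split()
            when, rcpts = datetime.fromisoformat(stamp), int(count)
        except ValueError:
            continue              # skip malformed lines instead of crashing
        queue = recent[ip]
        queue.append((when, rcpts))
        totals[ip] += rcpts
        # Drop entries that have aged out of the sliding window.
        while queue and when - queue[0][0] > window:
            totals[ip] -= queue.popleft()[1]
        if totals[ip] > limit and ip not in flagged:
            flagged[ip] = when    # the point at which to throttle or quarantine
    return flagged
```

Counting recipients rather than messages matters here, because a single message addressed to many recipients would otherwise slip under a per-message limit.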

ASTA also had several recommendations for mass marketers to follow, which generally followed guidelines set down by the Direct Marketing Association and other industry groups. They included using opt-in, using valid domain names in reply-to addresses, and similar proposals. The group recommends that consumers become more educated on the problem, learn not to expose themselves to spam, and use the anti-spam tools that are widely available to them.

The complete ASTA proposal can be found at each adopting company's Web site:
