Posted on: Saturday, April 16, 2005
New efforts to halt junk e-mail try to stop it from being sent
By Anick Jesdanun
Associated Press
NEW YORK — There's a new strategy in the spam battle: Call it containment.
Filters for blocking junk e-mail from inboxes have improved to the point that doing much more will needlessly kill legitimate e-mail, said Carl Hutzler, America Online Inc.'s anti-spam coordinator. So e-mail gatekeepers are shifting gears.
They're getting more aggressive at keeping spam from leaving their systems in the first place.
EarthLink, for instance, is phasing in a requirement that customers' mail programs submit passwords before it will send their e-mail.
Like most Internet providers, EarthLink previously made sure only that a computer was associated with a legitimate account. Now that viruses can co-opt computers and use them to send spam, that's no longer secure enough.
So Earthlink sent out new software, made tools available for download and walked customers through changing their settings when they called tech support for other reasons. A year into the initiative, EarthLink has 80 percent of its customers converted.
"Any action can be a little daunting when you're trying to migrate millions of people," said Stephen Currie, EarthLink director of communications products.
It also costs time and money — not insignificant considering that direct benefits don't necessarily go to EarthLink.
But more than altruism was involved. "If there's a lot of spam or abusive mail coming from a particular network, in the future you're going to see that e-mail having low rates of deliverability," Currie said.
In other words, other Internet service providers might start blocking EarthLink e-mail if it doesn't adopt outbound controls.
The pressure to improve outbound controls comes as viruses infect more and more home computers and convert them into spam-relaying "zombies."
These zombies allow spammers to pose as legitimate customers and get around blocks that Internet providers might have had in place.
Although anti-spam advocates say Internet providers can do more to stop spammers from signing up for accounts, Hutzler blames zombies for 90 percent of the spam problem.
Traditional spam controls, the inbound filters, don't work as well with zombies because they can block mail from legitimate customers, too. Outbound controls can target specific zombies.
"The best place to stop spam is before it's sent," said John Reid, a volunteer with the Spamhaus Project anti-spam group. "If you can keep it in the bag, bottled up, that's where it's the least expensive."
For years, anti-spam advocates have been pressuring ISPs to configure mail servers so spammers can't use them to relay junk e-mail. The leading vendor of mail server software, Sendmail Inc., closed such relays by default in 1998, and most ISPs now have the newer software. EarthLink and AOL also have long implemented a technique that forces customers to route e-mail through the providers' own mail servers, instead of sending messages directly to the Internet.
Other ISPs are starting to adopt it as well, giving them the ability to monitor outgoing mail, trace any problems to specific accounts and block or place speed limits on e-mail that exceeds some hourly or daily threshold.
ISPs can also run the spam and virus filters on outbound mail.
And when users of Microsoft's Hotmail try to send a large number of messages, they are prompted to type in random letters displayed on the screen. Presumably, spammers with automated tools wouldn't be able to do it.
But outbound measures are often difficult to justify because they don't directly pare down the junk in customers' inboxes as inbound filters do, said Anne Mitchell, who runs the Institute for Spam and Internet Public Policy, an anti-spam consultancy.
Mitchell said ISPs are businesses and "have to look at the bottom line and their profitability." Besides implementation costs, outbound measures can hurt legitimate customers.
Businesses and some individuals might have a legitimate need to access third-party mail servers, and being forced to go through their providers' systems might cause their e-mail to be mistakenly tagged as spam by the recipient.
