Anti-Spam Alliance Makes Authentication Push

An anti-spam alliance including Yahoo, Microsoft, EarthLink and America Online, Tuesday issued recommendations for curbing spam focused on best practices and authentication.

Following the lead of the Federal Trade Commission, which last week recommended authentication as a key technique for fighting spam, the Anti-Spam Technical Alliance (ASTA) recommended the approach Tuesday. Such procedures help identify the sender of email, a critical element to fighting spam, according to the ASTA and other industry players.

“At Microsoft, about 50 percent of the spam we get has a spoofed domain. Having authentication in place will help stop spam,” said Ryan Hamlin, general manager of Microsoft’s anti-spam technology and strategy group, discussing the recommendations in an ASTA conference call Tuesday.

Ken Hickman, Yahoo’s senior director, mail platforms, added that, “The authentication issue is also critical to protecting users from spoofing and phishing.”

Spoofing, and the related practice of phishing, are growing problems, both for consumers who are victims, and for brands misrepresented. Phishing scams are estimated to have caused between $13.5 billion and $16.4 billion in damage worldwide in 2003, according to security firm mi2g. Zombie hosting — in which spammers commandeer users’ computers without their knowledge and use them to send bulk mail — is another major problem, the ISPs said in the conference call.

The Big Four ISPs are distributing the guidelines via their Web sites. The guidelines give specific suggestions to ISPs, legitimate bulk emailers and consumers for fighting spam. ISPs are advised to block or limit access to a specific port (Port 25), implement rate limits on outbound email traffic and control automated account registration, among other things. Consumers are advised to install firewalls on their PCs and to use anti-virus software and spam filtering technologies.

Recommendations to legitimate bulk emailers suggest that mailers not harvest email addresses through SMTP or other means, that they should register their email domains with a creditable safelist provider and provide clear unsubscribe and opt-out instructions, among other things.

The group said bulk emailers are part of “the email community” and that it does not recommend limits on the amount of legitimate email sent.

“Bulk emailers who are sending mail our members want are a big part of the email community. A big part of our discussion was how to satisfy that group,” said Stephen Currie, director of product management for EarthLink. Currie said feedback from legitimate emailers would be an important part of the feedback the group seeks “when we go to the next steps with this.”

Carl Hutzler, director of anti-spam operations for AOL, said, “Bulk emailers account for 150 million emails a day into the AOL system. The good ones, the ones on our whitelist, generate very few complaints.”

ASTA’s recommendations focused on two forms of authentication, an IP address-based approach, of which sender policy framework (SPF), currently being tested by AOL and Microsoft, is an example. Microsoft is in the process of merging SPF with its Caller ID for E-Mail to create a new protocol called Sender ID.

The other form is content signing. Yahoo’s DomainKeys authentication proposal is an example of this approach.

AOL plans to have Sender Policy Framework (SPF) email authentication in place by the end of summer and has been testing the protocol, according to Hutzler. “We are also looking at content signing, hoping to at least sign our mail by fall or the end of the year.”

Hamlin said Microsoft expects to go public with testing results by the end of “this calendar year.” He would not give a hard date as to when the procedure might be implemented.

Authentication is a critical first step in spam-fighting, with reputation a key element to follow, according to Currie of EarthLink.

Noting that “reputable marketers have been clamoring for a way to exclude spam from the inbox,” Al DiGuido, CEO of Bigfoot Interactive, applauded the ASTA “and the work they’ve done in setting the guidelines to bring the ISPs together to set the standards from an authentication standpoint.” Describing authentication as a “great leap forward,” DiGuido opined that “some form of digital postage stamp” is key in spam-fighting as well.

Related reading