In Fight Against Spam, No More Excuses for ISPs

 
 
By Larry Seltzer  |  Posted 2005-05-25 Email Print this article Print
 
 
 
 
 
 
 

Opinion: All we are saying is give port 25 blocking a chance.

Ive been beating a steady drum for a while now for the cause of getting ISPs to block unrestricted use of TCP port 25. Its not world peace, but its more important than most people recognize. Now the FTC has taken up the cause of fighting "spam zombies," including port 25 blocking as a means. It really does look as if the FTC understands the problem, including the fact that its an international one, and the commission has involved governments around the world in this effort. Its not just about blocking port 25; its about blocking accounts that abuse the network. This is a tough thing for ISPs to do, especially the small ones, since it means getting hostile with a paying customer.

The whole thing is under advisory, but I like the direction its going. The end result should be to make it easy for ISPs to make things more difficult for the criminals who perpetrate spam and viruses on us, and easier for users to adapt to the new, more secure environment.

I dont want anyone to get the idea Im worried about how hard ISPs have had it. Almost as a rule, they have stonewalled on this and other efforts they could have undertaken. Clearly some are better than others, but the basic problem is that they are more focused on inbound spam protection because thats what they sell to customers. The FTC initiative is about focusing on outbound spam protection.

And because lip service is all you can expect from some of these ISPs, the FTC has hired an auditing service (ICG Inc. of Princeton, N.J.) to start tracking zombie behavior. I hope that this will be used to praise some ISPs for their diligence and humiliate others who are lax in their enforcement.

After last years debacle in the IETF and the general failure of Internet standards groups to do anything to address the deficiencies in Internet e-mail, its clear that some other agency or agencies will have to step in and effect change. Spam and malware have gotten ordinary people mad enough that most wouldnt be the least bit upset to see government intervention; if anything, a voluntary effort like the FTCs may be seen as too meek. A big part of the effort will fall to private industry as well.

Some ISPs have taken it on themselves to play hardball. Some, like SBC, are already blocking port 25 or at least experimenting with it. Some, like AOL (which has unique mail issues), are very aggressive on both the inbound and outbound sides.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. There are companies like MX Logic that are developing products to make good practice easier for ISPs. The companys new SRG (Sender Reputation Gateway) tracks user behavior, looking for changes indicative of system compromise. Joes ISP running on the cheap on free software isnt going to shell out the bucks for a system like this, but you get what you pay for. In fact, while the larger ISPs are larger targets, I suspect the average user is more secure with them because they are in a better position to defend themselves and their customers from attack.

There are also some companies that are almost pure victims in this. Consider the plight of the major hosting services, such as Interland and Verio. They send out comparatively little mail, but they receive as much spam every day as a major ISP. Theres little they can do other than to tighten their filters, a dangerous strategy.

Its the ISPs that have to be fighting this battle, and we cant accept any more excuses from them about why they arent. Its going to cost them money, in terms of infrastructure they have to develop, support calls they will have to take and the loss of customers who wont put up with best practices. Too bad. If, in the end, the cost of Internet access goes up in order to solve the problem of zombies, too bad on that too, but a good trade-off.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. More from Larry Seltzer
 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel