FTC Shoots Down Spam Registry, Boosts Authentication Scheme

By Dennis Callaghan  |  Posted 2004-06-15

FTC Shoots Down Spam Registry, Boosts Authentication Scheme

The Federal Trade Commission on Tuesday told Congress that a proposed National Do Not E-mail registry was unworkable until a universal e-mail authentication standard was adopted. However, this technological step may in turn make such a registry unnecessary.

The announcement should give another boost to fast-moving initiatives to better authenticate senders of e-mail by improving SMTP, the transport protocol used by e-mail servers. Such authentication would eliminate most spam, say its proponents.

Microsoft Corp.s CallerID initiative recently joined forces with the private Sender Policy Framework group to form the leading e-mail authentication effort. Yahoo Inc. continues to develop its Domain Keys initiative in parallel.

"Do not call works because the phone system has accountability," said Meng Weng Wong, founder of the SPF group and CTO with the IC Group Inc., of Philadelphia, which offers the e-mail forwarding service Pobox.com.

"Telemarketers have to honor the list because if they dont theyll get caught. Because email today has no accountability, a do not e-mail list would be more like a do not break into my house list," Wong continued.

According to Wong, the FTCs move on Tuesday was evidence that legal efforts to stop spam were waiting for technological efforts to catch up.

The FTC in its report to Congress said that it would sponsor an Authentication Summit in the fall "to encourage a thorough analysis of possible authentication systems and their swift deployment."

In the meantime, establishing a Do Not E-mail Registry before such an authentication system has been widely adopted wouldnt reduce spam, might increase it, and would be largely unenforceable, the Commission said.

The Commission was responding to the December 2003, Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) which called for the FTC to develop a plan and timetable for establishing a National Do Not E-mail Registry; explain any practical, technical, security, privacy, enforcement, or other concerns; and explain how a Registry would be applied with respect to children with e-mail accounts.

Some six months after Congress passed a law to reduce the amount of junk e-mail flooding the nations in-boxes, industry experts widely agree that the opposite has occurred: Were getting more spam than ever before. Click here to read more.

The agency said that without sender authentication in place, such a list could become a "National Do Spam" list since it would provide spammers with a registry of valid e-mail addresses.

Michael Sippey, managing director at the Denver e-mail solutions agency Quris Inc., said the FTC was making a smart move by abandoning the Do Not Email List idea for now.

"Federal e-mail authentication is not necessary, now that MS and [America Online Inc.] are doing to do SPF and AOL is in beta checking for SPF from senders," said Sippey, through a spokesman. "We are down the right path in dealing with server anonymity issues of spam."

Next Page: The Quest for a Registry Solution

The Quest for a

Registry Solution">

The Direct Marketing Association also applauded the FTCs announcement. The New York-based DMA has maintained that a Do Not E-mail registry would restrain e-commerce more than it would stop spam.

"It is imperative that there will be an authentication system in place so that consumers and regulators can determine who sent the e-mail and take appropriate action," said Jerry Cerasale, the DMAs senior vice-president for government affairs, in a statement.

Wong said the CallerID/SPF group, now known as the MARID (MTA Authorization Records in DNA) working group, would continue to look for ways to work with Yahoos cryptography-based Domain Keys effort.

"I agree cryptography is necessary in the long run; its just harder to deploy, so we need to do this first," he said.´

Meanwhile, the FTC said it studied three possible registries: a registry containing individual e-mail addresses; a registry containing the names of domains that did not wish to receive spam; and a registry of individual names that requires all unsolicited commercial e-mail to be sent via an independent third party that would deliver messages only to those e-mail addresses not on the registry.

The Commission said it reviewed registry proposals from some of the nations largest Internet, computer, and database management firms, and consulted with more than 80 individuals representing more than 50 organizations including consumer groups, e-mail marketers, anti-spam advocates, and others. It also demanded information from the seven ISPs that control over 50 percent of the market for consumer e-mail accounts, and retained the services of three of the nations pre-eminent computer scientists before drawing its conclusions.

"Without effective authentication of e-mail, any registry is doomed to fail," the FTC report concluded. "With authentication, better CAN-SPAM Act enforcement and better filtering by ISPs may even make a registry unnecessary."

Check out eWEEK.coms Messaging & Collaboration Center at http://messaging.eweek.com for more on IM and other collaboration technologies.

Be sure to add our eWEEK.com messaging and collaboration news feed to your RSS newsreader or My Yahoo page

Rocket Fuel