In Fight Against Spam, No More Excuses for ISPs

Opinion: All we are saying is give port 25 blocking a chance.

Ive been beating a steady drum for a while now for the cause of getting ISPs to block unrestricted use of TCP port 25. Its not world peace, but its more important than most people recognize. Now the FTC has taken up the cause of fighting "spam zombies," including port 25 blocking as a means.

It really does look as if the FTC understands the problem, including the fact that its an international one, and the commission has involved governments around the world in this effort. Its not just about blocking port 25; its about blocking accounts that abuse the network. This is a tough thing for ISPs to do, especially the small ones, since it means getting hostile with a paying customer.

The whole thing is under advisory, but I like the direction its going. The end result should be to make it easy for ISPs to make things more difficult for the criminals who perpetrate spam and viruses on us, and easier for users to adapt to the new, more secure environment.

I dont want anyone to get the idea Im worried about how hard ISPs have had it. Almost as a rule, they have stonewalled on this and other efforts they could have undertaken. Clearly some are better than others, but the basic problem is that they are more focused on inbound spam protection because thats what they sell to customers. The FTC initiative is about focusing on outbound spam protection.

And because lip service is all you can expect from some of these ISPs, the FTC has hired an auditing service (ICG Inc. of Princeton, N.J.) to start tracking zombie behavior. I hope that this will be used to praise some ISPs for their diligence and humiliate others who are lax in their enforcement.

After last years debacle in the IETF and the general failure of Internet standards groups to do anything to address the deficiencies in Internet e-mail, its clear that some other agency or agencies will have to step in and effect change. Spam and malware have gotten ordinary people mad enough that most wouldnt be the least bit upset to see government intervention; if anything, a voluntary effort like the FTCs may be seen as too meek. A big part of the effort will fall to private industry as well.

Some ISPs have taken it on themselves to play hardball. Some, like SBC, are already blocking port 25 or at least experimenting with it. Some, like AOL (which has unique mail issues), are very aggressive on both the inbound and outbound sides.

28571.gif

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

There are companies like MX Logic that are developing products to make good practice easier for ISPs. The companys new SRG (Sender Reputation Gateway) tracks user behavior, looking for changes indicative of system compromise. Joes ISP running on the cheap on free software isnt going to shell out the bucks for a system like this, but you get what you pay for. In fact, while the larger ISPs are larger targets, I suspect the average user is more secure with them because they are in a better position to defend themselves and their customers from attack.

There are also some companies that are almost pure victims in this. Consider the plight of the major hosting services, such as Interland and Verio. They send out comparatively little mail, but they receive as much spam every day as a major ISP. Theres little they can do other than to tighten their filters, a dangerous strategy.

Its the ISPs that have to be fighting this battle, and we cant accept any more excuses from them about why they arent. Its going to cost them money, in terms of infrastructure they have to develop, support calls they will have to take and the loss of customers who wont put up with best practices. Too bad. If, in the end, the cost of Internet access goes up in order to solve the problem of zombies, too bad on that too, but a good trade-off.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

28571.gif

Check out eWEEK.coms for the latest security news, reviews and analysis.

More from Larry Seltzer