Formed in April last year, the Anti-Spam Technical Alliance
(ASTA) yesterday released its recommendations for battling the
scourge of spam.
The proposal provides recommended actions and policies for ISPs
and e-mail service providers (ESPs) as well as large senders of
e-mail including governments, marketers and private companies.
These recommendations target two key issues: e-mail address
forgery, and the exploitation of vulnerable ISPs and their
customers to send spam.
E-mail address forgery
According to ASTA, one of the key problems with today's e-mail
infrastructure is that messages do not contain enough reliable
information to enable recipients to decide whether an e-mail
message is legitimate and reliably identifies the sender.
Spammers take advantage of this and commonly disguise the origin
of their messages by forging the sender addresses in their e-mail
using someone else's domain name. This is called "domain
spoofing."
ASTA suggests that the solution to this problem lies in either
the authentication of senders based on their IP (Internet Protocol)
address, or on the basis of content signing.
Content signing, explains ASTA, depends on public/private key pairs
held by the sender of a legitimate e-mail. Whenever a legitimate
sender sends an e-mail message, the sender's mail server uses a
private key held on the server to generate a digital signature and
attach it to the message. When the e-mail is received, the
recipient's server checks the signature against the corresponding
publicly available key in order to verify the sender's identity.
Best practices to combat spam
ASTA recommends that:
- Open relays – configurations on mail servers that allow the
server to accept and deliver e-mail on behalf of any user anywhere
– be made secure.
- Open proxies – configurations on a server that allow
unauthorised internet users to connect through it to other hosts on
the internet (often used in denial of service attacks) – be
reconfigured.
- Computers that have been infected by viruses or malware to
create an open relay for the generation of spam (so-called 'zombie'
PCs) should be identified by ISPs and quarantined or excluded from
the network until the virus or malware has been removed.
- ISPs should implement e-mail authentication systems.
- ISPs should implement rate limits on outbound e-mail traffic –
perhaps a maximum of 150 recipients per hour, and 500 recipients in
one day.
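
The outbound rate limit in the last recommendation, sketched as a per-account sliding-window check. This is an added example, not ASTA's or any ISP's code: the class name, the account ID and the addresses are hypothetical, and the 150 and 500 defaults are the figures quoted above.

```python
from collections import defaultdict, deque

HOUR, DAY = 3600, 86400


class OutboundRecipientLimiter:
    """Per-account sliding-window quota on outbound recipients (hypothetical)."""

    def __init__(self, per_hour=150, per_day=500):
        # Defaults are the figures quoted in the article.
        self.windows = ((HOUR, per_hour), (DAY, per_day))
        # account id -> deque of (unix timestamp, recipients accepted)
        self.history = defaultdict(deque)

    def check(self, account, recipients, now):
        """Return (accepted, reason); a message is accepted or deferred whole."""
        log = self.history[account]
        # Forget entries older than the longest window to bound memory.
        while log and log[0][0] <= now - DAY:
            log.popleft()
        n = len(recipients)  # the quota counts recipients, not messages
        for span, limit in self.windows:
            used = sum(cnt for ts, cnt in log if ts > now - span)
            if used + n > limit:
                return False, f"{used}+{n} recipients exceeds {limit} per {span // HOUR}h"
        log.append((now, n))
        return True, "ok"


def rcpts(n):
    """Constructed sample recipient list."""
    return [f"user{i}@example.net" for i in range(n)]


def demo():
    """Replay constructed traffic for one account; return the decisions."""
    limiter = OutboundRecipientLimiter()
    # (seconds since start, recipients on the message), in time order
    traffic = [(0, 150), (60, 1), (3601, 150), (7202, 150), (10803, 150), (10803, 50)]
    return [limiter.check("cust-42", rcpts(n), t) for t, n in traffic]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accept" if accepted else "defer ", reason)
```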