Alan J. Archer's story is undoubtedly familiar to IT managers and security officers.
A contractor at the government agency where Archer works as an IT specialist is confronted with hundreds of pieces of spam among the legitimate messages in his inbox. While deleting unwanted messages, the contractor inadvertently opens an e-mail that sets a virus loose on a slew of unprotected machines on the agency's network.
Such is just one consequence of spam, which drains an enterprise's resources and remains a growing threat to a company's systems and data. But ISPs are getting a boost to address it in the form of several recommendations recently issued by the Anti-Spam Technical Alliance (ASTA), whose participants include Yahoo! Inc., Microsoft Corp., EarthLink, America Online Inc., British Telecom and Comcast.
Chief among them is that "ISPs should implement rate limits on outbound e-mail traffic through the ISP's primary SMTP gateway hosts," according to an ASTA statement. The group suggested setting rate limits for a consumer-oriented ISP to a maximum of 150 recipients in one hour and 500 recipients in one day.
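The hourly and daily recipient caps ASTA suggests can be enforced at the gateway with a sliding-window counter per sending account. The following is an added example, not code from ASTA or this article; the class name, keying on the authenticated account, and rejecting a whole message that would exceed a cap are assumptions.

```python
import time
from collections import defaultdict, deque

HOUR, DAY = 3600, 86400
HOURLY_LIMIT, DAILY_LIMIT = 150, 500   # ASTA's suggested consumer-ISP caps

class RecipientRateLimiter:
    """Sliding-window cap on outbound recipients (not messages) per account."""

    def __init__(self, hourly=HOURLY_LIMIT, daily=DAILY_LIMIT):
        self.hourly, self.daily = hourly, daily
        # account -> deque of (timestamp, recipient_count) for accepted mail
        self._log = defaultdict(deque)

    def usage(self, account, now):
        """Return (recipients in last hour, recipients in last day)."""
        log = self._log[account]
        while log and log[0][0] <= now - DAY:      # drop entries older than a day
            log.popleft()
        in_hour = sum(n for t, n in log if t > now - HOUR)
        in_day = sum(n for _, n in log)
        return in_hour, in_day

    def check(self, account, n_rcpt, now=None):
        """Decide one message; returns (accepted, reason).

        A message that would cross a cap is refused whole, and refused
        attempts are not recorded, so retries cannot extend the lockout.
        """
        now = time.time() if now is None else now
        in_hour, in_day = self.usage(account, now)
        if in_hour + n_rcpt > self.hourly:
            return False, "hourly cap"
        if in_day + n_rcpt > self.daily:
            return False, "daily cap"
        self._log[account].append((now, n_rcpt))
        return True, "ok"

def burst_demo():
    """Constructed scenario: one account sends ten 20-recipient messages
    one second apart, the pattern a compromised machine tends to produce."""
    limiter = RecipientRateLimiter()
    return [limiter.check("user@example.net", 20, now=float(i))[0]
            for i in range(10)]

if __name__ == "__main__":
    print(burst_demo())   # seven accepted (140 recipients), then refusals
```

Accounts that hit the hourly cap repeatedly are also a useful signal for the compromised-computer discovery recommended in the list that follows.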
Among the other recommendations, ISPs should:
- Reconfigure open relays as secure relays. ISPs should test all remote mail servers that connect to them to ensure that they are not configured as open relays, or subscribe to third-party open relay lists available from many antispam organizations.
- Regularly scan for misconfigured or outdated programs that can be used to create e-mail.
- Ensure that off-the-shelf proxies are configured to allow only users on the internal network to use them. ISPs should test their customers' proxies to determine whether any are misconfigured and could allow third-party abuse.
- Develop methods for discovering compromised computers and quarantine those that show signs of infection.
- Implement authenticated e-mail solutions that require valid credentials from users before they can send mail, usually a username and password.
- Develop and implement methods for blocking the automated generation of accounts. For example, verify that a registration request isn't being generated by an automated script.
- Secure all Web-based redirectors that could be used by third parties without permission.
- Develop a system for customers and external parties to report spam. The system should be simple to use and keep the content of the original e-mail intact so that it can be used to improve filtering and potentially trace spammers for litigation purposes.
Chad Masseker, president and CEO of service provider Carceron Systems LLC of Atlanta, said the malleable e-mail "from" field is the biggest issue. "This has the ability to cause, at a minimum, dissent and disinformation throughout an organization or between other relationships," he said.
Calling this a "critical problem," the ASTA said it has begun testing several technologies to provide a more secure e-mail identity and prevent spoofing, including securing the domain portion of the e-mail address, which is located to the right of the @ symbol. The IETF working group MTA Authorization Records in DNS is testing identity technologies to find a solution to the problem.
A recent survey commissioned by Symantec Corp. pointed out that 79% of the 100 IT managers surveyed said spam was a problem in their company and one likely to hang around for at least another three years. Fifty percent of end users (300 were surveyed) also regarded spam as a problem.