E-Mail Coalition Floats New Anti-Spam Plan
"When we decided to address this problem, we had two options," Brondmo told a packed luncheon meeting Wednesday at the ISPCON conference here.
"We could have built a whitelist on steroids for our members, or we could have built a solution for more than our 28 members," said Brondmo, who is also a member of the coalition. "I am proud to announce that all 28 members opted for the latter solution."
Code named "Project Lumos," the anti-spam plan calls for a registry-based approach to eliminate spam by holding senders accountable for the mail they send.
The NAI ESPC, a coalition of 28 companies that advertise over the Internet (Digital Impact is a founding member), is concerned that spam filters block as much as 15 percent of their members' messages in error through false positives.
Brondmo noted that systems vary in quality and that false positives abound -- one blacklist blocks the entire nation of the People's Republic of China, he claimed.
NAI ESPC members are frustrated that current anti-spam policies punish most severely those mass mailers who adhere most strictly to best practices -- those who post legitimate unsubscribe addresses and do not hide their identity. In contrast, spammers that fake their identity or exploit network vulnerabilities to send mail from locations they do not own are not punished by current anti-spam solutions.
With that in mind, Brondmo said the new approach consists of combining e-mail marketers' best practice with technological and legislative solutions to ensure that all parties -- ISPs, marketers, and e-mail recipients -- are protected.
The coalition said "Project Lumos" would deploy a certification process that requires e-mail senders to verify their identity, adhere to best practices and then objectively monitor their performance.
Brondmo said project would unfold in three phases. The first consists of a dialog between the NAI ESP, ISPs, and other concerned parties. The second phase would involve building and establishing a filtering system, which could take 36 months. The final phase, which will be ongoing, would be the continuous updating and improving of the registry system.
"The project has no owner," said Brondmo. "It's a blueprint, a discussion." Brondmo said that progress in any one dimension of the project must be reinforced by progress on the other two fronts.
The more detailed blueprint consists of the following four policies:
Certification -- The project would create specific rules concerning the structure and function of an unsubscribe link on an e-mail. It would also certify senders according to the type of mail they send, its volume, and their organization's complexity.
An individual who sends few e-mails could remain anonymous, whereas a large international organization would have to adhere to a more rigorous system that would involve ensuring that all employees in every nation understand and follow best practices.
Standards -- The organization would ensure that every e-mailer's identity would be defined and would remain the same, and would standardize abuse reporting and e-mail categories to protect ISPs, marketers, and mailbox owners. If any e-mailer's identity was public, that e-mailer could be blocked by the ISP or by the individual.
Policies -- Other specific abuses, such as dictionary attacks or even sending e-mails using an out of date list with a significant bounce rate, would be handled in a standardized manner.
Performance -- A rating system would track the number of complaints against organizations and their effectiveness in responding to complaints.
The system would require a registry, similar to that for IP addresses, domain names, or SSL certification. The registry would maintain a list of the identities of senders protected by a Public Key Infrastructure (PKI), and keep track of their behavior, posting ratings such as those used by the U.S. financial system.
With the floor opened for questions, the debate began:
"Why not make DNS [domain name servers] more secure, and simply use reverse DNS lookup?" attendees asked. The NAI ESPC said it believes that DNS cannot be made secure.
"Why is the IETF [The Internet Engineering Task Force] not involved?" IETF processes would take too long for an undertaking as ambitious as this, the coalition said.
Asked another: "Won't a PKI [public key infrastructure] require a repository of public keys, creating a single point of attack? Who would build and maintain the repository?" The PKI solution would never be 100 percent secure, came the reply.
When questioned about free speech lawsuits, the coalition said it did not believe it would be prohibiting people from saying things, only prohibiting them from broadcasting them to hundreds of millions of people. "They could still use the viral method, sending to 100 senders, each of whom could send to 100 more, and thus reach a large number of people if their message was compelling."
Although the debate over the proposal has begun, Brondmo said he expects it to last for several months at the very least.