Soap Box: ISPs Must Back Common Anti-spam Policies, Technologies

Channel Partners

September 1, 2003


Posted: 9/2003


By Laurence S. Donahue, Esq.

The wave of disgust over unwanted,
unsolicited, offensive and fraudulent e-mail is reaching a fever pitch in the
United States as Congress faces pressure from consumer groups and state
attorneys general to take a hard-line approach to curbing these annoyances.
Americans' overwhelming response to the federal Do-Not-Call list earlier this
summer has added fuel to the fire, giving Congress the incentive it needs to
tackle an issue that creates just as much consumer anger and backlash as
unsolicited telemarketing calls.

The ISP industry primarily is to blame. ISPs have failed to
combat spam using a thoughtful and consistent approach that is born from an
industry consensus. Instead, individual service providers have reacted
irrationally to spam through fragmented and often draconian anti-spam policies.
Such policies have left legitimate businesses and customers caught in the
crossfire. Their policies have increased the cost of spam for the entire
industry because backbone providers and ISPs are spending their valuable time
and money resolving disputes and countering other ISPs' anti-spam efforts.

The irrational behavior of some ISPs is reflected in the fact
that some providers simply block all e-mail from Asia as they attempt to stop a
number of spam messages coming from that region. As one Asian resident
complained, his e-mail has a one-in-five chance of reaching the United States.
Most ISPs and their backbone providers have implemented strict acceptable use
policies that block bulk e-mail after just one spam warning. Such practices have a dampening effect on businesses that need
to use e-mail as a legitimate means to reach customers. For example, magazine publishers with e-mail-based publications
are fending off spam complaints by the spouses of shared e-mail boxholders. As a
result, such businesses are forced to become nomads, jumping from one service
provider to another.

Other ISPs have implemented anti-spam solutions that require
proper reverse name lookups to avoid tagging e-mail as spam. Proper reverse name
lookup means the domain of the sender's e-mail address must match the reverse name lookup
(i.e. domain name) of the IP address identified in the e-mail's
message headers. The problem is, most service providers do not, or cannot (in
the case of name-based, shared Web hosting providers), provide accurate reverse
name lookups. This creates a very unstable environment for legitimate e-mail
that is falsely identified and filtered as spam, as well as e-mail
incompatibility between service providers. The alternative is to close the doors
of name-based, shared Web hosting providers and open up the other ISPs to
customer poaching by their competitors.
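The reverse-name check described above, and the false positive it produces for a name-based shared host, as an added example that is not part of the original article. A constructed PTR table stands in for live DNS, the messages are constructed samples, and the match rule (PTR name equal to, or a subdomain of, the sender's domain) is an assumption about how such a filter compares names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed PTR records (documentation-range IPs); a real filter queries DNS.
PTR = {
    "192.0.2.10": "mail.example.com",            # dedicated mail host
    "198.51.100.7": "shared42.hosting.example",  # one IP serving many customer domains
}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def reverse_name_check(raw, ptr_table=PTR):
    """Compare the From domain with the PTR name of the connecting IP."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The topmost Received header is the one written by the receiving server.
    received = msg.get_all("Received") or []
    m = RECEIVED_IP.search(received[0]) if received else None
    if not m or not sender_domain:
        return "unverifiable"
    ptr = ptr_table.get(m.group(1))
    if ptr is None:
        return "no-ptr"
    ptr = ptr.rstrip(".").lower()
    if ptr == sender_domain or ptr.endswith("." + sender_domain):
        return "match"
    return "mismatch"  # a filter of this kind would tag the message as spam

def sample(from_addr, helo, ptr_name, ip):
    """Build a constructed message with a single Received header."""
    return (f"From: {from_addr}\n"
            f"Received: from {helo} ({ptr_name} [{ip}]) by mx.isp.example; "
            "Mon, 1 Sep 2003 10:00:00 -0700\n"
            "Subject: constructed sample\n\nbody\n")

DEDICATED = sample("news@example.com", "mail.example.com",
                   "mail.example.com", "192.0.2.10")
# Legitimate customer of a shared host: the PTR names the host, not the customer.
SHARED = sample("orders@smallshop.example", "smallshop.example",
                "shared42.hosting.example", "198.51.100.7")
NO_PTR = sample("info@other.example", "other.example", "unknown", "203.0.113.5")

if __name__ == "__main__":
    for name, raw in [("dedicated", DEDICATED), ("shared", SHARED), ("no PTR", NO_PTR)]:
        print(f"{name:10s} {reverse_name_check(raw)}")
```
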

In this ad hoc environment, it doesn't matter whether an
accused spammer is guilty or not. Anyone can generate a spam complaint, and very
rarely does the accused receive a fair hearing about whether the complaint is
legitimate. Backbone providers usually lump spam complaints into one
category, regardless of whether the complaints are justified or not, and
rationalize backbone termination, or the threat thereof, simply based on the
number of complaints received. Just about every ISP or Web hosting company has
had to contend with inappropriate blacklisting and its devastating consequences
when another ISP uses blacklists at the router level to the detriment of one or
more of its customers.

The ISP industry must move swiftly and collectively to show
that it can work together to effectively combat spam in a proactive way rather
than implementing illogical reactionary policies that hurt legitimate users. The
industry's unified voice and input into anti-spam legislation is needed now
more than ever. Otherwise, ISPs face some devastating consequences. Congress now
is considering 10 different federal spam-related bills (see story on page 62).
All miss the mark in terms of providing solid safe-harbor provisions for ISPs
and Web-hosting companies, nor do they account for the realities of
transnational borders and ISP industry practices. If the ISP industry does not
provide clear guidance to government bodies creating legislation, these untested
and imprecise laws are sure to be litigated in the courts.

Consider the Anti-Spam Act of 2003 (H.R. 2515) introduced on
June 18 by Rep. Heather Wilson (R-NM). This bill appears to have the most
momentum in Congress and, if it becomes law, requires all commercial e-mail be
identified as such and include the sender's physical street address and an
opt-out mechanism. The bill would prohibit e-mail with false or misleading
message headers or misleading subject lines, and would make it illegal to send
commercial email to addresses generated by an automated dictionary attack. This
proposed law, however, contains inadequate safe-harbor provisions for ISPs or
Web hosting companies. In fact, the bill offers a cause of action to ISPs against
spammers or other ISPs, and lacks clarification of key definitions such as "pattern
or practice of violations" or "initiator." These vague references easily could be applied to a number of
scenarios where ISPs find themselves the subject of a lawsuit. For example, could an ISP with 50,000 customers and an average
of five spam violations a week be considered to show a "pattern of
violations? Suppose the same ISP provided some tools to facilitate legitimate
bulk e-mailing?

In fact, none of the anti-spam legislation, proposed or
actual, at the state and federal level takes into account that ISPs are in
the unfortunate position of enforcing and responding to private or ISP-based causes of action. Most true spam contains forged headers, hides the sender and
can be routed through anonymous servers or compromised relays. ISPs will be
called to the task of proving, defending or validating actual senders,
recipients, relays or forgeries. False positives are a lingering problem today
between backbone providers and ISPs. Imagine applying false positives in a legal context with
plaintiff attorneys who don't have a lawsuit without a U.S.-based defendant,
and judges with little patience for the business practices of service providers. Moreover, most ISPs do not store e-mail logs because the heavy
volume of e-mail that travels over their systems makes the logs extremely large
and onerous, but the proposed legislation could force ISPs to maintain, store
and archive e-mails for use in litigation or other defensive purposes.

Any federal legislation enacted also must trump the fragmented
standards set by various state laws. Today, a service provider, such as my company, FatCow Web
Hosting in New Mexico, can be sued in another state using the New Mexico
Anti-Spam Statute, and that other state can be put into the position of
interpreting New Mexico's law. This creates significant unpredictability for
an ISP's ability to manage spam legislation requirements. As seen with state legislation, safe-harbor provisions for
ISPs and Web hosting companies are not absolute. An inadvertent open relay,
which occurs when a mail server processes an e-mail message where
neither the sender nor the recipient is a local user, could result in a cause of
action in Wyoming and a few other states.

Dialogue among ISPs and Web hosting companies must start now.
Various ISPs, through their contrasting testimonies on Capitol Hill, already
have given Congress the message that the industry is not unified on how best to
combat spam. Suggestions have ranged from legal-only solutions at the federal
level to technology-only solutions at the option of the industry and consumers.

The truth of the matter is, the best solution will be an
appropriate mix of law and technology. From the legal perspective, only an
international, multilateral treaty sponsored by the World Trade Organization
(WTO) or the United Nations (UN) will do. This treaty should then be enforced
and enacted by federal law. From the technology perspective, the federal
government (perhaps through DARPA) should work on new technology standards that
the industry can embrace, as well as fund research for commercial-based
solutions that don't create incompatibilities within the network.

No governmental body can act across all borders of the
Internet's international network. That's why the ISP industry must strongly
advocate and lobby government leaders to fund research into a new and
more-effective mail transport protocol (MTP). Simple Mail Transport Protocol (SMTP), originally designed
for open, free and efficient e-mail communications, no longer is a viable
solution. SMTP was designed under the presumption that the burden of cost was
equally shared among all participants, but the influx of spam now creates
inequities in cost sharing. A new MTP that contemplates cost shifting while continuing to
support the benefits of e-mail must be considered because it can address the
Internet's diverse cultures, laws and costs.

The financial ATM network serves as an example of this
capability. Although the network is proprietary, it was created with trust
relationships in mind, enabling it to transfer trillions of dollars around the
world without losing a penny. The concepts behind the ATM network could shed
light on what a new MTP might look like: A network system that supports e-mail
by properly allocating costs among the participants in proportion to their use
and benefit, without regard for borders or cultures.

Neither the public nor the government fully understands or
appreciates the challenges facing ISPs. It's up to the Internet industry to
define common approaches to dealing with spam, lobby for more effective
legislation and facilitate new technical solutions that effectively combat spam,
such as the creation of a new MTP. Without this collective voice and effort from the industry,
service providers and Web hosting companies could face mounting lawsuits under
legislation that will largely be ineffective in combating spam.

Laurence S. Donahue, Esq. is COO and corporate counsel for
FatCow Web Hosting. With about 17 years of Internet development expertise for
Fortune 500 companies, he is an Illinois-registered patent attorney specializing
in intellectual property, contracts and Internet law.

PHONE+ invites you to air your views.

Call us at +1 480 990 1101 or e-mail [email protected]

Links

FatCow Web Hosting: www.fatcow.com
