FTC Issues Advisory To Lock Down Spam Relays
Jan 30, 2004 2:17 PM PT
In the face of criticism that any legislative efforts to curb spam will be limited by national boundaries, the Federal Trade Commission has announced collaboration with 36 agencies in 26 countries to inform ISPs and other organizations that their servers can be used to relay spam with spoofed Internet addresses.
The FTC said it and the other agencies have identified tens of thousands of open relays around the world -- machines that allow any computer in the world to route e-mail through them. The FTC's "Operation Secure Your Server" entails notifying organizations of holes in their servers and urging the organizations to close those holes.
"Government cannot solve the spam problem on its own," said Howard Beales, director of the FTC's Bureau of Consumer Protection. "Everyone with an Internet connection must do their part to make sure that they are part of the solution and not part of the problem."
Gartner research director Maurene Caplan Gray told TechNewsWorld that the effort is good in that it has international reach, but she said she doubts it will have much impact on the growing volume of spam that makes its way to e-mail inboxes of both corporations and consumers.
"This is not going to eliminate spam," Caplan Gray said. "Is it going to make a dent in the spam that's out there? Not significantly. I look at this as good corporate citizen action, and that's all it is."
While he said it is still too soon to tell how many organizations are at issue because the FTC is still looking up server owners, FTC Internet lab director Don Blumenthal told TechNewsWorld that the agency has found more than 1 million IP numbers suspected of being open proxies or relays -- all of which, in theory, could be used by spammers.
Notifying businesses and other organizations in Albania, Argentina, Australia, Denmark and the United Kingdom -- among other nations -- the FTC and equivalent agencies suggested several questions for organizations to ask themselves to determine whether their technology could be complicit in the sending and spoofing of spam.
The notice from the FTC asks server owners to determine whether they are using the most current version of proxy software and hardware, whether they are applying the latest available patches and upgrades, and whether they have a dedicated e-mail address for reporting illegitimate proxy use.
Regardless of the debate over the effectiveness of antispam legislation, there is agreement that U.S. law is limited in its impact on unwanted e-mail because spammers can easily work outside of the country -- or at least can send their spam messages using open relays that are outside the country.
"Legislation is tough because the Internet knows no boundaries," Caplan Gray said. "The good part of this is the fact that it's an international effort as opposed to a U.S.-only effort."
The FTC, which created the Secure Your Server Web site to advise on how to prevent becoming an unwitting spam distributor, said this year's operation comes on the heels of a similar effort last year.
Spam and Shame
The FTC's Blumenthal indicated the organizations contacted range from small to large companies and other groups that consist basically of "anybody who has a proxy server" in place. The agency said spammers often abuse such servers to flood the Internet with unwanted e-mail, overloading servers and also damaging the reputation of an unwitting business, which ends up appearing to have sent the spam.
Caplan Gray chastised ISPs and other companies or organizations that allow their mail servers to be used as third-party relays, calling protection against such use "very, very basic security."
Still, she said, the companies and other groups contacted by the FTC and foreign equivalents are likely to welcome the heads-up to the problem. "They're probably going to say, 'Oh gosh, we didn't know that,' and fix it," she said. "Why would they want to have spam appear as if it's from their domain? That's bad business."
Blumenthal said response to the last round of about 2,000 advisements was relatively small, but the feedback that did come in was positive.