Australia, icode, ISPs, zombies and outbound spam – a solution?
ISPs are coming under increasing pressure to be more proactive in their users’ security, with particular reference to outbound spam. This pressure comes from users, governments, and the ISP’s own bottom line. The problem is that the ISP’s mail servers will be blacklisted if the rest of the internet decides it is serving too much spam. The difficulty is that individual users are usually unaware that their PCs have been zombied and they are the cause. The result is that email services for both the innocent and guilty customers are interrupted by the blacklisting.
This could have a serious effect on the ISP’s bottom line. Firstly, there is the cost of getting off the blacklists so that it can carry on serving its innocent customers. If it can keep them. Secondly, a research study undertaken for email company CommTouch by Osterman Research (June 2010) shows that
Resolving the outbound spam issue can help service providers to retain customers: our research found that 56% of end users whose outbound email was blocked because of their providers’ outbound spam problem would probably or definitely switch to a provider that would not block innocent users.
The same study also finds that users are not unreasonable:
Outbound spam is also a high priority issue for end users: when asked about their preference for email providers that actively ensure that spam is not sent out from their networks, 80% believe that this is important or extremely important. Further, 87% believe it is important or extremely important for email providers to actively eliminate zombies – a primary source of outbound spam – from their networks.
But for most users, spam is something sent by other users and only received as a problem. A PC user that has been zombied will almost certainly not know it. If he has security defences they will have been breached and the user will carry on in a blissfully false sense of safety. If he has no security then he has no understanding of the internet, threats, spam or zombies. Either way, the user is often the last person to recognise that he is an unwitting source of spam.
Technically, however, the user’s own ISP is in a better position, via its own filters, to be able to recognise that an individual user is a source of spam. The user will think it’s a mistake. So if the ISP simply blocks that user, the user will most likely move to a different ISP.
It’s a difficult problem. Enter governments. They, of course, have their own interest. One of their responsibilities is to protect their national infrastructure. And a growing threat to this is the capabilities of botnets. Mostly they are used simply to generate spam and steal identities. But they could be used for cyberterrorism or cyberwarfare if directed against national utilities. So it is very much in the interest of governments to crack down on zombies.
Australia believes it has the answer: the ‘icode’, a new code of practice that states that both ISPs and consumers should share responsibility for using the internet. The idea is that all ISPs should sign up to the same practice – which would make ISP-hopping a pointless exercise for outraged customers. Without the fear of losing customers, individual ISPs can then be more proactive in tackling their zombie users; and competitor ISPs cannot undercut them by ignoring the problem.
Is this the answer? I have to say, I don’t know. On the one hand I am very suspicious of all government interference. The danger is that things often start with the best intentions, but are then grown and tweaked and expanded by said governments until they become dangerous tools of authoritarian control (just consider how the UK’s anti-terror laws have actually been used). Australia is already one of the ‘free’ world’s first nations to introduce internet censorship…
But on the other hand, I genuinely believe people must take responsibility for their own actions. So if a user has a zombie and is harming other users through spam or infections, and that user is told by his ISP that he has this problem, then the user must take responsibility. And if failure to take responsibility means being cut off, so be it.
Consider the icode itself. It states:
Subject to their terms of service, actions that ISPs can take when they become aware of a compromised computer include:
(a) contacting the customer directly (by phone, email or SMS or other means);
(b) regenerating the customer’s account password to prompt customers to call the helpdesk so they can be directed to resources to assist;
(c) applying an ‘abuse’ plan where the customer’s Internet service is speed throttled;
(d) temporarily quarantining the customer’s service, for example by holding them within a ‘walled garden’ with links to relevant resources that will assist them until they are able to restore the security of their machine;
(e) in the case of spam sources, applying restrictions to outbound email (simple mail transfer protocol – SMTP); and/or
(f) such other measures as determined by the ISP consistent with their terms of service.
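The post says the ISP's own filters are what put it in a position to spot a zombied customer, and the icode then lists a ladder of responses. The following is an added illustration of that pairing, not code from the post, the icode or any ISP: it reads a constructed outbound-relay log, flags customers whose hourly outbound volume or rejection rate is abnormal, and maps the number of flagged hours onto three of the icode responses, (a) contact, (c) throttle, (e) restrict SMTP. The log format, the thresholds and the escalation rule are all assumptions made for the example.

```python
"""Outbound-spam triage sketch for an ISP relay (added example, not the icode's or an ISP's code).

Assumed log line format, one outbound message per line:
    <ISO timestamp> customer=<id> rcpt=<recipient count> status=<accepted|rejected>
Thresholds below are illustrative assumptions, not figures from the icode or the study.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) customer=(?P<cust>\S+) rcpt=(?P<rcpt>\d+) status=(?P<status>accepted|rejected)$"
)

MAX_RCPT_PER_HOUR = 200     # assumption: more recipients than this per hour is a spam-source signal
MAX_REJECT_RATIO = 0.5      # assumption: mostly-rejected mail suggests address guessing
MIN_MSGS_FOR_RATIO = 20     # don't judge a ratio on a handful of messages

# Three rungs of the icode ladder, one per flagged hour; stays on the top rung afterwards.
ICODE_LADDER = [
    "contact customer (icode (a))",
    "throttle service under abuse plan (icode (c))",
    "restrict outbound SMTP (icode (e))",
]


def parse_log(text):
    """Parse relay log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "cust": m.group("cust"),
            "rcpt": int(m.group("rcpt")),
            "rejected": m.group("status") == "rejected",
        })
    return events


def hourly_stats(events):
    """Aggregate messages, recipients and rejections per (customer, hour) window."""
    stats = defaultdict(lambda: {"msgs": 0, "rcpt": 0, "rejected": 0})
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        s = stats[(e["cust"], hour)]
        s["msgs"] += 1
        s["rcpt"] += e["rcpt"]
        s["rejected"] += 1 if e["rejected"] else 0
    return stats


def flagged_windows(stats):
    """Return {customer: [reasons per flagged hour]} for hours that look like a spam source."""
    flags = defaultdict(list)
    for (cust, hour), s in sorted(stats.items()):
        reasons = []
        if s["rcpt"] > MAX_RCPT_PER_HOUR:
            reasons.append(f"{s['rcpt']} recipients in hour starting {hour.isoformat()}")
        if s["msgs"] >= MIN_MSGS_FOR_RATIO and s["rejected"] / s["msgs"] > MAX_REJECT_RATIO:
            reasons.append(f"{s['rejected']}/{s['msgs']} messages rejected in hour starting {hour.isoformat()}")
        if reasons:
            flags[cust].append(reasons)
    return dict(flags)


def recommend_action(n_flagged_windows):
    """Escalate one rung of ICODE_LADDER per flagged hour; None if nothing was flagged."""
    if n_flagged_windows <= 0:
        return None
    return ICODE_LADDER[min(n_flagged_windows, len(ICODE_LADDER)) - 1]


def triage(log_text):
    """Map each flagged customer to the recommended icode response."""
    flags = flagged_windows(hourly_stats(parse_log(log_text)))
    return {cust: recommend_action(len(windows)) for cust, windows in flags.items()}


def _constructed_log():
    """Constructed sample traffic: one normal customer, one zombie, one address-guesser."""
    lines = []
    for minute in (0, 5, 17, 42):  # c1001: ordinary user, four small messages
        lines.append(f"2010-06-01T10:{minute:02d}:00 customer=c1001 rcpt=1 status=accepted")
    for hour in (10, 11, 12):      # c2002: 30 messages x 10 recipients in each of three hours
        for i in range(30):
            lines.append(f"2010-06-01T{hour}:{i:02d}:00 customer=c2002 rcpt=10 status=accepted")
    for i in range(25):            # c3003: 25 messages in one hour, 20 of them rejected
        status = "rejected" if i < 20 else "accepted"
        lines.append(f"2010-06-01T14:{i:02d}:00 customer=c3003 rcpt=1 status={status}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for cust, action in sorted(triage(SAMPLE_LOG).items()):
        print(f"{cust}: {action}")
```

On the constructed log the zombie customer climbs to the SMTP-restriction rung after three abnormal hours, the address-guesser gets a contact recommendation after one, and the ordinary customer is never mentioned, which is the property the post cares about: the response lands on the customer generating the spam rather than on the whole mail server.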
Government involvement in such capabilities is a dangerous thing. This is, so far, a voluntary code of practice. Will it remain so? I doubt it. Can we expect governments to stay at arm’s length? Almost certainly not. Is it a good thing? In concept today, I would say yes. In practice in the years to come, almost certainly not.