Major changes required to ISP Spam Code

More substantial recommendations for amendment than expected

Late submissions to the proposed anti-spam code for ISPs are asking for substantial changes.

InternetNZ, the Telecommunications Carriers Forum and the Marketing Association have received more substantial recommendations for amendment than they were expecting in the extra week they allowed for public submissions (Computerworld, June 25). InternetNZ spokesman Richard Wood said last week only minor suggestions for amendment were expected.

The final total of submissions is five, including a long one from Neil Sherratt, who expressed his views on the need for stronger enforcement of the code in Computerworld last week (June 25, Page 10). Sherratt is chief executive of Bizibox and helped develop the IQ Confidential secure email and collaboration system.

Sherratt has extensively edited the draft text of the code, inserting a provision that “Service Providers will be monitored and audited for compliance with this Code of Practice”. Without a requirement or strong encouragement to comply, he pointed out last week, individual ISPs can simply ignore the code.

Elsewhere he has inserted the word “proactive” and phrases containing it in a number of places to strengthen the requirements placed on service providers. Sherratt’s version, for example, says: “Service providers must demonstrate proactive measures taken to inform customers that service providers must comply with the Act and otherwise not engage in practices which would result in a breach of the Act” to replace the original draft’s weaker and differently focused provision.

Sherratt also inserts repeated references to “alternative email systems”, which aim to avoid the weaknesses of the ageing SMTP protocol. Email systems that “bypass all internet mechanisms that deliver spam” are available, his amendment says, and ISPs must advise customers of the existence of such systems and point them to appropriate sources.

“Reasonable steps” to be taken by ISPs to avoid forwarding spam, Sherratt writes, should include:

“(a) Identification of the sender of all SMTP emails — matching their identity via password protection before emails can be received by the Service Provider.

“(b) Authentication of emails by matching the ‘sender’ field against the identity and password supplied to log on to the Service Provider email gateway.

“(c) Elimination of all emails where the sender is unidentifiable by the above two mechanisms.”

Sherratt and other authors of submissions advise inclusion of provisions on botnets, not specifically mentioned in the original draft. “I’d like to see an ISP code of practice that required ISPs to help their customers clean up their PCs when they become infected, or else face disconnection from the internet — not just when the infection creates an open relay or open proxy as provided [in the current draft],” says submitter Mark Cranness.

The Department of Internal Affairs, which will be the enforcement agency for the anti-spam law, recommends an extension to the time for which ISPs are required to keep information on users’ IP addresses, so as to facilitate investigation of spamming.

The DIA also considers that sanctions on ISPs for breaches of the code might offer valuable assurance to users. It suggests the sanctions issue be reconsidered at the first review of the code.
