Remote-controlled "zombie" networks operated by bottom-feeding spammers have become a serious problem that requires more industry action, the Federal Trade Commission is expected to announce on Tuesday.

The FTC and more than 30 of its counterparts abroad are planning to contact Internet service providers and urge them to pay more attention to what their customers are doing online. Among the requests: identifying customers with suspicious e-mailing patterns, quarantining those computers and offering help in cleaning the zombie code off the hapless PCs.

To be sure, computers infected by zombie programs and used to churn out spam are a real threat to the future of e-mail. One report by security firm Sophos found that compromised PCs are responsible for 40 percent of the world's spam--and that number seems to be heading up, not down.

But government pressure--even well-intentioned--on Internet providers to monitor their users raises some important questions.

Will ISPs merely count the number of outbound e-mail messages, or actually peruse the content of e-mail correspondence? E-mail eavesdropping is limited by the Electronic Communications Privacy Act in the United States, but what about other countries without such laws? If these steps don't stop zombie-bots, will the government come back with formal requirements instead of mere suggestions the next time around?

The FTC said that its advice should not be alarming. "I think our recommendations are intended to provide flexibility by ISPs to implement them to the extent they can," Markus Heyder, an FTC legal adviser, said on Friday. "We have vetted them extensively with other partners and industry members."

Heyder said the commission plans to send letters to ISPs outlining the suggested antispam steps: "This is intended to provide a range of possible measures that can be taken if appropriate."

Sarah Deutsch, Verizon Communications' associate general counsel, said spam-fighting is "not an issue we're ignoring. It's something that we're extremely conscious of." Also, Deutsch said, "the ISP can help the customer but cannot be in the business of fixing their computer remotely. There are huge liability issues involved in that. What if we gave them some advice" that may not work?

Cordoning off "port 25"
The FTC also wants Internet providers to prevent e-mail from leaving their network unless it flows through their own internal servers. That makes spam zombies easier to catch. That technique is called blocking port 25, the port number used by the venerable Simple Mail Transport Protocol.

Many companies such as Microsoft's MSN and Comcast do this already. But port-25 blocking has some downsides: It harms the end-to-end nature of the Internet; you'll be forced to use potentially slow and unreliable servers at your ISP; and you may not be able to run your own mail server. (Pay attention, Linux and OS X aficionados who do this.)

In other words, there are both costs and benefits to port-25 blocking, and it's not clear that the federal government should be advising private companies which path to choose.

A final portion of the FTC's expected announcement on Tuesday involves hiring a contractor to identify spam zombies and contact the ISPs that are providing network connectivity. Michael Allison, chairman of ICG in Princeton, N.J., confirmed that his company has been hired and will start that process this month. (IGC offers Internet monitoring services and has been hired by large Internet providers in the past.)

But might that list of ISPs be made public? Dave McClure, president of the U.S. Internet Industry Association, is worried about ISPs being singled out for public criticism even though they're taking aggressive efforts to stamp out spam. "It's like walking up to a mugging victim and slapping them because they're contributing to crime," he said.

"The problem is not the ISPs," McClure said. "Granted, there are some ISPs that serve as hosts of spam. But ISPs generally are the victims, not the originators. The originators are zombie machines over which the ISPs have absolutely no control. If the FTC really wants to make progress in this area, they should be talking to countries in which the zombie servers exist and have those countries strengthen their own laws."

Tuesday's expected announcement represents the next step in a campaign by the FTC and government agencies abroad called "Operation Secure Your Server." In May 2003, they began contacting companies, universities and individuals whose insecure computers happened to be "open relays" used by spammers. The FTC broadened that effort in 2004.

It's one thing to identify open relays, but another to urge more aggressive e-mail monitoring. While the FTC's intentions may win applause in many quarters, government watchers also caution that a light touch will be important.

SOURCE