In a sign of how desperate companies have become to stem the flow of spam, managers at AT&T were about to implement a policy that would block all e-mails to its employees not sent from a trusted group of computers. In a memo this week, AT&T asked its major business clients and some Internet service providers to turn over the Internet addresses of their e-mail systems. After resistance, it halted plans to create a so-called e-mail “white list.”
“WhatAT&T is asking is for you to help AT&T to restrict incoming mail to just our known and trusted sources (e.g., business partners, clients and customers),” read the Oct. 21 memo, sent by AT&T network managers and obtained by MSNBC.com.
The plan would have created a white list — a database of known and trusted computers, identified by their Internet Protocol (IP) numbers, which are assigned to every computer online. E-mail servers can be reprogrammed to accept incoming mail only from white-listed servers. Anyone who tried to send mail from a server not included on the list would have it kicked back.
“We need to know which IP address(es) are used by your outbound e-mail service so we can selectively permit them,” said the memo, an apparent follow-up to an earlier request for IP addresses. It also noted AT&T had “received many concerned responses” about its plan.
The request “was drafted but may have been sent out prematurely,” said AT&T spokesman Gary Morgenstern.
It was not clear how many companies received it, and AT&T said only that it was intended for limited distribution, though it acknowledged the note was sent to major business customers and other major Internet providers. At least two major providers, AOL and MSN, said they had not received AT&T’s request.
Morgenstern said the company saw a significant jump in junk e-mail this week and considered several options to stem the flow. The white list was “one of the ways we were looking at combating it,” Morgenstern said. He said it would only have impacted e-mails sent to the att.com domain, which serves AT&T’s corporate offices.
‘Would be insane'
Many system administrators use e-mail “black lists,” compilations of online addresses known to originate junk e-mail. Mail servers can be programmed to reject any mail from any blacklisted computer. White lists attempt the opposite, rejecting everything not sent from a trusted address.
Though white lists have been attempted in the past, they are rarely implemented with success. Because it creates a closed system for e-mail exchanges, Internet standards experts note the process essentially breaks down the methods by which e-mail is transmitted.
Because server IP addresses can change or be sold, for instance, white lists would require continuous updates. And users on a white-listed system are almost certain to lose e-mail from people whose Internet providers aren’t on the list.
“That would be insane,” said Paul Hoffman, director of the Internet Mail Consortium, a nonprofit body that helps develop and set e-mail protocols. “People have tried this before and basically it’s a losing proposition.”
The AT&T request also raised hackles among Internet engineers because it circumvented the normal process for contacting mail administrators.
‘Whois’ concerns
Rather than sending mail to a standard “postmaster” address at each site — which is immediately routed to whoever runs its mail servers — the note was sent to the administrative contacts listed in Internet records for each company’s domain name. This method, which draws names from a process known as a WHOIS lookup, is often imprecise and has at times been used by spammers looking to mass-mail Web site owners.
“We have assembled the distribution list for this e-mail by looking up the administrative contacts for each of the known e-mail domains we currently exchange e-mail with, referencing WHOIS and other such services available via the Internet,” said the AT&T memo.
AT&T said it was contacting customers Wednesday to tell them to disregard the original messages.
One of the world’s largest Internet providers, AT&T’s online networks reach into some 50 countries and make up large portions of the Internet backbone. Its Worldnet service is one of the largest Internet providers in the United States.
Though the company said it had no plan to implement the current white list, Morgenstern said it was possible they might revisit the idea as a spam-fighting method. “I’m not going to rule it out in the future. Maybe they’ll determine it’s the best way to do it,” he said. “I don’t know what action we’ll take at this point.”
On the other hand, he said, “I think the people that sent that mail may have learned their lesson.”
He would not say whether they had been reprimanded.