ARCHIVED—4. Restoring Confidence in Email


Stopping Spam: Creating a Stronger, Safer Internet
Report of the Task Force on Spam
May 2005


The Challenge

Before the establishment of the Task Force on Spam, most Canadian initiatives aimed at controlling the growing volume of unsolicited commercial email focused on a combination of filtering technologies and the use of "black lists" of servers and domains that have been identified as sources of spam. As these spam-control services have become more and more sophisticated, so have the tactics used by spammers to bypass them.

The diverse types of spam-filtering and blocking tools used by ISPs and other network operators – and the resulting cyclical battles between spammers and spam blockers – produced some unwanted results. Legitimate commercial email communications, as well as legitimate noncommercial and personal email communications, are now often blocked by filters, sometimes without the knowledge of either the senders or the intended recipients. These filtering techniques and practices, though well intended, have inadvertently contributed to undermining consumer confidence in the reliability of email.

For this reason, a number of commercial organizations are now considering moving their email services to closed networks, which would undermine the Internet as a platform for commerce. While the motivation for considering this solution is understandable, a migration of commercial activity away from the public Internet and toward closed networks could have undesirable consequences.

Less drastic alternatives to closed networks are beginning to emerge in the form of techniques that shift the focus away from blocking unwanted communications toward facilitating the movement of legitimate commercial email. Although these techniques impose costs on the senders of commercial email and on the owners and managers of network facilities, it is possible that these costs may be offset by the following benefits that could result for different stakeholders:

  • for commercial email senders, the value of improved deliverability;
  • for service providers, reduced costs in managing email service and customer preferences;
  • for email users, more effective tools to manage their email.

Certification is one of the techniques emerging for improving deliverability. At minimum, a certification regime should require verifiable identification of both the sender and the nature of the communication. To be fully effective, it should also include performance-measurement tools and appropriate sanctions for certificate holders that do not abide by the rules.

In addition to certification tools, techniques are becoming available to facilitate the movement of legitimate email by authenticating sending and receiving sites. However, these techniques do not necessarily protect recipients against false, misleading or fraudulent emails sent from authentic sites.

Like the other parts of the anti-spam toolkit, established techniques, such as black lists and filtering, and emerging techniques, such as certification and authentication, are not silver bullets that will solve all deliverability problems. In addition to these technical solutions, there is a range of business practices that can be used by commercial emailers to reduce the incidence of spam and spam-related threats to the Internet. The overall challenge facing the commercial email business community is to identify and implement a winning combination of sound business practices and effective technical solutions.

Task Force Actions

The initial aim of the Task Force was to bring together, for the first time, a diverse group of stakeholders to discuss the challenges spam poses for legitimate emailers and address ways to improve the deliverability of legitimate email.

In addition to the technical tools described in the previous section, there are a number of business practices that can help combat spam and improve the deliverability of legitimate email. The Task Force, therefore, decided to devote a significant part of its efforts to the development of a code of best practices for emailers. The code would include both operational and technical measures that emailers could take to improve the deliverability of their messages.

The Task Force concluded that the Internet Engineering Task Force and its working groups were doing an effective job of managing and directing the development of authentication techniques. Therefore, we decided to concentrate our technical efforts on exploring email-certification techniques, raising awareness of their potential role in improving email deliverability and promoting discussion among industry segments.

Recommended Best Practices for Email Marketing

The code of recommended best practices for commercial emailers developed by the Task Force reflects the provisions of two policy frameworks – one legal and one self-regulatory – already in place in Canada:

  • PIPEDA, which came into full force throughout Canada in January 2004, establishes the obligations of those who collect, store and use electronic-mail addresses, which are considered personal information.
  • The Canadian Marketing Association has had a mandatory industry code for a number of years. Organizations that conduct online surveys (i.e. members of the Canadian Survey Research Council) are now also in the process of developing a uniform code of practice.

On this basis, and taking into account codes of practice that have been developed in other jurisdictions (e.g. by the U.S.-based Anti-Spam Technical Alliance), the Task Force finalized a series of recommended best practices that will encourage Canadian commercial emailers to adopt spam-free marketing and other spam-free business techniques, and make it clear that spam has no place in Canadian e-commerce.

The full text of these recommended best practices is presented in Appendix C; the highlights are presented in Box 4: Recommended Best Practices for Email Marketing.

Deliverability of Commercial Email

There is currently significant evidence but a lack of statistics as to the extent to which legitimate commercial email is being blocked by spam-filtering programs and services – a process that creates what are known as "false positives" (i.e. blocked messages that are not really spam). A recent study by the firm Return Path determined that 22 percent of permission-based commercial email in the United States did not reach its intended recipients in 2004.

Box 4: Recommended Best Practices for Email Marketing

  • Marketing email should only be sent to recipients who have provided their consent to receive such information.
  • In all marketing email, recipients must be provided with an obvious, clear and efficient email or web-based means to opt out of receiving all further business and/or marketing email messages from the organization.
  • The internal process used to obtain consent should be clear and transparent. Organizations should keep records of the type of consent obtained from recipients so that email lists can be scrubbed prior to campaign broadcasts.
  • Every email marketing communication should clearly identify the sender of the email. The subject line and body text in the communication should accurately reflect the content, origin and purpose of the communication.
  • Every email should provide a link to the sender's privacy policy. The privacy policy should explain the intended use and disclosure of any personal information that might be gathered through "clickstream" means or other website monitoring techniques.
  • Marketers, list brokers and list owners should take reasonable steps to ensure that the addresses on their email lists were obtained with the proper consent.
  • Marketers should use a high degree of discretion and sensitivity in sending email marketing to persons under the age of majority, in order to address the age, knowledge, sophistication and maturity of this audience.
  • When the content of an email is adult in nature, the sender must – prior to sending the communication – verify that the recipient is of age to legally receive and view such content.
  • All email containing sexually explicit content should include the prefacing tag "SEXUALLY EXPLICIT" in the subject line.
  • Organizations should have in place a complaint-handling system that is fair, effective, confidential and easy to use.
  • Organizations may disclose the email addresses of existing customers to third-party affiliates or within a family of companies if:
    • they have consent to do so;
    • they are using the addresses for purposes consistent with their collection (i.e. marketing related to the original purchase or to provide services related to that purchase);
    • it is transparent to the recipient why they are receiving email communications; and
    • there is an easy-to-use way to opt out of receiving further email communications.

False positives are a problem, not only because they undermine the effectiveness of email as a marketing tool for businesses, but also because they cause difficulties for end-users, who are increasingly relying on the deliverability of the email they send and receive from associate sources, be they professional (e.g. business colleagues), commercial (e.g. as a result of marketing and online purchases the user has requested) or personal (e.g. private correspondence).

Marketing firms and others are increasingly using outsourced deliverability firms to improve their return on investment, or hiring full-time personnel to deal with these issues.

ISPs could also improve the deliverability of legitimate email by publishing clear policies and procedures for inbound email and by providing points of contact.

Several of the largest receiving sites – AOL®, MSN® Hotmail and Yahoo!® – have all published policies and procedures outlining the requirements for legitimate emailers who want to be white-listed. How much this status circumvents inbound-spam filtering naturally varies between sites.

Email Certification

Several technical methods are currently used to fight spam. However, some of these methods may not always be able to distinguish between legitimate email and spam. For example, some spam filters block bulk mailings of legitimate emails simply because they look similar in nature to spam. Others analyze the content of email messages in order to decide whether or not to filter them, using keywords that can appear in legitimate email as well as in spam. To complicate matters further, spammers often design their emails to look like legitimate email, and also use other techniques to trick filters.

As mentioned in the "Challenge" section of this chapter, email certification is emerging as a method that could be used to help spam filters allow legitimate email through to its intended recipients. It could also make it possible to verifiably distinguish legitimate email from phishing email.

Working in cooperation with the ICT Standards Advisory Council of Canada, the Task Force on Spam explored the principles, business models and techniques that characterize the different certification methods currently available in the Canadian marketplace, in order to develop a reference paper that captures the results of this analysis and examines options for implementing an email certification regime in Canada.

Recommendations

Commercial emailers have the most to lose and the most to gain in the battle to stop spam. Of the various stakeholder groups involved in the fight against spam, commercial emailers also face the greatest challenges in organizing themselves to take concerted action against spammers and to play their part in implementing the toolkit approach.

A number of distinctly different kinds of organizations make up the commercial-emailers stakeholders group, including:

  • companies that commission bulk commercial email in order to market their products and services;
  • companies that engage in email marketing;
  • companies that design and manage marketing campaigns;
  • commercial-email service providers; and
  • companies that supply lists of email addresses.

In some cases, the companies that provide these different kinds of products and services are vertically integrated across different segments of the commercial-email supply chain. In other cases, they are independent of each other and operate on the basis of contractual arrangements.

The majority of companies that make up the diverse population of the email stakeholder group operate according to existing laws and in conformity with generally accepted business practices. As the PIPEDA cases demonstrated, these companies are usually quick to make amends if they are found to be engaging in activities or practices that contravene these standards.

Unfortunately, each segment of the email supply chain contains spammers – companies and individuals that deliberately contravene the laws that currently prohibit sending unsolicited commercial email, or that use email as a cover for activities that are intended to deceive, cause harm to computers and network facilities, steal personal information and commit fraud.

To stop spam, it is necessary to stop spammers. If this is not done, there is a risk that Canadians will lose confidence in the Internet – not just as a vehicle for marketing and promoting products and services, but also as a method of effective communication. A general loss of confidence in email would, in turn, severely inhibit the emergence of an e-economy in Canada, and would undermine the interests of the many businesses, organizations, institutions and governments involved in the professional email supply chain.

We therefore recommend the following:

Recommendation 12:

Commercial email marketers should implement the best business practices recommended by the Task Force on Spam and should, in cooperation with the coordination body established by the Minister of Industry, monitor the effectiveness of these practices on an ongoing basis.

Recommendation 13:

Canadian industry, in coordination with international standards-development organizations, should continue to investigate various certification methodologies and their associated costs to determine which, if any, would provide the most suitable certification regime for Canada.

Recommendation 14:

To help determine the extent of the problem of non-deliverability of legitimate email in Canada, the coordination body established by the Minister of Industry should, with the help of appropriate stakeholders, formally study this issue on an ongoing basis.