The Hong Kong Internet Service Providers Association issued an Anti-Spam Code of Practice in June 2005. Widely unreported, this is, in fact, the second version of this Code. However, unlike the previous version, this has resulted in positive action: at least one ISP (namely, Pacific Internet) has sent a letter to its customers stating that it will carry out a series of security measures to comply with the Code.
Version one of the Code, published in February 2000, received significant press coverage, but there was no evidence of any action. In fact, although the Code stated that a list of compliant ISPs would be posted on the HKISP website, the list was never published, and there was no response to repeated requests for the list. Version 2 also includes provision for:
“A web site run by the HKISPA showing this Code of Practice and the parties that are in compliance.”
But, to date, there is no sign of the list.
The Code includes these technical measures:
- Mail servers shall not be allowed to relay mail from third parties.
- There shall be a restriction on the amount of outgoing mail provided for web e-mail and pre-paid accounts.
- All clients using switched access shall not have outgoing TCP access to the Internet on port 25 (SMTP). An SMTP server shall be provided by such accounts; if possible the user's outgoing SMTP connection will automatically be redirected to such server.
The first two are “no-brainers”. The third uses the term “switched access”, possibly in the telecoms industry sense of an occasionally connected circuit. However, the wording used in the ISPA’s Implementation Guidelines is “switched dialup access”. Is this an intentional change, indicative of a change in the Code? On the one hand, restricting port 25 access for dialup connections is fairly irrelevant nowadays: most spam is sent via zombies on broadband connections, so extending the coverage to other connections is sensible. On the other hand, is restricting port 25 access an unfair limit on competition? Will ISPs coerce users into using their mail servers for their domains on the pretence of “security”?
A reasonable solution that allows competition without compromising security is to block port 25 by default, but to open it, at no charge, on a signed request from the customer. The ISPs can then contribute to the fight against spam by blocking spam from the machines most likely to be zombie-infected, while allowing customers who can take responsibility for their systems the freedom of choice.
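The block-by-default, open-on-request policy suggested above, sketched as an nftables ruleset for a subscriber-facing router. This is an added example, not part of the Code or the ISPA's guidelines; the interface name `subs0`, the relay address 198.51.100.25 and the opted-in customer addresses are constructed placeholders.

```nftables
# Added example. All addresses are constructed (RFC 5737 documentation ranges);
# "subs0" is an assumed name for the subscriber-facing interface.
table ip subscriber_smtp {
    # Customers who returned the signed request and run their own mail systems.
    set smtp_optin {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 192.0.2.64/28 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Default for everyone else: outgoing SMTP is redirected to the
        # ISP's own relay, as the Code's third measure describes.
        iifname "subs0" tcp dport 25 ip saddr != @smtp_optin dnat to 198.51.100.25
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Opted-in customers may reach any mail server on port 25.
        iifname "subs0" tcp dport 25 ip saddr @smtp_optin accept
        # Redirected traffic to the ISP relay is allowed through.
        iifname "subs0" tcp dport 25 ip daddr 198.51.100.25 accept
        # Anything else on port 25 is counted, logged and refused, which
        # also gives the ISP a signal for likely zombie-infected machines.
        iifname "subs0" tcp dport 25 counter log prefix "smtp25-blocked " reject with tcp reset
    }
}
```

Opening port 25 for a customer is then a single change to the `smtp_optin` set, so the opt-in costs the ISP nothing beyond handling the signed request.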