washingtonpost.com  > Technology > Special Reports > Google

Google Aims For ISP White Lists

By David McGuire
washingtonpost.com Staff Writer
Monday, August 9, 2004; 6:47 AM

Tucked away in an unpublicized corner of Morgan Stanley's Web site is the most obvious sign yet that Internet search engine company Google Inc. is just about ready to rock the financial world with its much-anticipated initial public offering.

In an online posting dated August 2, the New York-based investment banking firm warns Internet service providers that "a large volume" of e-mail messages will be distributed "shortly" from "information@ipo.google.com." Morgan Stanley asks ISPs to insure that none of the technology they use to weed out spam will inadvertently block these messages from getting to people who signed up to receive more information on the Google IPO.

_____Live Discussion_____
Today, Noon ET: Yale School of Management professor Barry Nalebuff discusses his Sunday Outlook piece about why investors would be better off avoiding the Google's initial IPO auction.
_____Google In The News_____
Google Sets Deadline to Register for IPO Auction (The Washington Post, Aug 11, 2004)
Google to Close Bid Registration Thursday (Reuters, Aug 10, 2004)
Google Ends Its Dispute With Yahoo (The Washington Post, Aug 10, 2004)
Complete Coverage: Google
_____Free E-mail Newsletters_____
• TechNews Daily Report
• Tech Policy/Security Weekly
• Personal Tech
• News Headlines
• News Alert

"We want to take every precaution to avoid blocking or tagging of such emails as spam, since these emails are essential for participation and completion of the transaction," the message reads. "Certain commonly used [anti-spam techniques] or refusing to accept a given email until a retry occurs, will impair your users' ability to participate in this transaction."

A source who works for a major ISP said Google alerted ISPs to the Morgan Stanley site by posting a link on a private online discussion group used by major providers. The source asked to remain anonymous because the existence of the list is not widely publicized.

The Morgan Stanley posting is a decidedly low-tech way to make sure spam filters don't block information about one of the hottest initial stock offerings to hit Wall Street since the fabled go-go days of the dot-com boom. But experts say legitimate bulk e-mail senders have few options other than to provide details about their e-mail plans in advance.

"In today's screwed up e-mail environment, it's pretty much mandatory," said John Levine, co-chair of the Internet Engineering Task Force's anti-spam working group. "What's different here is that there's going to be a whole lot of mail from a corner of Google that's never sent e-mail before."

In most initial public offerings, companies parcel their stock out to a handful of investment houses and initial investors who then sell shares to other investors. Google is using a different process in which thousands of individuals can submit bids in advance of the offering. Because the public is directly involved, Google must send details of the offering to a much larger group of people than is usually involved in an IPO, said Scott Sutherland, vice president of equity research at Los Angeles-based Wedbush Morgan Securities.

The posting on the Morgan Stanley Web site makes clear that Google will be using e-mail to distribute its IPO details. If ISPs block the Google e-mail messages, Levine said, it could put many investors far behind the curve when the stock debuts.

Spam filters are one of the most popular tools that ISPs, corporations and home users can use to block unwanted commercial pitches. But they are unwieldy tools. The Direct Marketing Association estimates that up to 25 percent of its members' legitimate e-mail is erroneously trapped in spam filters.

DMA apokesman Jordan Cohen said filters block not only marketing messages but also important transaction information like receipts. "There are people that order a plane ticket online and they'll never get their confirmation e-mail online," he said.

Another popular solution that ISPs use to make sure that legitimate e-mail gets through is to maintain lists of both spammers and trusted e-mail senders. "Black lists" contain Internet domain names that the ISPs know produce lots of spam messages, while "white lists" contain domain names that the ISPs are sure they can trust as sources for legitimate e-mail.

The notice on Morgan Stanley's Web site provides a list of Internet address sources that Google asked ISPs to place on their white lists. Representatives from some of the largest ISPs said that they appreciate the fact that Google alerted them.

"We wish more people took proactive steps like Google did to make receivers and deliverers of e-mail aware that large numbers of bulk e-mail will be emanating from IP ranges that may not be identified as legitimate," said America Online spokesman Nicholas Graham.

Graham said that AOL technicians read the notice and have taken steps to make sure that Google's messages get through to its members.

Google also notified Yahoo about the mailing, and Yahoo plans to make sure the messages are delivered, according to Yahoo spokeswoman Terrell Karlsten.

Kevin Doerr, group business manager for Microsoft Corp.'s MSN Hotmail, said that the company is working with Google "as we work with numerous legitimate bulk mail senders worldwide," and that "following best industry practices should ensure smooth delivery of their mail."

Google and Morgan Stanley officials declined to comment on the situation, citing the quiet period mandated by the U.S. Securities and Exchange Commission that companies and their underwriters must adhere to leading up to the stock offering date. Financial analysts have placed the IPO date any time from mid-August until later this fall.

Ray Everett-Church, counsel for the Coalition Against Unsolicited Commercial Email, said that the Morgan Stanley online posting is a clever workaround, but he said it also highlights the need for a better solution to blocking spam.

"This kind of low-tech solution is exhibit 'A' for why you need an automated process for identification and authentication of legitimate e-mail," Everett-Church said. A key Internet standards-setting body is working on developing an e-mail authentication proposal and the Federal Trade Commission plans to hold an authentication summit this fall.

Sign of the Phish

One worry that some Internet fraud experts have is that publicly disclosing the Internet addresses that will send the Google mail could allow online criminals to mount "phishing" scams.

In a typical phishing scam, a con artist sends out what looks like an official e-mail message from a respected financial institution or retailer warning recipients that their accounts have lapsed. Victims are prompted to click on a link, that takes them to an official-looking Web site, where they're often duped into handing over sensitive personal and financial data to the thief.

The IPO message could be a gold mine for scammers who want to take advantage of Google investors, said David Jevans, chairman of the Anti-Phishing Working Group, a coalition of banks, Internet service providers and other companies whose customers are targeted by phishing scams. "Now they [phishers] know who's going to send it, what it's going to look like, where it's going take them. Bad people can always use information if they know in advance."

While ISPs may know to focus on the difficult-to-forge IP numbers, Jevans said, individual investors won't, and that would allow phishers to create a convincing scam message with the information on the page.

John Levine of the Internet Engineering Task Force said the most useful information in the message is the list of official IP numbers that will be associated with the Google alerts. Unlike the "subject" and "from" lines of e-mail addresses, IP numbers are very difficult to forge.

"My guess is that the ISPs are just going to add those IP numbers to their 'white list,' which unless somebody hacks Morgan Stanley, it's pretty safe," he said.

Phishing victims lost $1.2 billion to identity theft-related fraud between April 2003 and April 2004 and were three times more likely than the average American to have their identities stolen, according to an online survey of 5,000 people conducted in May by Stamford, Conn.-based firm Gartner Research. The Anti-Phishing Working Group recorded 1,197 unique phishing scams in May. Each individual scam can be associated with thousands of e-mail messages.

© 2004 TechNews.com