You know that spam prevention efforts have reached fever pitch when a spam
conference brings together lawyers, developers, economists, Eric Raymond
and a representative from Microsoft to discuss the problem and ways
to stop it. MIT hosted a conference on this topic on January 16, and we
decided to check out the webcast to see what kind of work is being done in
this area.
The answer is, there's quite a bit of work going on, and the future
looks much more encouraging than you might think.
Lawyers Jon Praed and Matthew Prince both spoke about spam from the legal
perspective. Praed discussed experiences in suing spammers. Interestingly,
Praed wasn't as negative about the recent CAN-SPAM Act as many in the
anti-spam community have been. Praed noted that legal solutions can often
do something that technical solutions alone have failed to do:
significantly drive up the cost of sending spam by requiring spammers to
deal with legal bills. He also said that 2003 was a banner year for legal
efforts against spam, because it brought the first arrests solely for
spamming. According to Praed, the CAN-SPAM Act is effective, in that it
makes it clear that spamming in and of itself is a crime.
Prince was less enthused with CAN-SPAM. Prince pointed out that 37 state
spam laws had been passed prior to CAN-SPAM; now all 37 are
pre-empted by the federal law, which is weaker than most of the state
laws. But even the stronger state laws have
been largely ineffectual for stopping spam. He also noted that spam laws
were not based on the volume of spam, which is the problem we now face, but
were written to counter the problem of fraud in spam.
Prince did bring up the McCain amendment to CAN-SPAM for praise, and said
it had received almost no coverage. Essentially, the McCain amendment says
that when prosecutors are going after a spammer, they don't necessarily
have to go after the sender. It allows prosecutors to attach liability to
advertisers, which may be much more effective than having to go after the
spammer.
Prince also said that we would have to remove anonymity of email to solve
the legal problem of spam. Washington has been the most successful because
its law includes a registry of
email addresses that are located in the state of Washington.
He said that it was necessary to
establish a national do-not-spam registry which would establish
jurisdiction to allow spammers to be sued and prosecuted.
Both Prince and Praed agreed that the important thing about legal solutions
is that they impose costs on spammers.
Yahoo's Miles Libbey talked
about trends in spam, as seen passing through Yahoo Mail. Like many other
speakers, Libbey saw an emerging emphasis on spammers trying to hide their
identity, and attempting to make messages more random to avoid filters. On
a scary note, Libbey said that Yahoo! had found that spammers had reacted
to their anti-spam filters within a space of two hours.
Another presentation focused on finding economic means to deal with
spam. Thede Loder, Marshall Van Alstyne, and Rick Wash outlined the
Attention Bond Mechanism (ABM), in which senders would have to put up a
"bond" with each message. Recipients could charge the sender a sum of money
for unwanted messages or release the money if the message was wanted.
Assuming a working model could be found and implemented, they say this
would be of benefit to users and marketers. According to Loder, Van Alstyne
and Wash, it could be cheaper than direct mail, while giving the recipient
an incentive not to block the email automatically. Either the message would
be of benefit to the user, or the user could reap a small financial gain by
accepting the message. Most importantly, this model would return the
control of a user's inbox to the user where it belongs and shift the burden
to marketers.
Along the same lines, Eric Johansson of CAMRAM talked about a hybrid system that
would add a money-free sender-pays type of system incrementally to
email. Instead of being a money-based system, the stamp creation would be
time-based. That is to say, each "stamped" email would contain a
22-bit or 23-bit stamp that costs a given amount of time to
generate. Adding that amount of time to generate each email would be
somewhat prohibitive for spammers, as spammers need to send email in volume
to make money.
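
A hashcash-style sketch of such a time-based stamp, as an added example that is not CAMRAM's own code: minting costs about 2^bits hashes on average, while checking costs one. The stamp layout, the use of SHA-1 and all function names are assumptions, and the demo uses 12 bits rather than 22 or 23 so it finishes quickly.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def stamp_bits(stamp: str) -> int:
    """Work proven by a stamp: leading zero bits of its SHA-1 hash."""
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())

def mint(recipient: str, date: str, bits: int):
    """Sender side: try counters until the stamp hash starts with `bits`
    zero bits. Returns (stamp, hashes_tried); expect about 2**bits tries."""
    for counter in count():
        stamp = f"{date}:{recipient}:{counter:x}"  # assumed layout
        if stamp_bits(stamp) >= bits:
            return stamp, counter + 1

def verify(stamp: str, recipient: str, min_bits: int, seen: set) -> bool:
    """Receiver side: one hash, plus checks that the stamp was minted for
    this recipient and has not been presented before (date expiry omitted)."""
    fields = stamp.split(":")
    if len(fields) != 3 or fields[1] != recipient or stamp in seen:
        return False
    if stamp_bits(stamp) < min_bits:
        return False
    seen.add(stamp)
    return True

if __name__ == "__main__":
    seen = set()
    # Constructed recipient and date, for illustration only.
    stamp, tries = mint("alice@example.org", "040116", bits=12)
    print(stamp, "cost", tries, "hashes")
    print(verify(stamp, "alice@example.org", 12, seen))  # fresh stamp
    print(verify(stamp, "alice@example.org", 12, seen))  # replayed stamp
    print(verify(stamp, "bob@example.org", 12, seen))    # wrong recipient
```

Because the recipient is part of the hashed text, a sender has to repeat the search for every address on a mailing run.
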
Of course, there were also many discussions of technical means to filter
and block spam. William Yerazunis spoke about ways to go beyond the
accuracy of Bayesian and Markovian spam filtering. One interesting note
from Yerazunis' talk is that some spammers are getting
desperate enough to actually sign up for "well-credentialed" email lists in
an effort to penetrate those lists and send spam to the mailing list
members. He also noted that the "Habeas
Haiku" method of whitelisting mail has actually become an
indicator of spam rather than an indicator that the email is clean,
as spammers have been brazenly using the Haikus in their spam.
Marty Lamb spoke about Martian Software's TarProxy, or "creating
pain for spammers." TarProxy is a method for throttling connections between
the spammer and an SMTP server by slowing the rate at which a spammer can
send spam, and thereby make it more costly. It also would cause headaches
for administrators of open relays, with the eventual goal of forcing them
to fix the configuration of their server.
Jonathan Zdziarski managed to present two topics in the allotted 20-minute
space. Zdziarski spoke about using "chained tokens" to provide more
information when filtering spam, rather than using a single word as a
token. The "chained token" technique basically works on the concept that it
is easier and less risky to identify spam by multiple words or tokens
rather than a single word or token. Tokens can include mail headers, HTML
fragments and other bits of an e-mail. A white paper discussing the
technique can be found on the DSPAM website in
PDF.
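
A simplified illustration of why chained tokens help, as an added example that is not DSPAM's code: each adjacent word pair becomes an extra token alongside the single words, and a message whose single words are all ambiguous is decided by a pair. The training mail is constructed, only body words are tokenized, and the clamped per-token probability with a naive Bayes combination is an assumed scoring scheme.

```python
import math
import re
from collections import Counter

# Constructed training mail: "play", "free" and "today" occur equally often
# in both classes, so on their own they say nothing.
SPAM = ["play lotto now and win big", "win big when you play lotto",
        "play lotto free today"]
HAM = ["do you want to play tennis today", "kids play outside now",
       "we play chess when free"]

def tokens(text, chained=True):
    """Single words, plus one chained token per adjacent word pair."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    pairs = [f"{a}+{b}" for a, b in zip(words, words[1:])] if chained else []
    return words + pairs

def train(messages, chained=True):
    """Count the number of messages each token appears in."""
    counts = Counter()
    for message in messages:
        counts.update(set(tokens(message, chained)))
    return counts

def token_prob(token, spam, ham):
    """Per-token spam probability, clamped; unseen tokens are neutral."""
    s, h = spam[token] / len(SPAM), ham[token] / len(HAM)
    if s + h == 0:
        return 0.5
    return min(0.99, max(0.01, s / (s + h)))

def score(text, chained=True):
    """Combine the 15 most decisive token probabilities into one score."""
    spam, ham = train(SPAM, chained), train(HAM, chained)
    probs = sorted((token_prob(t, spam, ham) for t in set(tokens(text, chained))),
                   key=lambda p: abs(p - 0.5), reverse=True)[:15]
    p_spam = math.prod(probs)
    p_ham = math.prod(1 - p for p in probs)
    return p_spam / (p_spam + p_ham)

if __name__ == "__main__":
    msg = "play free today"  # constructed test message
    print("single words only:  ", score(msg, chained=False))
    print("with chained tokens:", round(score(msg), 4))
```
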
Zdziarski is also working with Bill Yerazunis on an RFC for MIME
Encoding for message inoculation, to create a message format that allows
different spam filters on different servers to share inoculation
information.
John Graham-Cumming taped his
presentation beforehand. Instead of discussing how to block spam,
Graham-Cumming's presentation focused on how spammers could beat spam
filters by using filters like POPFile to detect "good" words to get through
a spam filter. Graham-Cumming predicts that spammers will continue to react
to adaptive filtering, and said that it would be possible for a spammer to
insert "web bugs" into spam to help train filters to see which messages are
delivered and which are not. Graham-Cumming said that it would be necessary
to choke off feedback to spammers, such as bounces and SMTP error messages,
to prevent adaptive filtering from working against spam filtering.
Eric Raymond was also on hand at the conference, and spoke about several
topics. One topic Raymond discussed is a provision in the CAN-SPAM Act that
requires the Department of Commerce to consult with the IETF on
spam-labeling standards. While the CAN-SPAM Act directs the department to
consult with the IETF on this issue, the IETF does not have any labeling
standards at the moment. Raymond says he is working on a draft RFC that
could be used and that could "pass constitutional muster."
Raymond also discussed Sender Permitted
From (SPF). SPF allows a receiving server to query whether the IP address
a message arrives from is a valid sender for the domain it claims to come
from, and to set policies based on that information. To use SPF, you
add information to DNS that informs the world which IP addresses are valid
for sending e-mail from your domain. When spammers attempt to spoof "from"
headers and so on, a server using SPF can check to see whether or not the
IP addresses match the valid IP addresses listed in DNS records.
Raymond admitted that there are compatibility problems with SPF. For
example, SPF breaks forwarding and causes problems for roving users who
need to send mail from different IP addresses. He noted that no one
technology for stopping spam is perfect, but several tactics can work
together as a "drug cocktail" to help end the spam problem.
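
The check described above, and the forwarding problem Raymond mentioned, as an added example that is not code from the SPF project. It evaluates only the ip4, ip6 and all mechanisms of a published record against the envelope sender's domain. The DNS_TXT table, the example.org record and all addresses are constructed, and the function names are assumptions.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups (documentation-range addresses).
DNS_TXT = {"example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"}

def check_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record that uses only ip4, ip6 and all mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError(f"mechanism needs DNS, not handled here: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def receive(envelope_sender: str, client_ip: str) -> str:
    """What a receiving server would conclude for one SMTP connection."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = DNS_TXT.get(domain)
    return check_spf(record, client_ip) if record else "none"

if __name__ == "__main__":
    # The domain's own mail server, listed in its record.
    print(receive("bob@example.org", "192.0.2.10"))
    # A host outside the record claiming an example.org sender.
    print(receive("bob@example.org", "203.0.113.7"))
    # A forwarding service relaying Bob's genuine mail unchanged: same result.
    print(receive("bob@example.org", "203.0.113.50"))
    # A domain that publishes no record.
    print(receive("carol@example.net", "203.0.113.7"))
```

The second and third calls return the same result, which is the forwarding breakage: the receiver sees only an unlisted IP address and cannot tell a legitimate relay from a spoofer.
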
For those interested in attending an anti-spam conference before MIT's 2005
conference, several speakers plugged the First Conference on Email and Anti-Spam
(CEAS), which is scheduled for July 30 and 31 in Mountain View,
California. For those working on anti-spam technologies or in related
areas, there is a call for papers
with a deadline of April 16.
The full presentations from the MIT conference are available in RealPlayer
format at the Spam
Conference website.