You know that spam prevention efforts have reached fever pitch when a spam
conference brings together lawyers, developers, economists, Eric Raymond
and a representative from Microsoft to discuss the problem and ways
to stop it. MIT hosted a conference on this topic on January 16, and we
check out the webcast to see what kind of work is being done in this area.
The answer is, there's quite a bit of work going on, and the future
looks much more encouraging than you might think.
Lawyers Jon Praed and Matthew Prince both spoke about spam from the legal
perspective. Praed discussed experiences in suing spammers. Interestingly,
Praed wasn't as negative about the recent CAN-SPAM Act as many in the
anti-spam community have been. Praed noted that legal solutions can often
do something that technical solutions alone have failed to do:
significantly drive up the cost of sending spam by requiring spammers to
deal with legal bills. He also said that 2003 was a banner year for legal
efforts against spam, because it brought the first arrests solely for
spamming. According to Praed, the CAN-SPAM Act is effective, in that it
makes it clear that spamming in and of itself is a crime.
Prince was less enthused with CAN-SPAM. Prince pointed out that 37 state
spam laws have been passed prior to CAN-SPAM; now all 37 are
pre-empted by federal law, which is weaker than most of the state
laws. But even the stronger state laws have
been largely ineffectual for stopping spam. He also noted that spam laws
were not based on the volume of spam, which is the problem we now face, but
were written to counter the problem of fraud in spam.
Prince did bring up the McCain amendment to CAN-SPAM for praise, and said
it had received almost no coverage. Essentially, the McCain amendment says
that when prosecutors are going after a spammer, they don't necessarily
have to go after the sender. It allows prosecutors to attach liability to
advertisers, which may be much more effective than having to go after the
Prince also said that we would have to remove anonymity of email to solve
the legal problem of spam. Washington has been the most successful because
its law includes a registry of
email addresses that are located in the state of Washington.
He said that it was necessary to
establish a national do-not-spam registry which would establish
jurisdiction to allow spammers to be sued and prosecuted.
Both Prince and Praed agreed that the important thing about legal solutions
is that they impose costs on spammers.
Yahoo's Miles Libbey talked
about trends in spam, as seen passing through Yahoo Mail. Like many other
speakers, Libbey saw a emerging emphasis on spammers trying to hide their
identity, and attempting to make messages more random to avoid filters. On
a scary note, Libbey said that Yahoo! had found that spammers had reacted
to their anti-spam filters within a space of two hours.
Another presentation focused on finding economic means to deal with
spam. Thede Loder, Marshall Van Alstyne, and Rick Wash outlined the
Attention Bond Mechanism (ABM) where senders would have to put up a "bond"
where users could charge the sender a sum of money for unwanted messages or
release the money if the message was wanted.
Assuming a working model could be found and implemented, they say this
would be of benefit to users and marketers. According to Loder, Van Alstyne
and Wash, it could be cheaper than direct mail, while giving the recipient
an incentive not to block the email automatically. Either the message would
be of benefit to the user, or the user could reap a small financial gain by
accepting the message. Most importantly, this model would return the
control of a user's inbox to the user where it belongs and shift the burden
Along the same lines, Eric Johansson of CAMRAM talked about a hybrid system that
would add a money-free sender-pays type of system incrementally to
email. Instead of being a money-based system, the stamp creation would be
time-based. That is to say, that each "stamped" email would contain a
22-bit or 23-bit stamp that costs a given amount of time to
generate. Adding that amount of time to generate each email would be
somewhat prohibitive for spammers, as spammers need to send email in volume
to make money.
Of course, there were also many discussions of technical means to filter
and block spam. William Yerazunis spoke about ways to go beyond the
accuracy of Bayesian and Markovian spam filtering. One interesting note
from Yerazunis' talk is that he noted that some spammers are getting
desperate enough to actually sign up for "well-credentialed" email lists in
an effort to penetrate those lists and send spam to the mailing list
members. He also noted that the "Habeas
Haiku" method of whitelisting mail has actually become an
indicator of spam rather than an indicator that the email is clean,
as spammers have been brazenly using the Haikus in their spam.
Marty Lamb spoke about Martian Software's TarProxy, or "creating
pain for spammers." TarProxy is a method for throttling connections between
the spammer and an SMTP server by slowing the rate at which a spammer can
send spam, and thereby make it more costly. It also would cause headaches
for administrators of open relays, with the eventual goal of forcing them
to fix the configuration of their server.
Jonathan Zdziarski managed to present two topics in the allotted 20 minute
space. Zdziarski spoke about using "chained tokens" to provide more
information when filtering spam, rather than using a single word as a
token. The "chained token" technique basically works on the concept that it
is easier and less risky to identify spam by multiple words or tokens
rather than a single word or token. Tokens can include mail headers, HTML
fragments and other bits of an e-mail. A white paper discussing the
technique can be found on the DSPAM website in
Zdziarski is also working with Bill Yerazunis on an RFC for MIME
Encoding for message inoculation, create a message format that allows
different spam filters on different servers to share inoculation
John Graham-Cumming taped his
presentation beforehand. Instead of discussing how to block spam,
Graham-Cumming's presentation focused on how spammers could beat spam
filters by using filters like POPFile to detect "good" words to get through
a spam filter. Graham-Cumming predicts that spammers will continue to react
to adaptive filtering, and said that it would be possible for a spammer to
insert "web bugs" into spam to help train filters to see which messages are
delivered and which are not. Graham-Cumming said that it would be necessary
to choke off feedback to spammers, such as bounces and SMTP error messages,
to prevent adaptive filtering to work against spam filtering.
Eric Raymond was also on hand at the conference, and spoke about several
topics. One topic Raymond discussed is a provision in the CAN-SPAM Act that
requires the Department of Commerce to consult with the IETF on
spam-labeling standards. While the CAN-SPAM Act directs the department to
consult with the IETF on this issue, the IETF does not have any labeling
standards at the moment. Raymond says he is working on a draft RFC that
could "pass constitutional muster" that could be used.
Raymond also discussed Sender Permitted
From (SPF). SPF allows a server to query whether something is a valid
IP address, and to set policies based on that information. To use SPF, you
add information to DNS that informs the world which IP addresses are valid
for sending e-mail from your domain. When spammers attempt to spoof "from"
headers and so on, a server using SPF can check to see whether or not the
IP addresses match the valid IP addresses listed in DNS records.
Raymond admitted that there are compatibility problems with SPF. For
example, SPF breaks forwarding and causes problems for roving users who
need to send mail from different IP addresses. He noted that no one
technology for stopping spam is perfect, but several tactics can work
together as a "drug cocktail" to help end the spam problem.
For those interested in attending an anti-spam conference before MIT's 2005
conference, several speakers plugged the First Conference on Email and Anti-Spam
(CEAS), which is scheduled for July 30 and 31 in Mountain View,
California. For those working on anti-spam technologies or in related
areas, there is a call for papers
with a deadline of April 16.
The full presentations from the MIT conference are available in RealPlayer
format at the Spam
to post comments)