
[Asrg] ASRG meeting minutes

2003-04-02 13:27:57

Below are the minutes of the meeting. Thanks to Russell Brand for
volunteering to capture the minutes. If there are any corrections needed
before this is sent to be included in the proceedings, please provide them
by Thursday April 3rd.

________________________________________________
Anti Spam Research Group (ASRG) Meeting 
March 20, 2003
9:00 am

Recorded by: Russell Brand

The first meeting of the IETF Anti Spam Research Group (ASRG) was held in
San Francisco on Thursday, March 20, 2003.  Approximately 200 people
attended.

Paul Judge chaired the meeting.

The meeting consisted of a set of prepared talks with questions from the
floor.  There were four sets of talks:

    * charter review 

    * background

    * progress reports

    * technical solutions


Charter Review
==============
Paul Judge, ASRG Chair

ASRG was formed to UNDERSTAND the problem and collectively PROPOSE and
EVALUATE solutions to allow "consent based communication."


Laws and economics are part of the environment that our systems must work
in.  Addressing public policy changes is outside of our charter. We are a
technical research group, but we cannot be blind to the legal environment and
its constraints.

Evaluation for USEFULNESS should include usefulness over time, since some
solutions that worked when first introduced years ago are no longer
effective. As part of our charter, we are looking for long term solutions so
that we are no longer playing this "cat and mouse game."


Background Presentations 
========================

Problem Scale
-------------
Steve Atkins, SpamCon

   http://word-to-wise.com
   http://spamcon.org

Steve Atkins of SpamCon presented a set of statistics suggesting that spam
was getting worse at a rate of 9-fold a year, much faster than Moore's law.


He says that AOL is blocking about a billion pieces of spam a day and that if
the exponential growth of spam continues without some massive improvement in
spam blocking, we would each receive about 140,000 pieces of spam per day.

Atkins reports:

- a 20% *MONTHLY* growth in spam.

- about $650,000,000 spent on anti-spam products this year
  (estimated 4 times that for next year). [Just product costs; burdened
  personnel costs are much greater.]

- according to a British study, $730/year of lost productivity per
  employee, which is a little bit more than absenteeism.

- $8,900,000,000/year total cost to corporations.

- estimated cost per employee of $1-$2 for each piece of spam that makes it
  through the filters.

- abuse complaints and terminations of a spammer cost $2,000 to
  $10,0000 per shutdown.

Various members of the group offered that they had more reliable statistics
as to the scope and growth of the problem and the chair invited them to
share these statistics with the group.  

Among them, Brightmail with Gartner group has published careful statistics
going back several years.


It is often hard for an ISP to shut down a spammer even if they want to. The
legal/contract actions can be very slow because of badly written contracts,
or sections of contracts that the sales reps crossed out.

From the floor, it was pointed out that Spammers can sometimes get
injunctions to allow them to stay connected.

While the percentage of replies to spam is tiny, the absolute numbers are
enough to generate millions and millions of dollars of profit. Typical
response rates might be one in ten thousand, with a profit of 50 dollars from
that respondent.


National Association of Advertisers Email Service Provider Coalition
--------------------------------------------------------------------

Hans Peter Brondmo, Digital Impact

Hans Peter Brondmo presented the position of the National Advertisers
Initiative Email Service Provider Coalition (NAI/ESP).  They feel that they
are being tarred with the same brush as the spammers.  The members of his
organization feel that they are sending advertising and other information to
people that have given permission to receive it.

His organization objects to their mail (perhaps unintentionally) being
blocked by the mechanisms that are used to stop the spammers.

His organization calls for greater transparency from both the senders and
the recipients.  They want all the sending organizations to be findable and
accountable for their actions, and for the sending organizations to be able
to understand what it is that they need to do so that the ISPs will allow
their mail to be delivered.

Brondmo also raised an issue of granularity of consent, and the problem of
understanding how broad an opt-out an individual intends.  For example, how
does one say, "I still want to get the security updates for the products
that I am currently using but I don't want to get some other types of
email."


Best Practices for End Users
----------------------------

John Morris 
Center for Democracy & Technology 
CDT.org


John Morris presented results from a statistical study conducted by his
organization about how names get onto and off-of spam lists.

    ftp://67.cdt.org/pub/ietf56-asrg-spamreport.ppt
    ftp://67.cdt.org/pub/ietf56-asrg-spamreport.pdf
    www.cdt.org/speech/spam/030319spamreport.shtml

In brief, these results suggest that:

    - most name lists are culled from websites and that minimal
      camouflage of these names is currently enough (though perhaps
      not for long) to prevent the names from being added

    - names are culled from the headers (but not the bodies) of USENET
      postings, with some groups being more targeted than others

    - opting out of mailing lists when creating an account on a
      web site works; but that trying to opt out later works less
      frequently. 

    - names are generally not culled from on-line discussion groups

From the floor, other observations were reported

    - dictionary attacks are common against free email accounts, and
      random account names longer than 6 characters are not found
      as quickly and often not found at all

    - opting out from mailing lists tends to work for
      "respectable" companies but not for sex/get-rich-quick web
      sites


Prosecution of Spammers
-----------------------

John Praed
Internet Law Group

John Praed of the Internet Law Group presented his work on tracking down and
shutting down spammers.  He says that he generally follows the money rather
than trying to follow the IP addresses.

His emphasis was on "dividing the room," which is to say, making everyone
who is sending bulk commercial electronic messages declare whether they are
legitimate senders (who believe they have consent) or illicit spammers.

The key idea here is that legitimate senders are willing to be visible and
accountable for their actions.  Praed suggests setting up a mandatory
custodian-of-records system (like that required for adult models
(erotica) under 18 USC 2257) as a key step toward this, and points to the
success that these sunshine rules have had in other domains.  He says, for
example, that every erotica site he has seen lists where their custodians of
record are.  The penalties for failing to do so are severe.

Praed also points to the success of the anti junk-fax laws.

These new laws would be designed to make hiding a sufficiently serious
offense as to remove any commercial incentive for hiding, and to have much
lesser penalties for email senders that weren't hiding but might
'accidentally' send email to unconsenting recipients.

He talks about how "third party conspirators" make the illicit spamming
possible.  These third parties include ISPs that charge above-market
rates to shelter spammers and to make sure that they don't keep records.

Praed mentioned

     http://www.spamlaws.com

as a good site for getting current legal information about spam, including
information about state laws.


Progress Reports and Work Items
===============================

Paul Judge
ASRG Chair

Paul stated that even though the group was announced only 3 weeks ago, there
has been much activity and good progress. There are about 450 mailing list
members and there have been about 1800 messages so far. 9 high-level work
items have been identified.

Work Items:
Inventory of problems*
Characterization of the problems
        Public Trace Data*
        Spam Measurements
        Spam Categorization
Requirements for solutions*
Taxonomy of solutions*
Identification of need for interoperable systems*
        Spam Test Message
        Opt-out
        Filtered Message Status
Proposals of new solutions*
Evaluation of proposals
Best Practices documents
        End-users
        Mail administrators
        Mass Mailers


Paul then reviewed the inventory of problems and the requirements for
anti-spam systems.

The need for a literature review and comprehensive bibliography was raised
from the floor. Paul responded that a literature review falls in line with
the taxonomy and survey that is being prepared. He found a volunteer to form
the bibliography.

Technical Solutions
===================


Summary of Proposed Authentication Systems
------------------------------------------

Phillip Hallam-Baker
Verisign

Phillip Hallam-Baker of Verisign presented a system in which mailers
publish an authentication method via the existing MX (DNS) system; he argued
that this would make it impossible for mail systems to be impersonated.  This
system would support certificate-based authentication.

He referenced Paul Vixie's similar work (MAPS) on embedding the
authentication into SMTP (MAIL FROM).


A Consent-Based Architecture
----------------------------

David Brussin
ePrivacy Group


David Brussin of ePrivacy Group made a presentation on a system based on
sender authentication and third party "trust stamps."


SHRED: Spam Harassment Reduction via Economic Disincentives
-----------------------------------------------------------


Balachander Krishnamurthy
AT&T Research Labs

Balachander Krishnamurthy of AT&T Research Labs presented a paper on using
"stamps" to provide economic disincentives against spamming.  These stamps
would have appropriate cryptographic properties so as to be unforgeable, and
would allow a recipient who received unwanted mail to "cancel" the stamp
and force the sender to pay real money.

This system can have variable price stamps and has the virtue that it does
not add expense to legitimate mail traffic.  It can be used in conjunction
with white lists, black lists, filters and other technologies.

An implementation exists in about 1,000 lines of code.

He reports that currently two of the world's largest ISPs are considering
adopting it.

The paper will be made available at

    http://www.research.att.com/~bala/papers/
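To make the stamp idea concrete, here is a constructed Python sketch of a cancellable, unforgeable stamp as the summary above describes it. This is an added illustration for these minutes, not the SHRED design, the AT&T implementation, or anything presented at the meeting: the issuer role, the token layout (base64url JSON payload plus an HMAC-SHA256 tag), the binding of each stamp to one recipient, and the prepaid-balance bookkeeping are all assumptions of the example. It shows the three properties the summary names: a stamp cannot be forged or altered without the issuer's key, a recipient of unwanted mail can cancel it exactly once and only for mail addressed to them, and a sender whose stamps are never cancelled pays nothing.

```python
"""Toy cancellable-stamp scheme (constructed example, not the SHRED design)."""
import base64
import hashlib
import hmac
import json
import secrets


class StampIssuer:
    """A trusted stamp issuer (assumed role): mints stamps for senders with an
    account, verifies presented stamps, and debits the sender on cancellation."""

    def __init__(self, key: bytes):
        self._key = key            # MAC key known only to the issuer
        self.balances = {}         # sender -> prepaid balance (constructed units)
        self._issued = {}          # stamp id -> payload, makes each stamp single-use
        self._cancelled = set()    # ids already cancelled (blocks double charging)

    def open_account(self, sender: str, deposit: int) -> None:
        self.balances[sender] = deposit

    def _mac(self, payload_b64: bytes) -> bytes:
        return hmac.new(self._key, payload_b64, hashlib.sha256).digest()

    def issue(self, sender: str, recipient: str, value: int) -> str:
        """Mint a stamp bound to one recipient. Nothing is charged at issue time:
        the sender only pays if the recipient later cancels the stamp."""
        if sender not in self.balances:
            raise KeyError(f"unknown sender {sender}")
        payload = {
            "id": secrets.token_hex(8),  # unique per stamp
            "from": sender,
            "to": recipient,             # stops the stamp being reused on other mail
            "value": value,
        }
        payload_b64 = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode())
        self._issued[payload["id"]] = payload
        mac_b64 = base64.urlsafe_b64encode(self._mac(payload_b64))
        return (payload_b64 + b"." + mac_b64).decode()

    def verify(self, token: str):
        """Return the payload if the token is authentic, was issued here and is
        not cancelled; otherwise None. Malformed input also yields None."""
        try:
            payload_b64, mac_b64 = token.encode().split(b".", 1)
            if not hmac.compare_digest(self._mac(payload_b64),
                                       base64.urlsafe_b64decode(mac_b64)):
                return None
            payload = json.loads(base64.urlsafe_b64decode(payload_b64))
            stamp_id = payload["id"]
        except (ValueError, KeyError, TypeError):
            return None
        if self._issued.get(stamp_id) != payload or stamp_id in self._cancelled:
            return None
        return payload

    def cancel(self, token: str, claimant: str) -> bool:
        """Recipient cancels an unwanted stamp; the sender is debited its value.
        Only the recipient the stamp was issued to may cancel it, and only once."""
        payload = self.verify(token)
        if payload is None or payload["to"] != claimant:
            return False
        self._cancelled.add(payload["id"])
        self.balances[payload["from"]] -= payload["value"]
        return True


def run_scenario() -> dict:
    """Walk through issue / verify / cancel with constructed addresses."""
    issuer = StampIssuer(secrets.token_bytes(32))
    issuer.open_account("bulk@example.net", deposit=100)
    wanted = issuer.issue("bulk@example.net", "alice@example.org", 5)
    unwanted = issuer.issue("bulk@example.net", "bob@example.org", 5)

    results = {"wanted_valid": issuer.verify(wanted) is not None}
    # Bob did not want the mail and cancels; a second cancel must not charge twice.
    results["bob_cancels"] = issuer.cancel(unwanted, "bob@example.org")
    results["double_cancel"] = issuer.cancel(unwanted, "bob@example.org")
    # Someone other than the addressee cannot cancel Alice's stamp.
    results["wrong_claimant"] = issuer.cancel(wanted, "mallory@example.org")
    # Forgery attempt: rewrite the payload to a higher value, keep the old MAC.
    payload_b64, mac_b64 = wanted.split(".")
    tampered = json.loads(base64.urlsafe_b64decode(payload_b64))
    tampered["value"] = 500
    forged = base64.urlsafe_b64encode(
        json.dumps(tampered, sort_keys=True).encode()).decode() + "." + mac_b64
    results["forged_valid"] = issuer.verify(forged) is not None
    # Only the cancelled stamp cost anything: 100 - 5.
    results["balance"] = issuer.balances["bulk@example.net"]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that verification goes through the issuer (an HMAC the issuer alone can check) rather than a signature the recipient checks offline; that keeps the example in the standard library, at the cost of making the issuer a party to every verification and cancellation.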





[end]