ietf-asrg

RE: [Asrg] 2. - Spam Characterization - Possible Measurements (was : RE: Two ways to look at spam)

2003-07-05 15:27:57


-----Original Message-----
From: Dave Crocker [mailto:dcrocker(_at_)brandenburg(_dot_)com] 
Sent: Saturday, July 05, 2003 12:09 PM
To: Paul Judge
Cc: 'Barry Shein'; 'Yakov Shafranovich'; 'asrg(_at_)ietf(_dot_)org'
Subject: Re: [Asrg] 2. - Spam Characterization - Possible 
Measurements (was : RE: Two ways to look at spam)


Paul,

Permit me to ask a difficult question:


PJ> Here is a list of characteristics that I'd put together.

Why?

There are many reasons why one would want to understand characteristics of a
problem as a fundamental step towards attempting to solve that problem. 

Essentially all of the characteristics that you have listed 
are no better than second-order. That is, they are not key 
characteristics to spam, but rather they are characteristics 
of some spam today.

Spam measurement and characterization should not be confused with the
inventory of problems list. Spam characterization seeks to understand the
current state of the problem (read symptoms). The inventory of problems list
seeks to look at the reason for the problem or the core attributes that
allow the actions taken by spammers that result in these symptoms.
 
Let's say that a sender of spam changed their operation, so 
that they committed none of the sins, and showed none of the 
characteristics, that you listed. Could they still send spam? 
I believe the answer is yes.

Perhaps some incorrect assumptions were made about why these characteristics
are important. 

Your question above also assumes that spammers can change their operation to
avoid exhibiting ALL of these characteristics. I believe that to not be
accurate. 

Secondly, your question asks if they could still SEND spam. In some cases,
our goal is not to stop them from sending spam, but just to be able to
DETECT the spam. Now, the question should be 'Will we be able to detect
and/or prevent the spam?'

The two questions underneath all of this are: 1) Is this characteristic an
effective indicator of spam? And 2) Can they change the characteristic? 

There are four possible situations, but three that matter:

Question 1: Yes. Question 2: Yes.
Means: Valid indicator now, but not necessarily in the future.
A number of these characteristics provide a good indication of spam
messages. Even though spammers are able to change some of these
characteristics: some of it changes and some of it does not. Either way,
currently they provide effective means of spam detection. Also, realizing
that these characteristics evolve, the good spam detection systems have
also. See any heuristics-based spam detection system for reference. Problems
arise when a system creator mistakenly assumes that one of these
characteristics can not change.

Question 1: Yes. Question 2: No.
Means: Valid indicator now and moving forward:
This provides a good point of focus for new proposals. One quick example of
such a characteristic is the call-for-action. Most (not all) spam messages
include and must continue to include some call-for-action. There are of
course exceptions such as spam sent for the sake of sending and the
possibility of brand awareness spam that does not directly attempt to sell
anything.

Question 1: No.
Means: Not a valid indicator now:
Some of these characteristics do not provide a strong enough indication;
therefore we should not focus on detecting or preventing those. Such a
measurement study could make a strong statement about the usefulness of
certain paths that are being considered.

Otherwise, all that you are doing is focusing on side-effects.


 

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg