• United States

MIT Spam Conference looks beyond filters

Jan 17, 20044 mins
Enterprise ApplicationsMalwareSecurity

Leading researchers into spam e-mail, along with some of its victims, gathered on the campus of the Massachusetts Institute of Technology (MIT) Friday for the second annual MIT Spam Conference.

While last year’s event provided a forum for those championing the use of spam filters to stop unwanted e-mail solicitations, the 2004 Spam Conference was notable for discussions of a whole spectrum of spam-fighting tools, from the use of authentication to verify e-mail senders, to lawsuits that target individual spammers.

Bayesian filters, which identify spam by assigning statistical probabilities to message content, were again a focus of discussion at the conference. The filters have made it much harder for spammers to get messages through to users, but they have not stemmed the tide of spam, according to interviews with conference attendees.

Despite the wide use of spam filters, 70% of the e-mail messages received by Microsoft’s Hotmail Web-based e-mail service are spam messages, according to Geoff Hulten, a spam researcher for Microsoft.

“The Bayesian solution is useful, but it just sweeps the spam problem under the rug. The spam is still there clogging up your system,” said Keith Ivey of Smokescreen Consulting in Washington, D.C.

Researchers discussed ways to improve the performance and accuracy of Bayesian filters, such as deploying them on servers rather than on e-mail clients.

However, just as much discussion was given to other techniques that could be used in conjunction with filters, or in place of them.

Speaking on the topic of suing spammers, John Praed of the Internet Law Group said that spam filter writers needed to work in conjunction with law enforcement to help build cases and bring legal action against spammers.

E-mail providers and law enforcement must also be more savvy about using existing laws to stop activities that support spammers, such as e-mail harvesting from Web pages, said Matthew Prince, cofounder of UnSpam.

E-mail providers can include language on Web pages that makes address harvesting and other activities illegal. Such technologically simple steps would help cast spammer activities like address harvesting in terms that courts understand, such as “breach of contract,” he said.

Providers could even use provisions of the Digital Millennium Copyright Act (DMCA) to go after spammers by declaring e-mail addresses trade secrets, Prince suggested, drawing groans from many in the audience.

More than one speaker touched on the need to better secure e-mail exchanges, making it harder for spammers to use faked (or “spoofed”) e-mail addresses to circumvent antispam technology.

Representatives from Yahoo were also in attendance to talk about that company’s support for user authentication to fight spam.

“If you know with certainty who the sender is, you know for certain whether the message is spam,” said Laura Yecies, senior director of mail products at Yahoo.

Yahoo is championing the use of so-called “domain keys,” which use public key encryption technology at the domain level to verify the sender of e-mail messages.

Using domain keys, Internet service providers (ISPs) can allow authenticated e-mail messages to bypass spam filters, freeing up resources to interrogate unauthenticated messages, she said. Unlike similar services offered by certificate authorities such as VeriSign, domain key technology would be offered for free and available to even small online businesses, Yecies said.

However, there must be widespread adoption of the domain keys model in order for it to be effective in stopping spam. Yahoo is working on a proposal to implement an authentication system in conjunction with the top six ISPs, she said.

Despite the wealth of legal and technological tools at the disposal of spam fighters, including a new federal antispam law in the U.S., most at the 2004 Spam Conference agreed that it was unlikely spam would be wiped out anytime soon.

Spammers can easily move their operations offshore to avoid legal problems and use networks of loosely protected home computers to disguise the source of spam e-mail, Praed said.

However, there was a growing sense that antispam efforts were taking a toll on spammers — if only in raising the cost of doing business through lawsuits, precise filtering and other approaches.

Evidence of that may have come from the presence in the audience of representatives from online mailing lists and direct marketing companies that have become the target of spam filters and antispammers.

“I’m here listening and absorbing,” said Rob Edwards, director of information technology at Royall, a direct marketing company that works on behalf of around 150 universities to reach college-bound high school students using “high volume e-mail.”

Edwards saw the 2004 Spam Conference as a way to “stay in touch with all segments of the industry” and said that Royall is interested in staying on the “right side” of the spam issue.