Last Modified: 2003-02-03
Chair
The ASRG Chair is Paul Judge, paul.judge@ciphertrust.com.
Mail List
The email list is asrg@ietf.org. You must be a list member to send mail to the list. Subscribe via asrg-request@ietf.org. An archive of the email list is available at the ASRG mail archive.
Web Site
The main ASRG web site is at www.irtf.org/asrg.
Description
The Anti-Spam Research Group (ASRG) focuses on the problem of unwanted email messages, loosely referred to as spam. The scale, growth, and effect of spam on the Internet have generated considerable interest in addressing this problem. Once considered a nuisance, spam has grown to account for a large percentage of the mail volume on the Internet. This unwanted traffic stands to affect local networks, the infrastructure, and the way that people use email.

The definition of spam messages is not clear and is not consistent across different individuals or organizations. Therefore, we generalize the problem into "consent-based communication". This means that an individual or organization should be able to express consent or lack of consent for certain communication and have the architecture support those desires. Expressing consent is more straightforward on an individual basis; as the solution is moved closer to the source, it is more difficult to express a policy that satisfies all downstream receivers. The research group will investigate the feasibility of: (1) a single architecture that supports this and (2) a framework that allows different systems to be plugged in to provide different pieces of the solution.
Possible components of such a framework may include:
- Consent Expression Component: This involves recipients expressing a policy that gives consent or non-consent for certain types of communications.
- Policy Enforcement Component: This involves subsystems within the communication system that enforce the policy. The overall framework may involve multiple subsystems within the policy enforcement component. This may involve fail-open or fail-closed approaches. With a fail-open approach, the system must identify messages that do not have consent. For example, this may include approaches that determine the nature of a message based on its characteristics or input from a collaborative filtering system. With a fail-closed approach, the system must identify messages that do have consent and only allow those to be delivered. For example, consent may be expressed by a policy, by a "consent token" within the message, or by some payment that essentially purchases consent or delivery rights.
- Source Tracking Component: This component provides deterrence to parties that consider violating the policy by facilitating identification and tracking of senders that violate the policy. This may require non-repudiation at the original sender, the sender's ISP, or some other entities involved in the communication system.

Note that "consent" need not necessarily be in advance. It is within scope for ASRG to consider frameworks in which receivers express their lack of consent only after having received a message.
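The fail-open versus fail-closed distinction in the Policy Enforcement Component is easiest to see on the same message under both modes. The following is an added illustration, not ASRG code or any proposal discussed by the group: the message shape, the policy fields, the HMAC-based "consent token" and the keyword heuristic that stands in for a content or collaborative-filter classifier are all assumptions made for the example.

```python
"""Toy model of the charter's "policy enforcement component" in its two modes.
Added example, not ASRG code: the message shape, the policy fields, the
consent-token construction and the content heuristic are all assumptions."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    consent_token: Optional[str] = None   # optional "consent token" carried in the message


@dataclass
class ConsentPolicy:
    """Consent expression: what the recipient has agreed to receive (assumed shape)."""
    allowed_senders: set = field(default_factory=set)
    allowed_domains: set = field(default_factory=set)
    # Secret the recipient uses to mint consent tokens it hands to senders (assumption).
    token_key: bytes = b"constructed-recipient-secret"

    def token_for(self, sender: str) -> str:
        """Mint the token the recipient would give `sender` when granting consent."""
        return hmac.new(self.token_key, sender.encode(), hashlib.sha256).hexdigest()

    def consents_to(self, msg: Message) -> bool:
        """Positive evidence of consent: listed sender, listed domain, or a valid token."""
        if msg.sender in self.allowed_senders:
            return True
        if msg.sender.rsplit("@", 1)[-1] in self.allowed_domains:
            return True
        if msg.consent_token is not None:
            # Token is bound to the sender, so one sender cannot reuse another's token.
            return hmac.compare_digest(msg.consent_token, self.token_for(msg.sender))
        return False


def looks_unwanted(msg: Message) -> bool:
    """Stand-in for a content classifier or collaborative-filter verdict (assumption):
    flags a message when two or more constructed marker phrases appear."""
    markers = ("free", "act now", "guaranteed", "$$$", "click here")
    text = f"{msg.subject} {msg.body}".lower()
    return sum(marker in text for marker in markers) >= 2


def enforce(policy: ConsentPolicy, msg: Message, mode: str) -> bool:
    """Return True if the message is delivered under the given mode.

    fail-open:   deliver unless the system identifies the message as lacking consent.
    fail-closed: deliver only when the system identifies the message as having consent.
    """
    if mode == "fail-open":
        return not looks_unwanted(msg)
    if mode == "fail-closed":
        return policy.consents_to(msg)
    raise ValueError(f"unknown mode: {mode}")


def compare_modes(policy: ConsentPolicy, msg: Message) -> dict:
    """Deliver/reject decision for the same message under both modes."""
    return {mode: enforce(policy, msg, mode) for mode in ("fail-open", "fail-closed")}


if __name__ == "__main__":
    # Constructed sample policy and messages.
    policy = ConsentPolicy(allowed_senders={"alerts@vendor.example"},
                           allowed_domains={"lists.example"})
    vendor_promo = Message("alerts@vendor.example", "FREE upgrade, act now",
                           "Guaranteed savings on your subscription")
    stranger_note = Message("someone@unknown.example", "Question about your paper",
                            "Could you share the dataset from section 3?")
    tokened = Message("newsletter@press.example", "Weekly digest", "...",
                      consent_token=policy.token_for("newsletter@press.example"))
    for m in (vendor_promo, stranger_note, tokened):
        print(m.sender, compare_modes(policy, m))
```

The two modes fail in opposite directions: fail-open drops the consented vendor mail because its wording trips the classifier, while fail-closed drops the harmless note from a stranger because nothing positively shows consent. Which error is cheaper is exactly the usefulness-versus-cost question the charter asks the group to evaluate.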
The purpose of the ASRG is to understand the problem and collectively propose and evaluate solutions to the problem. While some techniques focus on local text classification approaches, many traditional and evolving techniques include approaches that involve new network architectures or changes to the existing applications and protocols.
ASRG will investigate the spam problem as a large-scale network problem. The ASRG will begin its work by developing a taxonomy of the problem and the proposed solutions. This taxonomy should involve casting the spam problem into different perspectives, such as examining the similarities between spam and denial-of-service; spam and intrusion detection/prevention; and spam and authentication, authorization, and accounting.
ASRG will consider the issues of deployment for proposed solutions, emphasizing the investigation of methods that have a realistic chance of wide-scale deployment.
The work of the ASRG will also include investigating techniques to evaluate the usefulness and cost of proposed solutions. Usefulness is described by the effectiveness, accuracy, and incentive structure of the system. The cost of the system refers to the burden imposed on users and operators of the communications system. These costs include any changes to the normal use of the system or actual changes in the monetary costs of using the system. The group will investigate evaluation infrastructures such as public trace data archives and research tools to measure and analyze the problem and the solutions.
ASRG will not pursue research into legal issues of spam, other than the extent to which these issues affect, support, or constrain the technology.
The ASRG may develop certain technologies that could serve as a starting point for standardization efforts within the IETF, possibly in terms of the evolution of SMTP. The ASRG will strive to leverage the work of other IETF and IRTF groups as appropriate.
The ASRG is an open IRTF RG. The meetings and mailing list are open to all participants. Participants are encouraged to be deeply knowledgeable of the literature and current technologies related to spam, Internet messaging, networking, and security.
The ASRG meetings will be held 2-3 times a year generally concurrent with IETF meetings and possibly concurrent with other conferences.
Anti Spam Research Group (ASRG) Meeting
March 20, 2003, 9:00 am
Recorded by: Russell Brand

The first meeting of the IETF Anti Spam Research Group (ASRG) was held in San Francisco on Thursday, March 20, 2003. Approximately 200 people attended. Paul Judge chaired the meeting. The meeting consisted of a set of prepared talks with questions from the floor. There were four sets of talks:

* charter review
* background
* progress reports
* technical solutions

Charter Review
==============

Paul Judge, ASRG Chair

ASRG was formed to UNDERSTAND the problem and collectively PROPOSE and EVALUATE solutions to allow "consent based communication."

Laws and economics are part of the environment that our systems must work in. Addressing public policy changes is outside of our charter. We are technical research but cannot be blind to the legal environment and constraints.

Evaluation for USEFULNESS should include usefulness over time, since some solutions that worked when first introduced years ago are no longer effective. As part of our charter, we are looking for long term solutions so that we are no longer playing this "cat and mouse game."

Background Presentations
========================

Problem Scale
-------------

Steve Atkins, SpamCon
http://word-to-wise.com
http://spamcon.org

Steve Atkins of SpamCon presented a set of statistics suggesting that spam was getting worse at a rate of 9-fold a year, much faster than Moore's law. He says that AOL is blocking about a billion pieces of spam a day, and that if the exponential growth of spam continues without some massive improvement in spam blocking, we would each receive about 140,000 pieces of spam per day.

Atkins reports:
- a 20% *MONTHLY* growth in spam.
- that about $650,000,000 will be spent on antispam products this year (estimated 4 times that for next year). [Just product costs; burdened personnel costs are much greater.]
- according to a British study, $730/year lost productivity per employee, which is a little bit more than absenteeism.
- $8,900,000,000/year total cost to corporations.
- an estimated cost per employee of $1-$2 for each piece of spam that makes it through the filters.
- abuse complaints and terminations of a spammer cost $2,000 to $10,0000 per shutdown.

Various members of the group offered that they had more reliable statistics as to the scope and growth of the problem, and the chair invited them to share these statistics with the group. Among them, Brightmail with Gartner Group has published careful statistics going back several years.

It is often hard for an ISP to shut down a spammer even if they want to. The legal/contract actions can be very slow because of badly written contracts, or sections of contracts that the sales reps crossed out. From the floor, it was pointed out that spammers can sometimes get injunctions to allow them to stay connected.

While the percentage of replies to spam is tiny, the absolute numbers are enough to generate millions and millions of dollars of profit. Typical response rates might be one in ten thousand, with a profit of 50 dollars from that respondent.

National Association of Advertisers Email Service Provider Coalition
--------------------------------------------------------------------

Hans Peter Brondmo, Digital Impact

Hans Peter Brondmo presented the position of the National Advertisers Initiative Email Service Provider Coalition (NAI/ESP). They feel that they are being tarred with the same brush as the spammers. The members of his organization feel that they are sending advertising and other information to people that have given permission to receive it. His organization objects to their mail (perhaps unintentionally) being blocked by the mechanisms that are used to stop the spammers.

His organization calls for greater transparency from both the senders and the recipients. They want all the sending organizations to be findable and accountable for their actions, and for the sending organizations to be able to understand what it is that they need to do so that the ISPs will allow their mail to be delivered.

Brondmo also raised an issue of granularity of consent and problems with understanding how broad an opt-out is meant by an individual. For example, how does one say, "I still want to get the security updates for the products that I am currently using but I don't want to get some other types of email."

Best Practices for End Users
----------------------------

John Morris, Center for Democracy & Technology
CDT.org

John Morris presented results from a statistical study conducted by his organization about how names get onto and off of spam lists.
ftp://67.cdt.org/pub/ietf56-asrg-spamreport.ppt
ftp://67.cdt.org/pub/ietf56-asrg-spamreport.pdf
www.cdt.org/speech/spam/030319spamreport.shtml

In brief, these results suggest that:
- most name lists are culled from websites, and that minimal camouflage of these names is currently enough (though perhaps not for long) to prevent the names from being added
- names are culled from the headers (but not the bodies) of USENET postings, with some groups being more targeted than others
- opting out of mailing lists when creating an account on a web site works, but trying to opt out later works less frequently
- names are generally not culled from on-line discussion groups

From the floor, other observations were reported:
- dictionary attacks are common against free email accounts, and random account names longer than 6 characters are not found as quickly and often not found at all
- opting out from mailing lists tends to work from "respectable" companies but not from sex/get-rich-quick web sites

Prosecution of Spammers
-----------------------

John Praed, Internet Law Group

John Praed of the Internet Law Group presented his work on tracking down and shutting down spammers. He says that he generally follows the money rather than trying to follow the IP addresses.

His emphasis was on "dividing the room," which is to say, making everyone who is sending bulk commercial electronic messages declare whether they are legitimate senders (who believe they have consent) or illicit spammers. The key idea here is that legitimate senders are willing to be visible and accountable for their actions.

Praed suggests setting up a mandatory custodian system (like that required for adult models (erotica) under 18 USC 2257) as a key step toward this, and points to the success that these sunshine rules have had in other domains. He says, for example, that every erotica site he has seen lists where their custodians of record are. The penalties for failing to do so are severe. Praed also points to the success of the anti junk-fax laws.

These new laws would be designed to make hiding a sufficiently serious offense as to remove any commercial incentive from hiding, and to have much lesser penalties for email senders that weren't hiding but might 'accidentally' send email to unconsenting recipients.

He talks about how "third party conspirators" make the illicit spamming possible. These third parties include ISPs that are charging above market rates to shelter spammers and to make sure that they don't keep records.

Praed mentioned http://www.spamlaws.com as a good site for getting current legal information about spam, including information about state laws.

Progress Reports and Work Items
===============================

Paul Judge, ASRG Chair

Paul stated that even though the group was announced only 3 weeks ago, there has been much activity and good progress. There are about 450 mailing list members and there have been about 1800 messages so far. 9 high-level work items have been identified.

Work Items:
- Inventory of problems*
  - Characterization of the problems
- Public Trace Data*
  - Spam Measurements
  - Spam Categorization
- Requirements for solutions*
- Taxonomy of solutions*
- Identification of need for interoperable systems*
  - Spam Test Message
  - Opt-out
  - Filtered Message Status
- Proposals of new solutions*
  - Evaluation of proposals
- Best Practices documents
  - End-users
  - Mail administrators
  - Mass Mailers

Paul then reviewed the inventory of problems and the requirements for anti-spam systems. The need for a literature review and comprehensive bibliography was raised from the floor. Paul responded that a literature review falls in line with the taxonomy and survey that is being prepared. He found a volunteer to form the bibliography.

Technical Solutions
===================

Summary of Proposed Authentication Systems
------------------------------------------

Philip Hallam-Baker, Verisign

Philip Hallam-Baker of Verisign presented a system for having mailers publish an authentication method via the existing MX (DNS) system; this would make it impossible for mailer systems to be impersonated. This system would support certificate based authentication. He referenced Paul Vixie's similar work (MAPS) on embedding the authentication into SMTP (MAIL FROM).

A Consent-Based Architecture
----------------------------

David Brussin, ePrivacy Group

David Brussin of ePrivacy Group made a presentation on a system based on sender authentication and third party "trust stamps".

SHRED: Spam Harassment via Economic Disincentives
-------------------------------------------------

Balachander Krishnamurthy, AT&T Research Labs

Balachander Krishnamurthy of AT&T Research Labs presented a paper on using "stamps" to provide economic disincentives against spamming. These stamps would have appropriate cryptographic properties so as to be unforgeable, and would allow a recipient who received unwanted mail to "cancel" the stamp and force the sender to pay real money. This system can have variable price stamps and has the virtue that it does not add expense to legitimate mail traffic. It can be used in conjunction with white lists, black lists, filters and other technologies. An implementation exists in about 1,000 lines of code. He reports that currently two of the world's largest ISPs are considering adopting it. The paper will be made available at http://www.research.att.com/~bala/papers/
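The properties the SHRED talk lists (unforgeable stamps, cancellation by the recipient, a charge only when a stamp is cancelled, no cost for mail nobody objects to) can be checked against a small model. The code below is an added illustration and is not the SHRED implementation or the paper's design: the issuer role, the HMAC tag, the stamp fields, the binding of a stamp to a message digest and the accounting are all assumptions chosen to show the mechanics.

```python
"""Toy model of the cancellable e-mail "stamps" described in the SHRED talk.
Added example, not the SHRED implementation: the issuer role, the HMAC tag,
the stamp fields, the binding to a message digest and the accounting are
all assumptions made to show the mechanics (unforgeable, cancellable once,
free for mail nobody cancels)."""
import hashlib
import hmac
import secrets
from typing import Dict, Set


def message_digest(raw_message: bytes) -> str:
    """Digest binding a stamp to one specific message, so a stamp cannot be reused."""
    return hashlib.sha256(raw_message).hexdigest()


class StampIssuer:
    """Assumed trusted party that mints stamps for senders and settles cancellations."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)        # issuer's MAC key (assumption)
        self._cancelled: Set[str] = set()          # serials already cancelled
        self.charges: Dict[str, int] = {}          # sender -> cents owed

    def _tag(self, sender: str, serial: str, value_cents: int, digest: str) -> str:
        data = f"{sender}|{serial}|{value_cents}|{digest}".encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def issue(self, sender: str, value_cents: int, raw_message: bytes) -> dict:
        """Mint a stamp for one message. Issuing is free; only cancellation costs."""
        serial = secrets.token_hex(8)
        digest = message_digest(raw_message)
        self.charges.setdefault(sender, 0)
        return {"sender": sender, "serial": serial, "value": value_cents,
                "digest": digest,
                "tag": self._tag(sender, serial, value_cents, digest)}

    def verify(self, stamp: dict, raw_message: bytes) -> bool:
        """Recipient-side check (via the issuer): tag intact and stamp matches this message."""
        if stamp["digest"] != message_digest(raw_message):
            return False
        expected = self._tag(stamp["sender"], stamp["serial"], stamp["value"], stamp["digest"])
        return hmac.compare_digest(expected, stamp["tag"])

    def cancel(self, stamp: dict, raw_message: bytes) -> bool:
        """Recipient cancels the stamp on unwanted mail; the sender is charged once."""
        if not self.verify(stamp, raw_message):
            return False
        if stamp["serial"] in self._cancelled:
            return False                            # no double charging
        self._cancelled.add(stamp["serial"])
        self.charges[stamp["sender"]] += stamp["value"]
        return True


def run_scenario(issuer: StampIssuer) -> dict:
    """Constructed exchange: two stamped messages, one wanted, one not."""
    wanted = b"From: colleague@example.test\n\nMinutes from today's meeting attached."
    unwanted = b"From: bulk@example.test\n\nAmazing offer, act now!"
    s_wanted = issuer.issue("colleague@example.test", 25, wanted)
    s_unwanted = issuer.issue("bulk@example.test", 25, unwanted)
    assert issuer.verify(s_wanted, wanted) and issuer.verify(s_unwanted, unwanted)
    # Recipient cancels only the unwanted one; a second cancel must not charge twice.
    first = issuer.cancel(s_unwanted, unwanted)
    second = issuer.cancel(s_unwanted, unwanted)
    # Tampering with the value, or replaying a stamp on another message, fails.
    forged = dict(s_unwanted, value=1)
    return {"first_cancel": first,
            "second_cancel": second,
            "forged_verifies": issuer.verify(forged, unwanted),
            "replay_verifies": issuer.verify(s_wanted, unwanted),
            "charges": dict(issuer.charges)}


if __name__ == "__main__":
    print(run_scenario(StampIssuer()))
```

Two design choices carry the talk's claims: the serial set makes each stamp cancellable exactly once, so a recipient cannot charge a sender repeatedly, and binding the tag to the message digest stops a sender from attaching one stamp to many messages. The wanted message's stamp is never cancelled, so its sender owes nothing, which is the "no expense to legitimate mail" property.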