2.2.R1 Anti-Spam Research Group (ASRG)

NOTE: This charter is a snapshot of the IRTF Meeting in San Francisco, California USA. It may now be out-of-date.

Last Modified: 2003-02-03

Chair

The ASRG Chair is Paul Judge paul.judge@ciphertrust.com.
Mail List
The email list is asrg@ietf.org. You must be a list member to send mail to the list. Subscribe via asrg-request@ietf.org. An archive of the email list is available at the ASRG mail archive.
Web Site
The main ASRG web site is at www.irtf.org/asrg.
Description
The Anti-Spam Research Group (ASRG) focuses on the problem of unwanted email messages, loosely referred to as spam. The scale, growth, and effect of spam on the Internet have generated considerable interest in addressing this problem. Once considered a nuisance, spam has grown to account for a large percentage of the mail volume on the Internet. This unwanted traffic stands to affect local networks, the infrastructure, and the way that people use email.

The definition of spam messages is not clear and is not consistent across different individuals or organizations. Therefore, we generalize the problem into "consent-based communication". This means that an individual or organization should be able to express consent or lack of consent for certain communication and have the architecture support those desires. Expressing consent is more straightforward on an individual basis; as the solution is moved closer to the source, it is more difficult to express a policy that satisfies all downstream receivers. The research group will investigate the feasibility of: (1) a single architecture that supports this and (2) a framework that allows different systems to be plugged in to provide different pieces of the solution.

Possible components of such a framework may include:

Note that "consent" need not necessarily be in advance. It is within scope for ASRG to consider frameworks in which receivers express their lack of consent only after having received a message.

The purpose of the ASRG is to understand the problem and collectively propose and evaluate solutions to the problem. While some techniques focus on local text classification approaches, many traditional and evolving techniques include approaches that involve new network architectures or changes to the existing applications and protocols.

ASRG will investigate the spam problem as a large-scale network problem. The ASRG will begin its work by developing a taxonomy of the problem and the proposed solutions. This taxonomy should involve casting the spam problem into different perspectives, such as examining the similarities between spam and denial-of-service; spam and intrusion detection/prevention; and spam and authentication, authorization, and accounting.

ASRG will consider the issues of deployment for proposed solutions, emphasizing the investigation of methods that have a realistic chance of wide-scale deployment.

The work of the ASRG will also include investigating techniques to evaluate the usefulness and cost of proposed solutions. Usefulness is described by the effectiveness, accuracy, and incentive structure of the system. The cost of the system refers to the burden imposed on users and operators of the communications system. These costs include any changes to the normal use of the system or actual changes in the monetary costs of using the system. The group will investigate evaluation infrastructures such as public trace data archives and research tools to measure and analyze the problem and the solutions.

ASRG will not pursue research into legal issues of spam, other than the extent to which these issues affect, support, or constrain the technology.


Coordination
The ASRG may develop certain technologies that could serve as a starting point for standardization efforts within the IETF, possibly in terms of the evolution of SMTP. The ASRG will strive to leverage the work of other IETF and IRTF groups as appropriate.

Membership
The ASRG is an open IRTF RG. The meetings and mailing list are open to all participants. Participants are encouraged to be deeply knowledgeable of the literature and current technologies related to spam, Internet messaging, networking, and security.

Meetings
The ASRG meetings will be held 2-3 times a year generally concurrent with IETF meetings and possibly concurrent with other conferences.

Current Meeting Report

Anti Spam Research Group (ASRG) Meeting 
March 20, 2003 
9:00 am 

Recorded by: Russell Brand 

The first meeting of the IETF Anti Spam Research Group (APRG) was held in San
Francisco on Thursday, March 20, 2003. Approximately 200 people attended. 

Paul Judge chaired the meeting. 

The meeting consisted of a set of prepared talks with questions from the
floor. There were four sets of talks: 

* charter review 

* background 

* progress reports 

* technical solutions 


Charter Review 
============== 
Paul Judge, ASRG Chair 

ASRG was formed to UNDERSTAND the problem and collectively PROPOSE and
EVALUATE solutions to allow "consent based communication." 


Laws and economics are part of the environment that our systems must work in.
Addressing public policy changes are outside of our charter. We are technical
research but cannot be blind to the legal environment and constraints. 

Evaluation for USEFULNESS should include usefulness over time, since some
solutions that worked when first introduced first years ago, no longer are
effective. As part of our charter, we are looking for long term solutions so
that we are no longer playing this "cat and mouse game." 


Background Presentations 
======================== 

Problem Scale 
------------- 
Steve Atkins, SpamCon 

http://word-to-wise.com 
http://spamcon.org 

Steve Atkins of SpamCon presented a set of statistics suggesting that SPAM was
getting worse at a rate of 9-fold a year; much faster than moore's law. 


He says that AOL is blocking about a billion piece of spam a day and if the
exponential growth of spam continues without some massive improvement in spam
blocking, we would each receive about 140,000 pieces of spam per day. 

Atkins reports: 

- a 20% *MONTHLY* growth in spam. 

- that about $650,000,000 spent on antispam products this year. (estimated 4
times that for next year) [Just product costs; burdened personnel costs are
much greater.] 

- according to a British study, $730/year lost productivity per employee to
which is a little bit more than absenteeism. 

- $8,900,000,000/year total cost to corporations. 

- Estimated cost per employee is $1-$2 for each piece of spam that makes it
through the filters. 

- Abuse compliants and terminations of a spammer, cost $2,000 to $10,0000 per
shutdown. 

Various members of the group offered that they had more reliable statistics as
to the scope and growth of the problem and the chair invited them to share
these statistics with the group. 

Among them, Brightmail with Gartner group has published careful statistics
going back several years. 


It is often hard for an ISP to shutdown a spammer even if they want to. The
legal/contract actions can be very slow because of badly written contracts, or
section of contracts that the sales reps crossed-out. 

>From the floor, it was pointed out that Spammers can sometimes get
injunctions to allow them to stay connected. 

While the precentage of replies to spam is tiny the absolute numbers are
enough to generate millions and millions of dollars of profit. Typical
response rates might be one in ten thousand with a profit of 50 dollars from
that respondent. 


National Association of Advertisers Email Service Provider Coalition 
-------------------------------------------------------------------- 

Hans Peter Brondmo, Digital Impact 

Hans Peter Brondmo presented the position of the National Advertisers
Initiative Email Service Provider Coalition (NAI/ESP). They feel that they are
being tarred with the same brush as the spammers. The members of his
organization feel that they are sending advertising and other information to
people that have given permission to receive it. 

His organization objects to their mail (perhaps unintentionally) being blocked
by the mechanisms that are used to stop the spammers. 

His organization calls for greater transparency from both the senders and the
recipients. They want all the sending organizations to be findable and
accountable for their actions and for the sending organizations to be able to
be able to understand what it is that they need to do so that the ISP's will
allow their mail to be delivered. 

Brondmo also raised an issue of granularity of concept and problems with
understanding who broad an opt-out is meant by individual. For example, how
does one say, "I still want to get the security updates for the products that
I am currently using but I don't want to get some other types of email." 


Best Practices for End Users 
---------------------------- 

John Morris 
Center for Democracy & Technology 
CDT.org 


John Morris presented results from a statistical study conducted by his
organization about how names get onto and off-of spam lists. 

ftp://67.cdt.org/pub/ietf56-asrg-spamreport.ppt 
ftp://67.cdt.org/pub/ietf56-asrg-spamreport.pdf 
www.cdt.org/speech/spam/030319spamreport.shtml 

In brief these results say suggest that: 

- most name lists are culled from websites and that minimal camouflage of
these names is currently enough (though perhaps not for long) to prevent the
names from being added 

- names are culled from the headers (but not the bodies) of USENET postings
with some groups be more targeted than others 

- opting out of mailing lists when creating an account on a web site works;
but that trying to opt out later works less frequently. 

- names are generally not culled from on-line discussion groups 

>From the floor, other observations were reported 

- dictionary attacks are common against free email accounts and that random
account names longer than 6 character are not found as quickly and often not
found at all 

- that opting out from mailing lists tends to work from "respectable"
companies but" not from sex/get-rich-quick web sites 


Prosecution of Spammers 
----------------------- 

John Praed 
Internet Law Group 

John Praed of the Internet Law Group presented his work on tracking down and
shutting down spammers. He says that generally follows the money rather than
trying to follow the IP addresses. 

His emphasis was on "dividing the room," which is to say, making everyone who
is sending bulk commercial electronic messages declare whether they are
legitimate senders (who believe they have consent) or illicit spammers. 

The key idea here is the legitimate senders are willing to be visible and
accountable for their actions. Praed suggests setting up a mandatory custodian
system (like that required for the Adult Models (erotica) 18 USC 2257) as key
step toward this and points to the success that these sunshine rules have had
in other domains. He says, for example, that every erotica site he has seen
lists where their custodians of record are. The penalties for failing to do so
are severe. 

Praed also points to the success of the anti junk-fax laws. 

These new laws would be designed to make hiding a sufficiently serious offense
as to remove any commercial incentive from hiding and have much lesser
penalties for email senders that weren't hiding but might 'accidently' send
email to unconsenting recipients. 

He talks about how "third party conspirators" make the illicit spamming
possible. These third parties include ISP that are charging above market rates
to shelter spammers and to make sure that they don't key records. 

Praed mentioned 

http://www.spamlaws.com 

as a good site for getting current legal information about SPAM including
information about state laws. 


Progress Reports and Work Items 
=============================== 

Paul Judge 
ASRG Chair 

Paul stated that even though the group was announced only 3 weeks ago, there
has been much activity and good progress. There are about 450 mailing list
members and have been about 1800 messages so far. 9 high-level work items have
been identified. 

Work Items: 
Inventory of problems* 
Characterization of the problems 
Public Trace Data* 
Spam Measurements 
Spam Categorization 
Requirements for solutions* 
Taxonomy of solutions* 
Identification of need for interoperable systems* 
Spam Test Message 
Opt-out 
Filtered Message Status 
Proposals of new solutions* 
Evaluation of proposals 
Best Practices documents 
End-users 
Mail administrators 
Mass Mailers 


Paul then reviewed the inventory of problems and the requirements for
anti-spam systems. 

The need for a literature review and comprehensive bibliography was raised
from the floor. Paul responded that a literature review falls in line with the
taxonomy and survey that is being prepared. He found a volunteer to form the
bibliography. 

Technical Solutions 
=================== 


Summary of Proposed Authentication Systems 
------------------------------------------ 

Philip Hallam Baker 
Verisign 

Philip Hallam Baker of Verisign presented a system for having mailers publish
an authentication method via the existing MX (DNS) system and that this would
make it impossible for mailer systems to be impersonated. This system would
support certificate based authentication. 

He referenced Paul Vixie's similar work (MAPS) on embedding the authentication
into SMTP (MAIL FROM). 


A Consent-Based Architecture 
---------------------------- 

David Brussin 
ePrivacy Group 


David Brussin of ePrivacy Group made a presentation on a system based on
sender authentication and third party "trust stamps" 


SHRED: Spam Harrassment via Economic Disincentives 
-------------------------------------------------- 


Balachander Krishamurthy 
ATT Research Labs 

Balachander Krishamurthy of ATT Research Labs presented a paper on using
"stamps" to provide economic disincentives against spamming. These stamps
would have appropriate cryptographic properties so as to be unforgeable and
would allow an recipient who received unwanted mail to "cancel" the stamp and
force the sender to pay real money. 

This system can have variable price stamps and has the virtue that it does not
add expense to legitimate mail traffic. It can be used in conjunction with
white lists, black lists, filters and other technologies. 

An implementation exists in about 1,000 lines of code. 

He reports that currently two of the world's largest ISP's are considering
adopting it. 

The will be made available at 

http://www.research.att.com/~bala/papers/ 

Slides

Introduction to the Anti-Spam Research Group
Size and Cost of the Problem
Solving Spam By Establishing A Platform For Sender Accountability
Best Practices for End Users
An Overview of the Law on Spam
Work Items
Taxonomy
Authentication Approaches
SHRED