Major Internet Standards Group Working On Fast Plan To Can Spam
That's not the interesting part. Everybody has a plan to end spam these days.
But the work the Anti-Spam Research Group is doing is different. The ASRG has the prestige to get its proposals put in place. The group is affiliated with the Internet Engineering Task Force (IETF), which sets the standards for the fundamental technologies that make the Internet possible.
The ASRG expects quick results, with initial technologies that will take a big bite out of spam being deployed within months, and other key technologies being deployed in one to two years. Within two years, ASRG chairman Paul Judge said he expects to see the proposed "consent-based communications framework" in place for e-mail, although work would be ongoing to keep it up-to-date.
"One of the advantages we have is that the entire community is involved," said Judge, who is also chief technology officer for e-mail filtering service provider CipherTrust. "This is a unique situation, where competing companies are working on the same problem, including large Internet service providers and e-mail security companies. We have an opportunity to deploy solutions in an effective and quick cycle here."
Among the technologies being standardized by the ASRG are:
- Simple authentication technology for e-mail, which Judge said will likely be implemented by Internet service providers and enterprise mail systems within several months, making it difficult for spammers to hide behind falsified sender addresses.
- "Trusted sender" technology to identify e-mail senders who can be trusted not to send spam and other unwanted e-mail.
- Reputation systems to allow everyone on the Internet to cooperate in identifying good and bad e-mail senders, similar to the reputation management systems that buyers and sellers use to rate each other on eBay.
- Interfaces for client-side tools to allow end-users to report spam, and opt out of legitimate e-mail that they no longer wish to receive.
- A set of best practices for challenge-response e-mail systems, which are gaining popularity but have the potential to create problems.
- A proposal to allow end-users to charge senders a fine using micropayments for sending unsolicited e-mail, if it turns out the end-user didn't want to get the e-mail.
A major principle being used by the ASRG is to avoid getting into arguments about the definition of spam. Since different groups have different definitions of spam, the ASRG is sidestepping the question and instead focusing on developing technologies that let e-mail administrators and end-users avoid unwanted e-mail, which would include spam, newsletters once subscribed to but no longer desired, and all other forms of e-mail that users don't want to receive.
A second principle being followed by the ASRG is that it is looking to extend existing e-mail technology rather than replace it, Judge said.
One of the first steps being taken is to introduce lightweight authentication and accountability into e-mail. Currently, it's easy to forge any information in an SMTP transaction, including the sender. "A spammer sitting somewhere in the world claims that his messages are from [email protected], and sends half a million messages in a spam flood," Judge said. Recipients find it difficult to figure out the real source of the e-mail. "Another problem is that [email protected] may be a real e-mail address out there. As the spam is sent, he is blamed for the spam." The real [email protected] gets inundated with a flood of error messages and complaints.
The ASRG is standardizing technology called Reverse MX, which would let a mail server receiving a message query the domain that the message purports to be from, asking whether the server that sent the mail is authorized to send for that domain. The Reverse MX service would be an add-on to the existing Domain Name System (DNS). Microsoft, Yahoo and America Online are jointly working on similar technology, and the ASRG is working with the three big consumer Internet service providers to ensure interoperability, Judge said.
Judge said he expects Internet service providers and enterprise e-mail systems to implement Reverse MX within several months, as a simple add-on to existing mail systems. At that point it will become significantly more difficult to forge the sender addresses of e-mail.
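As an added illustration, not ASRG or IETF code, here is what a Reverse MX style check looks like from inside a receiving mail server. The article gives no record format, so the `rmx=` TXT record, the domains, the addresses and the in-memory DNS table below are all constructed for this example; a real deployment would perform live DNS lookups. Note what the check does and does not establish: it tells the receiver only whether the connecting host may use the envelope sender's domain, not whether the message is wanted, which is why the group pairs it with the trusted-sender and reputation work described further down.

```python
"""Reverse-MX style sender authorization check (added example, not ASRG code).

ASSUMPTION: the authorized senders of a domain are published in a TXT
record of the form "rmx=<ip-or-cidr>[,<ip-or-cidr>...]".  The page does
not specify a format; this one is invented for the example.
"""
import ipaddress

# Constructed zone data standing in for real DNS answers.
FAKE_DNS_TXT = {
    "example.com": "rmx=192.0.2.0/24,198.51.100.7",
    "example.net": "rmx=203.0.113.10",
    # "example.org" deliberately publishes nothing: its policy is unknown.
}


def lookup_rmx(domain):
    """Return the authorized networks for `domain`, or None if it publishes no record."""
    txt = FAKE_DNS_TXT.get(domain.lower())
    if txt is None or not txt.startswith("rmx="):
        return None
    nets = []
    for item in txt[len("rmx="):].split(","):
        item = item.strip()
        if item:
            # strict=False lets a bare host address become a /32 network.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def envelope_domain(mail_from):
    """Extract the domain from an SMTP MAIL FROM argument such as '<user@example.com>'."""
    addr = mail_from.strip().strip("<>")
    if addr == "":
        return None  # null return path (a bounce): nothing to authorize against
    if "@" not in addr:
        raise ValueError("malformed MAIL FROM: %r" % mail_from)
    return addr.rsplit("@", 1)[1]


def check_sender(client_ip, mail_from):
    """Classify one SMTP transaction as 'pass', 'fail' or 'unknown'."""
    domain = envelope_domain(mail_from)
    if domain is None:
        return "unknown"
    nets = lookup_rmx(domain)
    if nets is None:
        return "unknown"  # domain has not deployed the record yet
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in nets) else "fail"


def smtp_reply(client_ip, mail_from):
    """Map the verdict to an SMTP reply.

    'unknown' is accepted so that the check can be rolled out before every
    domain publishes a record; only a positive mismatch is rejected.
    """
    if check_sender(client_ip, mail_from) == "fail":
        return "550 5.7.1 Sender address rejected: host not authorized for domain"
    return "250 2.1.0 Sender OK"


if __name__ == "__main__":
    for ip, sender in (("192.0.2.77", "<alice@example.com>"),
                       ("10.0.0.5", "<alice@example.com>"),
                       ("10.0.0.5", "<bob@example.org>")):
        print(ip, sender, check_sender(ip, sender), "->", smtp_reply(ip, sender))
```

The three-way verdict matters in practice: a receiver that treated "no record" the same as "fail" would reject mail from every domain that had not yet deployed the scheme, which is exactly the incremental rollout the article says the group is counting on.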
The ASRG is also looking into standardizing means for e-mail senders to express that the recipient has given consent to receive the e-mail, Judge said. The ASRG is looking into tokens that could be embedded into e-mail, which would demonstrate that the receiver of the mail gave permission to receive it. Existing encryption technologies would make the tokens practically unforgeable, Judge said. These sorts of "trusted sender" programs are being pushed forward by several organizations: The ePrivacy Group and the E-Mail Service Provider Coalition are working on trusted sender programs, called the Trusted E-Mail Open Standard (TEOS) and Project Lumos, respectively. In a recent U.S. Senate Commerce Committee hearing, Microsoft Chairman Bill Gates sent a letter endorsing creation of a federally overseen trusted sender program. And Habeas takes a different tack on trusted sender: rather than embedding a cryptographic token in e-mail, Habeas puts a plain-text haiku into the headers of its clients' e-mail, and then sues companies under copyright law if they abuse the Habeas terms of service.
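The article says only that an embedded token would prove the recipient gave permission and that encryption would make it hard to forge. The following added example, which is not an ASRG specification or any vendor's code, shows one way to get that property with a keyed hash: the recipient's mail system mints a token when the user subscribes, the sender carries it in a header, and the recipient's server verifies it on delivery. The header name `X-Consent-Token`, the token layout, the use of HMAC-SHA256, the key and the sample message are all assumptions made for this example.

```python
"""Consent token for e-mail (added example, not an ASRG or vendor design).

ASSUMPTIONS: the token travels in an "X-Consent-Token" header, is laid out
as "<sender-domain>;<expiry-unix-time>;<base64 HMAC-SHA256>", and the MAC
is keyed by a secret held only by the recipient's mail system.
"""
import base64
import email
import email.utils
import hashlib
import hmac

CONSENT_HEADER = "X-Consent-Token"
# Constructed secret for the example; a real receiver keeps one per site.
RECEIVER_KEY = b"example.org-consent-key-constructed-for-this-example"


def _mac(key, recipient, sender_domain, expires_at):
    """MAC over recipient, sender domain and expiry: the token is bound to all three."""
    payload = "%s|%s|%d" % (recipient.lower(), sender_domain.lower(), expires_at)
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()


def issue_token(key, recipient, sender_domain, expires_at):
    """Minted by the recipient's mail system when the user subscribes.

    Only the MAC, the sender domain and the expiry travel; the recipient is
    known to the verifier from RCPT TO, so a token harvested from one list
    cannot be replayed to a different mailbox, by another sender, or forever.
    """
    mac = base64.urlsafe_b64encode(_mac(key, recipient, sender_domain, expires_at))
    return "%s;%d;%s" % (sender_domain.lower(), expires_at, mac.decode("ascii"))


def verify_token(key, recipient, sender_domain, token, now, revoked=frozenset()):
    """Checked by the recipient's MTA; returns a status string."""
    try:
        tok_domain, exp_str, mac_b64 = token.strip().split(";")
        expires_at = int(exp_str)
        presented = base64.urlsafe_b64decode(mac_b64.encode("ascii"))
    except (ValueError, TypeError):
        return "malformed"
    if tok_domain != sender_domain.lower():
        return "domain-mismatch"          # token was issued to some other sender
    if now > expires_at:
        return "expired"
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(presented, _mac(key, recipient, tok_domain, expires_at)):
        return "forged"
    if (recipient.lower(), tok_domain) in revoked:
        return "revoked"                  # the user opted out after subscribing
    return "consented"


def classify_message(raw, key, recipient, now, revoked=frozenset()):
    """Pull the From: domain and the token out of a raw message and verify them."""
    msg = email.message_from_string(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    if "@" not in sender:
        return "no-sender"
    token = msg.get(CONSENT_HEADER)
    if token is None:
        return "no-token"
    return verify_token(key, recipient, sender.rsplit("@", 1)[1], token, now, revoked)


# Constructed sample: a fixed clock and a newsletter that carries a valid token.
NOW = 1_700_000_000
GOOD_TOKEN = issue_token(RECEIVER_KEY, "user@example.org", "news.example.com", NOW + 86400 * 30)
SAMPLE_MESSAGE = "\r\n".join([
    "From: Newsletter <bulk@news.example.com>",
    "To: user@example.org",
    "Subject: Weekly digest",
    "%s: %s" % (CONSENT_HEADER, GOOD_TOKEN),
    "",
    "Constructed body.",
    "",
])

if __name__ == "__main__":
    print(classify_message(SAMPLE_MESSAGE, RECEIVER_KEY, "user@example.org", NOW))
```

A token like this only says "this mailbox once agreed to hear from this domain"; it does not prove the message actually came from that domain, so in practice it is checked together with a sender-authorization check such as the Reverse MX lookup above. The `revoked` set is the hook for the "opt out" button discussed later in the article: pressing it adds the (recipient, domain) pair and every later message from that list is refused even though its token still verifies.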
Reputation systems being standardized by the ASRG would allow mail servers to share information about e-mail senders. Bouncebacks and complaints would be shared between e-mail servers, and the information would be used to let e-mail administrators set policies on which servers they'd receive e-mail from and which servers to block. The reputation system would be implemented in a decentralized way, similar to the existing, open source Vipul's Razor spam-filtering network, Judge said. Razor is implemented commercially in CloudMark software. CipherTrust introduced its own version of reputation-management technology for e-mail in March.
Judge said he expects reputation management systems to be standardized in one to two years.
The ASRG is also working on some standardized interfaces for client-side technology. "There are definitely advantages to some systems that have a 'This Is Spam' button," Judge said. "But one thing that we noticed is that, for systems like Yahoo and AOL that have a 'This Is Spam' button, people often use it to indicate messages that they actually signed up for at some point. Rather than go through the process of unsubscribing, they report it as spam. End-users think, 'If I press this button, the system will stop delivering it to me, and that's a lot easier.'" The ASRG is working on developing a standard for an "Opt Out" button, which would sit next to the "This Is Spam" button and allow end-users to unsubscribe from e-mail they no longer wish to receive. "We're looking at methods of standardizing an opt-out protocol," Judge said.
Judge said he expects standard "this is spam" and "opt out" technologies to be available within a year.
The ASRG divides e-mail control systems into three categories: deterrence, prevention and detection. Traditional spam-blocking systems focus on detection, or finding spam. Messages are innocent until proven guilty, assumed legitimate until and unless spam-blocking software tags them as spam.
Prevention-based systems take the opposite approach, creating "whitelists" of approved senders and types of e-mail and assuming all unknown e-mail is undesired. These include challenge-response systems, where unknown e-mail senders automatically receive responses requiring them to take some action -- send a reply, fill out a Web form -- before their messages are released for delivery. Challenge-response systems have been implemented by companies including MailBlocks and Sunbelt Software, and Earthlink is reportedly testing challenge-response systems for its members.
Challenge-response systems work well for consumers who exchange e-mail with a static group of people, less well for business users who might receive important e-mail from people they've never corresponded with before, Judge said. "In the enterprise, the list of people you communicate with is dynamic. People e-mail to ask for more information about a product, and what are you going to do, send a challenge back to make them prove they are not spammers?" Judge said. "For one company we work with, a single order might be worth $10 million, and they cannot afford to miss a message. One missed message can cost this company $10 million."
Moreover, challenge-response systems can create problems for users subscribed to mailing lists, can break down if two users with challenge-response systems attempt to communicate with each other, and add to the overall network traffic burden created by spam.
The ASRG is working on a set of best practices and recommendations for challenge-response systems.
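The breakdown between two challenge-response users is easy to reproduce. The added simulation below, which is not an ASRG artifact or any vendor's product, models two mailboxes that hold unknown senders' mail and challenge them, with two policy switches so the naive behaviour can be compared with the usual best practices: remember whom you write to, so their reply is not challenged, and never challenge automatic mail, recognized here by the Auto-Submitted header of RFC 3834 or an empty return path. The addresses, header names and challenge format are constructed for the example.

```python
"""Two challenge-response mailboxes talking to each other (added example).

ASSUMPTIONS: a challenge is an automatic message carrying "Auto-Submitted:
auto-replied" and an "X-CR-Token" naming the challenged sender; the human
answers by sending back "X-CR-Answer" with their own address.  Both header
names are invented for this simulation.
"""
import collections

Message = collections.namedtuple("Message", "mail_from rcpt_to headers body")


class CRMailbox:
    def __init__(self, address, whitelist_outbound, challenge_auto):
        self.address = address
        self.whitelist_outbound = whitelist_outbound  # best practice: True
        self.challenge_auto = challenge_auto          # best practice: False
        self.whitelist = set()
        self.inbox = []
        self.held = collections.defaultdict(list)     # sender -> mail awaiting confirmation
        self.challenges_sent = 0

    def compose(self, to, body):
        """Mail written by the owner; optionally remember the correspondent."""
        if self.whitelist_outbound:
            self.whitelist.add(to)
        return Message(self.address, to, {}, body)

    def receive(self, msg):
        """Process one inbound message; return the messages sent in response."""
        out = []
        if msg.mail_from == "":             # bounce / null return path: cannot be challenged
            if not self.challenge_auto:
                self.inbox.append(msg)
            return out                      # the naive policy silently loses it
        answer = msg.headers.get("X-CR-Answer")
        if answer is not None:              # someone confirming one of our challenges
            if answer == msg.mail_from and msg.mail_from in self.held:
                self.whitelist.add(msg.mail_from)
                self.inbox.extend(self.held.pop(msg.mail_from))
            return out
        automatic = msg.headers.get("Auto-Submitted", "no") != "no"
        if msg.mail_from in self.whitelist or (automatic and not self.challenge_auto):
            self.inbox.append(msg)
            if msg.headers.get("X-CR-Token") == self.address:
                # Simulates the human owner reading the challenge and confirming it.
                out.append(Message(self.address, msg.mail_from,
                                   {"X-CR-Answer": self.address}, "confirmed"))
        else:
            self.held[msg.mail_from].append(msg)
            self.challenges_sent += 1
            out.append(Message(self.address, msg.mail_from,
                               {"Auto-Submitted": "auto-replied", "X-CR-Token": msg.mail_from},
                               "Please confirm you are a person before your mail is delivered"))
        return out


def simulate(sender, receiver, body, max_hops=40):
    """Send `body` from sender to receiver and report what happened on the wire."""
    boxes = {sender.address: sender, receiver.address: receiver}
    queue = collections.deque([sender.compose(receiver.address, body)])
    hops = 0
    while queue and hops < max_hops:
        hops += 1
        msg = queue.popleft()
        queue.extend(boxes[msg.rcpt_to].receive(msg))
    return {
        "delivered": any(m.body == body for m in receiver.inbox),
        "looped": bool(queue),              # traffic still flowing after max_hops: ping-pong
        "challenges": sender.challenges_sent + receiver.challenges_sent,
        "hops": hops,
    }


def naive_pair():
    return (CRMailbox("alice@a.example", whitelist_outbound=False, challenge_auto=True),
            CRMailbox("bob@b.example", whitelist_outbound=False, challenge_auto=True))


def best_practice_pair():
    return (CRMailbox("alice@a.example", whitelist_outbound=True, challenge_auto=False),
            CRMailbox("bob@b.example", whitelist_outbound=True, challenge_auto=False))


if __name__ == "__main__":
    for name, pair in (("naive", naive_pair()), ("best practice", best_practice_pair())):
        print(name, simulate(*pair, body="Hi Bob, can I order 500 units?"))
```

With the naive pair, Bob's system challenges Alice, Alice's system challenges the challenge, and the two exchange challenges until the hop limit, with the original message never delivered: exactly the extra traffic and the lost mail the article warns about. Either best practice alone breaks the loop, and with both in place a single challenge is sent and the message is released after Alice confirms.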
And the ASRG is looking into micropayment systems designed to shift the cost of e-mail from the receiver to the sender. One proposal, from AT&T, is called Spam Harassment Reduction Via Economic Disincentive (SHRED). SHRED would be applied only to unsolicited e-mail: the end-user can charge senders a per-message fine for unsolicited messages that the end-user does not want to receive. That fine would be paid to the receiver's Internet service provider or to the enterprise, to cover the cost of processing unsolicited e-mail.
Microsoft has proposed a system similar to SHRED, which it calls Penny Black.
"Anybody would have the ability to send any amount of unsolicited bulk e-mail they wish, but they would have to be willing to pay the cost," Judge said.
Judge said government regulation and legislation should be used to make it illegal to attempt to circumvent or forge the measures put in place for consent-based e-mail systems, similar to existing legislation and regulations governing computer attacks and intrusion prevention.