1. Technology Considerations for Spam Control 3 rd AP Net Abuse Workshop Busan 2003.8.25 Dave Crocker Brandenburg InternetWorking dcrocker@brandenburg.com

2. 2 What we will discuss Derived from  We need a “framework” for spam  Technical response to a social problem  Points of control in the email architecture  How do the components provide opportunities?  We need a framework for spam control  What is practical and effective on a global scale?  Evaluating proposals  Carefully consider any changes to global infrastructure

3. 3 What is Spam? Challenges  No clear community consensus on definition  Strong on emotion  Weak on useful discussion  Minor, transient technical differences from other mail (!)  Internet mechanisms are expensive to implement  We must ensure they will quickly be effective for extended time Sample Definitions 1.Whatever the sender decides  This means we cannot provide institutional enforcement 2.Unsolicited Commercial  Religious, political, and “crazies” are just as problematic 3.Unsolicited Bulk  Focus on consent/permission  Focus on aggregate traffic

4. 4 Experience of Spam  It is very serious, and it is getting worse  It is probably permanent, like cockroaches  It probably can be controlled to an acceptable level  But spammers are smart and adaptable  Likely to require an array of techniques  Legal, administrative, and filtering  Service providers and users  Collaborative and independent  Simple rules and statistical heuristics

5. 5 Types of Spammers  Accountable  Legitimate businesses engaging in aggressive marketing, in the absence of formal rules  Rogue  Actively avoid accountability  Likely to always have “safe haven”  Not always seeking money

6. 6 Email Points of Control UA = User Agent MTA = Message Transfer Agent o =originator i = intermediate r = recipient MTA r UA r UA o MTA o DNS MTA i1 MTA i2  Accountability  Filtering  Enforcement  Accountability  Filtering  Enforcement  Filtering

7. 7 Types of Control Proactive  Accountability  Sender/author  Sending host  Enforcement  Laws and contracts  Scope of control?  Sufficiently objective rules?  Avoids negative side-effects Reactive (filtering)  Detection  Source or destination  Content  Aggregate traffic  Action  Divert or delete  Label  Notification

8. 8 Filtering  Detection CriteriaAttribute, semantic, process Match the criteria? Positive vs. negative Likelihood of error? False positive or negative Explicitly registered? Whitelist or blacklist  Disposition Accept or RejectDanger if not recipient Label the messageStill requires action Notify interested partiesThen do what?

9. 9 Evaluating Proposals  Adoption  Effort to adopt proposal  Effort for ongoing use  Balance among participants  Threshold to benefit  Operations impact on  Adopters of proposal  Others  Internet scaling – What if…  Use by everyone  Much bigger Internet  Robustness  How easily circumvented  System metrics  Cost  Efficiency  Reliability  Impact  Amount of Net affected  Amount of spam affected  Test scenarios  Personal post/Reply  Mailing List  Inter-Enterprise

10. 10 A Sample Array of Efforts  Terminology and labels  UA/MTA spam information exchange  Provide examples and filter rules  Message authentication  Not the same as content authentication  MTA/MTA reporting  Collaborate on aggregate traffic analysis

11. 11 In summary  Changes to complex systems always have unintended, negative consequences  We must attack spam, but we must attack it carefully  Attacking superficial spam characteristics invites an arms race  Constantly “improving” tools, but constantly failing to reach a stable level of effectiveness  Adequate solutions for one constituency might be inappropriate for another  Look at their communications styles