1. RUCUS - IETF 71 1 Lessons Learned From IETF Email Antispam Work Jim Fenton

2. RUCUS - IETF 71 2 Email Antispam work in IETF?  AntiSpam Research Group in IRTF Meets Tuesday afternoon  Two WGs have focused on email authentication MARID (2004) DKIM (2006-present)  Authentication to establish identity + authorization considered useful Provides base for reputation, whitelists, etc. Relief from false positives on messages from known, desirable senders  Strong opinions everywhere!

3. RUCUS - IETF 71 3 Legacy  Legacy makes change difficult Email has more legacy than VoIP But the PSTN has a lot more legacy than Email!  Capability for anonymity is essential But Anonymity  Spoofing Some spoofing is desired by users (“mail an article”)  Can the recipient trust the {caller’s, author’s} identity? Generally, no PSTN lacks display mechanisms for Caller ID trust, even if we could decide how to populate it Similarly, email UIs generally don’t display authentication

4. RUCUS - IETF 71 4 Comparing Email and Voice  Decision can include message content  Difficult to establish trust basis for large domains, especially free services  Real-time recipient input rarely available to aid decision- making  Fraud (phishing), malware delivery significant problems  “Horse has left the barn”: spam rampant  Decision must be made in real-time prior to connection  Difficult to establish accountability for PSTN addresses  Recipient may be available to provide input to call acceptance process  Voice fraud probably more insidious; malware TBD  Some spam, but generally under control, for now EmailVoice

5. RUCUS - IETF 71 5 Conclusions  Email experience shows that economics are ripe for floods of VoIP spam  VoIP spam is likely to be much more intrusive than email spam  A bit early to evaluate the benefit of email authentication on spam management But voice services can’t wait for the answer  Interworking between PSTN and VoIP likely to be very difficult