Leading researchers into spam e-mail, along with some of
its victims, gathered at the second annual Massachusetts Institute
of Technology spam conference last week.
This year's spam conference focused mainly on a spectrum of
spam-fighting tools, from the use of authentication to verify
e-mail senders, to lawsuits that target individual spammers.
Bayesian filters, which identify spam by assigning statistical
probabilities to message content, were again a focus of discussion
at the conference. The filters have made it much harder for
spammers to get messages through to users, but they have not
stemmed the tide of spam.
Despite the wide use of spam filters, 70% of the e-mail messages
received by Microsoft's Hotmail web-based e-mail service are spam
messages, according to Geoff Hulten, a spam researcher for
Microsoft.
"The Bayesian solution is useful, but it just sweeps the spam
problem under the rug. The spam is still there clogging up your
system," said Keith Ivey of Smokescreen Consulting.
Researchers discussed ways to improve the performance and
accuracy of Bayesian filters, such as deploying them on servers
rather than on e-mail clients.
However, just as much discussion was given to other techniques
that could be used in conjunction with filters, or in place of
them.
John Praed of the Internet Law Group said that spam filter
writers needed to work with law enforcement agencies to help build
cases and bring legal action against spammers.
E-mail providers and law enforcement must also be more savvy
about using existing laws to stop activities that support spammers,
such as e-mail harvesting from web pages, said Matthew Prince,
co-founder of UnSpam.
E-mail providers can include language on web pages that makes
address harvesting and other activities illegal. Such
technologically simple steps would help cast spammer
activities such as address harvesting in terms that courts
understand, such as "breach of contract", he said.
Providers could even use provisions of the Digital Millennium
Copyright Act (DMCA) to go after spammers by declaring e-mail
addresses trade secrets, Prince suggested.
More than one speaker touched on the need to better secure
e-mail exchanges, making it harder for spammers to use faked (or
"spoofed") e-mail addresses to circumvent antispam technology.
Representatives from Yahoo were also in attendance to talk about
that company's support for user authentication to fight spam.
"If you know with certainty who the sender is, you know for
certain whether the message is spam," said Laura Yecies, senior
director of mail products at Yahoo.
Yahoo is championing the use of so-called "domain keys", which
use public key encryption technology at the domain level to verify
the sender of e-mail messages.
Using domain keys, internet service providers (ISPs) can allow
authenticated e-mail messages to bypass spam filters, freeing up
resources to interrogate unauthenticated messages, she said. Unlike
similar services offered by certificate authorities such as
VeriSign, domain key technology would be offered for free and
available to even small online businesses.
However, there must be widespread adoption of the domain keys
model in order for it to be effective in stopping spam. Yahoo is
working on a proposal to implement an authentication system in
conjunction with the top six ISPs, she said.
Despite the wealth of legal and technological tools at the
disposal of spam fighters, including a new federal antispam law in
the US, most at the 2004 spam conference agreed that it was
unlikely spam would be wiped out anytime soon.
Paul Roberts writes for IDG News Service