MIT pushes for more spam-fighting tools

Leading researchers into spam e-mail, along with some of its victims, gathered at the second annual Massachusetts Institute of...

Leading researchers into spam e-mail, along with some of its victims, gathered at the second annual Massachusetts Institute of Technology spam conference last week.

This year's spam conference focused mainly on a spectrum of spam-fighting tools, from the use of authentication to verify e-mail senders, to lawsuits that target individual spammers.

Bayesian filters, which identify spam by assigning statistical probabilities to message content, were again a focus of discussion at the conference. The filters have made it much harder for spammers to get messages through to users, but they have not stemmed the tide of spam.

Despite the wide use of spam filters, 70% of the e-mail messages received by Microsoft's Hotmail web-based e-mail service are spam messages, according to Geoff Hulten, a spam researcher for Microsoft.

"The Bayesian solution is useful, but it just sweeps the spam problem under the rug. The spam is still there clogging up your system," said Keith Ivey of Smokescreen Consulting.

Researchers discussed ways to improve the performance and accuracy of Bayesian filters, such as deploying them on servers rather than on e-mail clients.

However, just as much discussion was given to other techniques that could be used in conjunction with filters, or in place of them.

John Praed of the Internet Law Group said that spam filter writers needed to work with law enforcement agencies to help build cases and bring legal action against spammers.

E-mail providers and law enforcement must also be more savvy about using existing laws to stop activities that support spammers, such as e-mail harvesting from web pages, said Matthew Prince, co-founder of UnSpam.

E-mail providers can include language on web pages that makes address harvesting and other activities illegal. Such technologically simple steps would help cast spammer activities such as address harvesting in terms that courts understand, such as "breach of contract", he said.

Providers could even use provisions of the Digital Millennium Copyright Act (DMCA) to go after spammers by declaring e-mail addresses trade secrets, Prince suggested.

More than one speaker touched on the need to better secure e-mail exchanges, making it harder for spammers to use faked (or "spoofed") e-mail addresses to circumvent antispam technology.

Representatives from Yahoo were also in attendance to talk about that company's support for user authentication to fight spam.

"If you know with certainty who the sender is, you know for certain whether the message is spam," said Laura Yecies, senior director of mail products at Yahoo.

Yahoo is championing the use of so-called "domain keys", which use public key encryption technology at the domain level to verify the sender of e-mail messages.

Using domain keys, internet service providers (ISPs) can allow authenticated e-mail messages to bypass spam filters, freeing up resources to interrogate unauthenticated messages, she said. Unlike similar services offered by certificate authorities such as VeriSign, domain key technology would be offered for free and available to even small online businesses.

However, there must be widespread adoption of the domain keys model in order for it to be effective in stopping spam. Yahoo is working on a proposal to implement an authentication system in conjunction with the top six ISPs, she said.

Despite the wealth of legal and technological tools at the disposal of spam fighters, including a new federal antispam law in the US, most at the 2004 spam conference agreed that it was unlikely spam would be wiped out anytime soon.

Paul Roberts writes for IDG News Service

Read more on IT innovation, research and development