Yesterday I attended the spam workshop at NIST in DC area. Overall, I had a wonderful time and I would like to highlight some of the more interesting things I heard.
DISCLAIMER: all of this is my personal opinion and does not imply any official position on behalf on my employer, SolidMatrix Technologies, or on behalf of any organizations that I am affiliated with: the Anti-Spam Research Group, IRTF or IETF.
The workshop consisted of four panels: legal, ISP, vendors and R&D. The first panel had representatives from the Federal Trade Commission (FTC), Dept of Justice (DOJ) and Dept of Commerce (DOC) representatives, as well as someone from the CDT. The impression that was provided is that law enforcement authorities are looking into the problem very closely and are going to be pursuing spammers. Among the good things I heard was the increased interest from the DOJ and US Attorneys to prosecute spammers based on criminal provisions of the CAN-SPAM act and better cooperation among international law enforcement. However, there was no word on whether sufficient funding has been provided by Congress for law enforcement activities, and this is a problem especially with the FTC where the prosecutors have no political gain (unlike the US Attorneys). I have also heard through back channels, that no additional funding was provided at all which is not a good thing. There was some discussion about how ISPs can help the DOJ with providing tracking data and I was also not happy with lack of sufficient discussion on privacy implications even though the CDT folks did mention something. The DOJ representative went as far as saying that they cannot ask the private sector for the data but implied that the data would be welcome. The DOJ/FTC folks were also asked about their “wish list” and ability to track down the originating computer was one of the things on the list. While the gap between the computer itself and the actual person that sent the message was mentioned, how such gap is addressed was not mentioned. In the international cooperation arena I liked the fact that LEA in other countries are cooperating better in regards to spam prosecutions. What I did not like is the fact that some of the other countries have lower burden of proof and it was implied that sometimes the US LAE pass on data to be used with that lower legal standard.
The second panel was the ISPs: Yahoo and AOL. This presentation was really good - among the things mentoned was DomainKeys, LMAP proposals (RMX, DMP, SPF, et al.). What I really like about this is the fact that AOL tries to notify ISPs of blocks, and they also automatically retest open relays every 24 hours. I also liked Yahoo’s presentation in regards to the fact that a lot of their anti-spam efforts are based on the feedback from the user via “this is spam” button (AOL mentioned something similar as well). This went really well with the presentation from Richard Segal of IBM Research in the last panel in regards to communications standards between the MTA-based filters and the MUA, specifically for things like “this is spam” buttons.
The third panel was vendors which I really did not like. Many of the vendors seemed to be more eager towards selling their own products, rather then answer more questions to the point where specific vendors were pointing out advantages of their own products over others. The two things that I did like from this panel was the presentation by Verisign asking for more accountability in email and Tumbleweed’s presentation which highlighted the need for outbound and internal spam/problematic email handling, aside from inbound spam. What I did find missing in Verisign’s presentation is the question of how human issues of accreditation and reputation will be addressed - such as how do we make sure that reputation services do not abuse their position like blacklists do today, how such services can reveal more information about their operations without the fear of getting sued, how does the entry barrier for small sites into the Internet community is not raised, etc. However, the overall impression is that accountability is needed which I liked. Tumbleweed’s presentation on the need for outbound and internal email handling brought across an important point of being accountable for your own organization’s email infrastructure in addition to the incoming stuff.
The fourth panel on which I was, discussed R&D. Dean Richardson from the Open Group discussed the general issues of handling spam. I covered the current status of the ASRG including some of the LMAP proposals, and also the need for addressing other non-technical issues such as accountability of ISPs and better communications among ISPs. Patrik Faelstrom from the IAB discussed the need to agree on which communications paths in SMTP are bad and which are good. What I really liked is the presentation from the two IBM research folks: one on filtering/MUA communications and anti-spam standards, and the second on do-not-email lists. It was really important to hear, especially for myself, what role standards play in the anti-spam world and how speed of standardization can be improved. The MUA/filtering communications sounded good especially in light of Yahoo’s earlier presentation. In particular, what was discussed is the ability of the MTA-based filter and the MUA to communicate information between the end-user and the filter, especially for things like “this is spam” button. The second presentation about do-not-email registries, addressed internal organizational opt-out lists and dealing with customers. What I really found very interesting is the ability to encode a specific law or policy in a XML representation and then deploy that policy across the entire organization. I also found very useful the ability to generate a per-email-address report about what exactly that email address was used for.
The ending of the conference was a short 5-minute talks by two NIST division heads, thanking us for coming and also mentioning their budget problems. Unfortunatly, both NIST and the FTC can do so much more if only enough money were available from Congress. But the overall informational content of the conference was very high and I found it to be very good, and worth travelling for.