Brad Shimmin here, reporting to you live (literally via a handy Wi-Fi connection) from the Next Generation Networks Conference in Boston, Mass. I plan on attending a number of sessions over the next two days, taking notes as I go and sharing those here. I hope you find them useful.
First up is "Anti-Spam: Analyzing the Alternatives," which sounded like it would yield a good mix of approaches to squashing spam, pairing the CEO of anti-spam vendor Barracuda (which won our recent review) with a scientist from VeriSign and the CypherTrust CTO. Dave Piscitello moderated this panel. He's the technology evangelist with MediaLive International, although the materials from the show have him down as a telecommunications evangelist.
Dean Drako, president of Barracuda Networks, gave a very, very short presentation that focused on the Rate Limit Approach to spam, naming the following pros and cons:
- Defends against DoS/DHA attacks, zombies/open proxies
- Makes high-volume spamming a lot more difficult
- Primarily effective against "attacks"
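To make the rate-limit approach concrete, here is an added example (my own illustration, not Barracuda's code) of a sliding-window limiter keyed by connecting IP. The thresholds, the log format and the sample traffic are all assumptions constructed for the example: a normal sender passes untouched, a burst of recipients that the local directory does not know is treated as a directory-harvest (DHA) pattern, and a zombie blasting known recipients is throttled once it exceeds the per-minute budget. It also shows the caveat from the slide: a slow, low-volume spammer never trips it.

```python
"""Sliding-window rate limiting of SMTP RCPT TO attempts, keyed by client IP.

Added illustration of the "rate limit" approach; not vendor code. The
thresholds, the log format and SAMPLE_TRAFFIC are assumptions made up here.
"""
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60        # assumption: judge each client on its last minute of activity
MAX_RCPT_PER_WINDOW = 30   # assumption: more than 30 recipients/minute looks like a zombie
MAX_UNKNOWN_RCPT = 5       # assumption: more than 5 rejected recipients/minute looks like a DHA


class SmtpRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, max_rcpt=MAX_RCPT_PER_WINDOW,
                 max_unknown=MAX_UNKNOWN_RCPT):
        self.window = window
        self.max_rcpt = max_rcpt
        self.max_unknown = max_unknown
        self._rcpt = defaultdict(deque)     # ip -> timestamps of every RCPT TO
        self._unknown = defaultdict(deque)  # ip -> timestamps of RCPT TO for unknown users

    @staticmethod
    def _expire(queue, now, window):
        """Drop events that fell out of the window (queues are in time order)."""
        while queue and now - queue[0] > window:
            queue.popleft()

    def check(self, ip, now, known_recipient):
        """Verdict for one RCPT TO from `ip` at time `now` (seconds)."""
        rcpt_q, unknown_q = self._rcpt[ip], self._unknown[ip]
        self._expire(rcpt_q, now, self.window)
        self._expire(unknown_q, now, self.window)
        rcpt_q.append(now)
        if not known_recipient:
            unknown_q.append(now)
        # A DHA probes many non-existent addresses; check that signal first
        # so the reason in the tempfail names the pattern actually seen.
        if len(unknown_q) > self.max_unknown:
            return "tempfail: directory-harvest pattern"
        if len(rcpt_q) > self.max_rcpt:
            return "tempfail: rate limit"
        return "accept"


# Constructed sample traffic (not real logs): "<seconds> <client ip> <recipient> <known|unknown>"
SAMPLE_TRAFFIC = "\n".join(
    ["0 192.0.2.10 alice@example.net known",           # ordinary correspondent
     "20 192.0.2.10 bob@example.net known",
     "45 192.0.2.10 alice@example.net known"]
    + [f"{i} 203.0.113.7 user{i}@example.net unknown" for i in range(40)]     # DHA probe
    + [f"{i} 198.51.100.5 alice@example.net known" for i in range(40)]        # zombie burst
    + [f"{i * 600} 198.51.100.9 alice@example.net known" for i in range(10)]  # slow spammer
)


def simulate(traffic_text, limiter=None):
    """Feed log lines through the limiter; return verdict counts per client IP."""
    limiter = limiter or SmtpRateLimiter()
    verdicts = defaultdict(Counter)
    for line in traffic_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _rcpt, status = line.split()
        verdicts[ip][limiter.check(ip, float(ts), status == "known")] += 1
    return {ip: dict(counts) for ip, counts in verdicts.items()}


if __name__ == "__main__":
    for ip, counts in simulate(SAMPLE_TRAFFIC).items():
        print(ip, counts)
```

The slow sender (one message every ten minutes) is accepted every time, which is exactly why the slide calls the technique "primarily effective against attacks": it blunts floods and harvesting, not a patient spammer who stays under the per-window budget.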
He then went on to discuss spam statistics, which were pretty self-evident. Next...
Dr. Paul Judge, CTO of CypherTrust, talked about spam epidemiology, which certainly sounded highbrow if nothing else.
According to Dr. Judge, there are a number of motivations for spamming: Fun, Challenge, Prestige, Profit. The guys going for profit focused upon very specific attacks and techniques, while the "script kiddies" out there tried their hands at a broad spectrum, including port scans, DoS attacks, viruses, phishing, etc.
Primarily, though, most people send spam to make money. What makes e-mail attractive to us also makes it attractive to spammers. Both have products and potential customers. Sending an e-mail message costs 0.0005 cents per message, so they can live with a response rate of one person in 1,000 and still make money. This is supposedly the business model, in mathematical form, used by spammers.
Anyway, for Dr. Judge, the solution is easy. How do you make it go away? You make it no longer profitable. And you create deterrents strong enough to make this business model no longer viable.
I found the following stat very interesting (OK, terrifying).
Spam attacks have a response rate of way less than one percent. But phishing attacks have a response rate that's about 3.5 percent. That's what happens when you gain someone's trust.
Lastly, here's Dr. Judge's 30,000-foot view of how anti-spam techniques have evolved:
1. First we simply dropped suspect messages
2. Then we realized that false positives were bad, so we quarantined messages
3. Now we're recognizing that we can and perhaps should actively respond to suspect messages, working against the spammers where possible.
Dr. Phillip Hallam-Baker, principal scientist at VeriSign, talked about authentication and accreditation--not surprising for a VeriSign employee.
For Phillip, the problem stems from a lack of accountability, which we'd lost when the Net was a small, academic network. So instead of focusing on the bad guys, let's focus on the good guys. "How can I prove that you should read my e-mail?"
He's created the Aspen Framework. Today, we are mistakenly demanding accountability through blacklists, but they're not exercising accountability themselves. The first thing to do is to authenticate the sender, to prove you are who you say you are. This is pretty easy for individuals, but where large organizations are concerned (as in phishing attacks), the problem is more complex. For that we need a much more robust authentication system.
There are two approaches at VeriSign.
For users: Sender-ID (which will soon be renamed), also known as SPF. This uses DNS records to publish IP addresses of legitimate e-mail originators.
For anti-phishing: Cryptography and digital signatures. So you want to directly authenticate the e-mail source. But then we need accreditation on top of this, so that we can be sure there's an actual business on the other end of the line; it's knowing something about the sender that makes you trust the sender.
VeriSign's approach to identity today stems from its Verified Domain List (VDL), which is a list of legitimate SSL certificate holders that the company makes available for free to anti-spam vendors. VeriSign will let private individuals hook up with this in the future.