LawMeme, Yale Law School
Features: CEAS Spam Conference
Posted by Rebecca Bolin on Thursday, August 12 @ 15:30:56 EDT Spam
I went to the Conference on Email and Anti-Spam last week. After this great write-up I delayed my own, but I do have something to say about this great conference. Read on for my notes...

I agree that this conference was great fun. There was a wide array of e-mail professionals--my guess is only 5% lawyers--interested in what everyone else was doing. This conference was held at the Microsoft Mountain View Campus, and I agree that Microsoft really does know how to feed a conference. However, contrary to popular belief, the Hormel spam was only used as a centerpiece, not as actual nourishment. Microsoft's organization was amazing, the weather was great, and the talks were great. In fairness, there was so much going on that I missed a few talks or parts of talks, but I've done my best to summarize the talks more interesting to me, to give a taste of the diversity of knowledge and ideas at this conference. This should serve as a supplement to other write-ups, with more focus on law and policy.

My favorite parts of this conference were the seemingly obvious paper presented by Jonathan Oliver of MailFrontier, Anatomy of a Phishing E-Mail, and the lively panel on e-mail payment schemes, which brought life to the same old debate. I start with these:

Anatomy of a Phishing Email, Christine E. Drake, Jonathan J. Oliver, and Eugene J. Koontz

This brilliant presentation used MailFrontier data to present a barrage of chilling mails. Oliver showed fake domains, HTML tricks, IE tricks, format replication, and some tricks that drew audible gasps from the audience. The tricks I had never seen included a mini IE window that covers only the address bar: when you drag the IE window, it follows, masking your real location. Another trick brought up a legitimate site and then added an official-looking "log in" pop-up. These websites and mails were dead on. Oliver claimed they fooled the engineers at MailFrontier. Think you can handle it? Try the easy version of the Phishing IQ Test. I got 80%, but I took it before this fabulous talk. This speech was extremely frightening. It showed me the importance of filtering to keep these messages out, as well as the difficulty of doing so when all links are legitimate except one.
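The "all links legitimate except one" problem from the talk, as an added example that is not code from the presentation or from MailFrontier: a small checker that pulls every anchor out of an HTML mail and flags the one whose visible text names the brand's site while its href goes elsewhere, or whose destination domain is the odd one out. The sample message, the host names and the helper names are constructed for this example.

```python
"""Added example: spot the one deceptive link in an otherwise legitimate HTML mail."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): three links go to the brand's
# real site; the fourth shows the brand's URL as its text, but its href goes to
# a lookalike host that merely starts with the brand's name.  All hosts are made up.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer,</p>
<p>Read our <a href="https://www.example-bank.com/privacy">privacy policy</a>
and <a href="https://www.example-bank.com/help">help center</a>.</p>
<p>Please confirm your details at
<a href="http://www.example-bank.com.verify-account.example.net/login">https://www.example-bank.com/verify</a></p>
<p>Unsubscribe <a href="https://www.example-bank.com/unsub">here</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased host of a URL; a bare 'www.site.com/path' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude registrable-domain approximation: the last two DNS labels.
    (Fine for .com/.net/.org; a real filter would consult the public suffix list.)"""
    return ".".join(host.split(".")[-2:])


def looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))


def find_suspicious_links(html):
    """Return (href, visible text, reason) for every link a filter should distrust.

    Two checks from the talk's bag of tricks: the visible text names one site while
    the href goes to another, and a single link whose domain differs from the one
    every other link in the message uses."""
    links = extract_links(html)
    domains = [registrable(host_of(href)) for href, _ in links]
    # Treat the domain most links point at as the brand the mail claims to be from.
    majority = max(set(domains), key=domains.count) if domains else ""
    findings = []
    for (href, text), domain in zip(links, domains):
        shown = text.replace(" ", "")
        if looks_like_url(shown) and registrable(host_of(shown)) != domain:
            findings.append((href, text, "visible URL differs from real destination"))
        elif domain != majority:
            findings.append((href, text, "destination %s is not the message's majority domain %s"
                             % (domain, majority)))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", reason)
        print("   text:", text)
        print("   href:", href)
```

Run on the sample, only the "confirm your details" link is reported, with the reason that its visible URL differs from its real destination; the privacy, help and unsubscribe links pass because they all resolve to the same registrable domain. The text/href comparison is what catches the classic trick of showing the real site's URL as link text, and the majority-domain check catches the single foreign link that the rest of a perfectly replicated mail is there to disguise.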

Ironically, during this talk I received the PayPal class action notice, which I immediately called as phishing. This notice, which links to a dodgy-looking website, is actually real. This is no way to certify a class. It's like a mailing that says WIN $1,000,000! and then contains the Blockbuster class action notice inside. As news spreads that this mail is legitimate, I anticipate more "class action lawsuits" asking for data. I wonder whether the court even considered this awful outcome when it approved this kind of notice.

After this talk, John Levine made a great comment about external verification. He claims that educating consumers about a lock in the corner of their browsers is not enough, and that the FDIC could have an authorization process or symbol for financial information.

Panel: Payment Schemes for Email

This panel wasn't exactly surprising. Nothing really new was said, but it was good to see this group interact with each other. I think I left this panel with even more questions about the same set of proposals.

Philip Raymond, the CEO of Vanquish, answered a slew of filtering papers with the assertion that filtering will fail, authentication is repressive, and mail systems need some way to legitimize senders despite past bad behavior. He proposed a barrier to entry coupled with blacklists and bidding systems. This is a payment scheme, but with a quite elegant justification.

Cynthia Dwork, a cryptography expert from Microsoft Research, expanded on her proposal first published in 1992: unknown senders should have to expend effort to send mail. The cryptographic authentication must be automatic and cheap to check (to avoid DoS), and all unsolicited mail is treated equally.
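Dwork's effort requirement, as an added example rather than her 1992 construction or any Microsoft code: a hashcash-style stamp in which the sender searches for a counter that gives the stamp's SHA-256 hash a required number of leading zero bits, while the receiver checks the claim with a single hash. The stamp format, the field names, the difficulty parameter and the sample addresses are my assumptions for this example.

```python
"""Added example: a proof-of-effort mail stamp that is costly to mint, cheap to check."""
import hashlib
import os
import time


def digest_of(stamp):
    return hashlib.sha256(stamp.encode("ascii")).digest()


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def mint_stamp(recipient, bits, date=None, rand=None):
    """Sender side: find a counter so SHA-256 of the stamp has `bits` leading zero bits.

    Expected cost is about 2**bits hash evaluations.  Returns (stamp, attempts) so the
    caller can see what the effort actually was.  The stamp format is an assumption
    for this example: version:bits:date:recipient::random:counter."""
    date = date or time.strftime("%Y%m%d")
    rand = rand or os.urandom(8).hex()
    counter = 0
    while True:
        stamp = "1:%d:%s:%s::%s:%d" % (bits, date, recipient, rand, counter)
        if leading_zero_bits(digest_of(stamp)) >= bits:
            return stamp, counter + 1
        counter += 1


def verify_stamp(stamp, recipient, min_bits, today=None, seen=None):
    """Receiver side: a few string checks plus exactly one hash.

    `today` (YYYYMMDD) rejects stale stamps so precomputed ones expire; `seen` is a
    set of already-accepted stamps so one stamp cannot pay for many messages."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False, "malformed"
    _, bits, date, rcpt, _, _, _ = fields
    bits = int(bits)
    if rcpt != recipient:
        return False, "minted for a different recipient"
    if bits < min_bits:
        return False, "claims less work than we require"
    if today is not None and date != today:
        return False, "stale"
    if leading_zero_bits(digest_of(stamp)) < bits:
        return False, "hash does not meet the claimed difficulty"
    if seen is not None:
        if stamp in seen:
            return False, "already spent"
        seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    stamp, attempts = mint_stamp("alice@example.org", 16)
    print("minted after %d hashes: %s" % (attempts, stamp))
    print(verify_stamp(stamp, "alice@example.org", 16, seen=set()))
```

The asymmetry is the whole point of the proposal: minting runs on the order of 2**bits hashes, while verify_stamp computes exactly one, which is what keeps the checking side from becoming the DoS target. Binding the stamp to the recipient and the date, and remembering accepted stamps, is what stops one stamp from being minted once and spent against many mailboxes or replayed later. Nothing here charges a sender who burns cycles he does not own; that is the "stolen cycles" objection Clayton raised against the scheme.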

Ambika Gadre, the director of Product Marketing and Information Services at IronPort Systems (the producer of Bonded Sender), gave more of an overview of the Bonded Sender strategy than an analysis. A sender enrolls in the program and pledges a bond to the third party, Bonded Sender in this case. If there are too many complaints from users of receivers also in the program (I think it was 10 complaints per million sent), the third party gives the bonded money to an impartial charity. Gadre pointed out that this system uses the existing structure, but she had little to say about whether it was actually working. Later, under pressure, she pointed out that very few bonds had actually been cashed, showing the legitimacy of the senders, at least those involved in Bonded Sender.

Brian Wilson, the CTO of MailFrontier (producer of Matador), rejected attaching payments and showed his proof-of-effort solution. This challenge-response was to count puppies.

Richard Clayton of the University of Cambridge served as the all-purpose naysayer who had to criticize all these very different proposals in fifteen minutes. He did an astounding job, flying through bullet points of criticisms, which I'm sure were a subset of his longer list. His criticism of payment schemes attacked the scale of the project (1,200 million e-mails a day), noting that only the phone system had more traffic. Money is hard to translate, will be stolen, and will create a huge system of middlemen. He criticized payments in general: people could end up paying for nothing if a systems administrator stole the tokens or if the mail was blocked anyway. How much should I have to pay? Do I have to pay for stolen e-mail?

His attack on the cryptographic solution was the weakest, but he was under massive time constraints. He claimed that checking tokens is expensive and that it would be hard to orchestrate such a huge system using the existing architecture. He applied the same criticisms to challenge-response. A test like this could easily be overcome with stolen cycles. Challenge-response systems requiring humans could be outsourced cheaply, he claimed. During the comments, a Yahoo! representative told the same story of challenge-response puzzles being funneled to pornographic website logons.

I regretted that the speakers did not have more time to respond to Clayton.

Larry Lessig's Keynote

Lessig produced his signature spam proposal in his signature PowerPoint, in a form this mostly technical audience could appreciate. He pointed out that technology is needed in this fight but that law can help. His proposal is a strict labeling system coupled with bounties for those who find violators.

This speech was probably pretty interesting for those who hadn't just attended the ISIPP conference. Lessig's speech would have been a better fit for it, where all the problems of jurisdiction, intelligence, and collecting judgments would have cast doubt on any legal solution.

I was surprised that Lessig left out a critical detail. After blasting CAN-SPAM as ineffective, he left out that both of his proposals are actually in CAN-SPAM as proposals for the FTC to consider, like the SEXUALLY-EXPLICIT label already in effect. Both are in CAN-SPAM, Section 11. The FTC's bounty recommendation is due in September; the labeling one next June. When I told this to a conference attendee, he actually looked up CAN-SPAM online because he did not believe me. Perhaps Lessig could have pushed for comments on this FTC rulemaking, or at least mentioned it; instead it looked like the labels/bounties were not even contemplated by CAN-SPAM.

See my write-up of the ISIPP Conference here.

 
Leges humanae nascuntur, vivunt, moriuntur
Human laws are born, live, and die

Contributors retain copyright interests in all stories, comments and submissions.
The PHP-Nuke engine on which LawMeme runs is copyright by PHP-Nuke, and is freely available under the GNU GPL.
Everything else is copyright 2002-04 by the Information Society Project.

This material may be distributed only subject to the terms and conditions
set forth in the Open Publication License, v1.0 or later.
The latest version is currently available at http://www.opencontent.org/openpub/.
