ISACC Task Force on Spam. Assessment of Certification

Transcription

1 ISACC Task Force on Spam Assessment of Certification Industry Canada May 2005

2 Executive Summary has become one of the most important tools for Internet users both at home and at the office. It has also become an important tool for companies conducting their business. is fast, reliable and easy to use. The cost of sending an is very low. All of this has lead to s popularity increasing dramatically. With the increase in the number of accounts, businesses have realized that they can communicate with many of their clients through , which lowers the costs of this communication. The popularity, ease, and low cost of , have, unfortunately, fostered the growth of spam. certification is a tool that has the potential to prevent legitimate (i.e. solicited) commercial from being filtered out by spam filters. The end user of certification is anyone who sends solicited commercial (SCE) to a recipient. The sender may be ing a marketing product, a newsletter, or any other commercial that the recipient has asked to receive. The goal is to improve the deliverability of this . This document is intended to describe the principles and methodologies of certification. Further study is required to investigate whether certification is a viable option for controlling spam on a national and international level. The development of standards in this area should be led by the groups that have vested interests in combating spam. Some concerned parties, such as marketers or commercial ers, have a vested interest in having their SCE arrive in a recipient s . Other concerned parties, such as service providers, have an interest in reducing the amount of spam complaints from their clients and reducing spam s effect on their network infrastructure. Government s role is to monitor the development of anti-spam standards, in order to ensure that the public is well represented when standards are being developed by these interested parties. The Working Group on Validating Commercial believes that certification is worthy of further study as an evolving approach to improve the deliverability of legitimate . Further investigation is required into the potential costs of a certification regime. Canadian industry will have to further investigate the various methodologies to determine which, if any, would be most suitable. Coordination with international standards-development organizations would be beneficial in the international implementation of a certification regime. This document is divided into two sections: Commercial Certification Principles and Certification Methodologies. 2

3 Commercial Certification Principles Introduction This section is intended to describe the principles of certification. It puts forward a series of broad principles that should make up the framework of any certification methodology. Study is required to determine the related feasibility and implementation issues, including costs. Understanding the Problem Because of its volume and its sometimes offensive nature, spam, also known as unsolicited commercial (UCE), has become a major problem for both Internet users and companies that provide Internet services. UCE can be anything from annoying to destructive. For individual recipients, spam can be overwhelming and, depending on the sender s intent, deceptive, fraudulent, obscene, or illegal. For those companies involved in facilitating the sending, delivery and receipt of , the costs of handling enormous quantities of unwanted are potentially crippling. If left unchallenged, spam will also continue to undermine public confidence in the reliability and value of communications and the Internet. While for commercial purposes can be highly effective and cost-efficient, some organizations are concerned about the continued efficacy of the channel because of deliverability issues. The current volume of spam is creating direct or indirect extra costs for all players in the chain of Internet communications. For this reason, a certification regime may be one option worth exploring as a way of ensuring the unimpeded delivery of legitimate . Goal of Certification As a side effect of the large volume of spam, a significant amount of SCE is being filtered out by service providers spam filters. The goal of using certification is to improve the deliverability of legitimate . Certification will provide a way by which messages can be identified as legitimate. The spam filter would recognize SCE by a certification assertion, and allow it to pass through to its intended recipient. All other would be processed as it normally would by the service provider. In this way, sender-certified would bypass the spam filtering process and have a greater likelihood of being delivered. Certification is intended to increase the deliverability of legitimate . It should not block or impede legitimate -marketing communications; it should not unduly 3

4 increase direct or indirect costs for organizations or consumers; and it should be easy to adapt to the requirements of diverse organizations and individuals. International interoperability between certification assertions would be desirable. Note that these principles only deal with certification, not authentication. Authentication is currently being discussed within other international standards bodies, such as the Internet Engineering Task Force. Basic Principles The basic principles of a certification process are as follows: 1) A certified message should be distinguishable from a non-certified message, or a message should contain a certification assertion as proof of its certification. 2) A certification assertion should affirm the legitimacy of the message, i.e. that the sender has undergone the necessary process to substantiate the message. 3) The issuer of a certification assertion should be capable of validating that the assertion is in good standing. 4) A certification assertion should be secured against fraudulent use. 5) The certificate issuer should be able to revoke a certification assertion. 4

5 Certification Methodologies Introduction The purpose of this section is to describe some of the common certification methodologies that could enable an service provider to recognize SCE and pass it on to its intended recipient, bypassing the spam filter. The methodologies described are not exhaustive, but are commonly referenced. Since the intended audience of this document is both technical and non-technical, the methodologies will be described in general and non-technical terms. Unfortunately, some individuals and enterprises have gathered addresses without users permission. s sent to these addresses are, therefore, considered unsolicited. A process called harvesting automatically collects these addresses by scanning websites for addresses. Some enterprises then sell these lists of unsolicited addresses. Because of the low cost of sending an , it has become cost-effective for enterprises to buy these lists and send to these addresses. Since the addresses on the list have not been solicited, sent to them would be UCE, commonly known as spam. service providers have started to use spam filters to block that is deemed to be UCE. This has created the problem of some legitimate SCE also being filtered out. Note that some of the following certification methodologies dealing with this problem have applications that are commercially available, while others are only theoretical. Methodologies White Lists / Black Lists This is by far the most widely used system in the certification field, although not all white lists fall into the certification category. A white list is a list of senders who only send to recipients who have requested it, but several different variations of white lists exist. The basic premise behind white lists is quite simple. A list of known legitimate senders network addresses is maintained by an service provider. When a new arrives, the sender s network address is compared to the list. If there is a match, then the is deemed legitimate. The is then rerouted to bypass the spam filter and is passed on to the intended recipient. If the check fails, then the is sent to the spam filter for further analysis. The filter then makes a determination as to the status of the , which is either rejected as spam, or accepted as legitimate and passed on to the recipient. A black list is made up of senders that are known to send UCE. Generally, from senders on these lists is blocked or rejected by the recipient s service provider. The black list is the opposite of the white list, in that it records illegitimate 5

6 senders. Known network addresses of computers that send spam are put on a black list, and sent from these addresses is usually blocked. There are several variations on these methods, including reputation systems. Reputation Systems A reputation system is a rating of a sender s ing practices. The details of what specifications are included in a reputation system depend on the particular company implementing the system. Normal rated attributes could include a history of reported UCE over a period of time, best practices implemented by the sender, and the certification or authentication practices they use. service providers maintain reputation lists made up of valid network addresses from which they have previously received s. When an service provider receives s from a new sender, it creates a reputation profile. If the service provider doesn t receive many complaints of UCE, then the sender s reputation improves and its network address is put on the white list. If complaints are received that the incoming s from the sender are spam, then the sender s reputation deteriorates. When its reputation drops below a certain level, a sender is deemed to be sending excessive amounts of UCE and is placed on the black list. Product Examples Habeas Habeas offers a white list-certification service. The certification process generally involves researching senders to ensure that they are not known to send spam, and verifying that senders are legitimate. Habeas then certifies that originating from the particular sender is not spam, and adds the sender s network address to its white list. The white list is then distributed to service providers. The sender can then add a Habeas Warrant Mark to the header of its . When an contains this Warrant Mark, the sender is warranting that this is a Habeascompliant message. The Warrant Mark also contains a haiku (poem) that is copyrighted by Habeas. As a result, if a sender puts a Habeas Warrant Mark into an that is not Habeas-compliant, then they will be subject to both copyright and trademark violations. When service providers receive an , the sender s network address is compared to the white list; if it matches, then it bypasses the spam filters and is delivered directly to its recipient. Users who believe they have received UCE can complain to their service providers, which will forward the complaint to Habeas. Bonded Sender Program Another variation on the white list involves senders putting up financial bonds ensuring the they are sending is legitimate. For the purposes of this document, a bond is defined as a sum of money used to protect against a claim. The bond would be held by the certification company, and the sender s network address would be added to 6

7 the certification company s white list. This white list would be made available to service providers. IronPort s Bonded Sender Program uses this method. In order to be accepted into the Bonded Sender Program, a sender undergoes an audit and is verified. Recipients who believe the they have received is UCE can submit a complaint to their service provider. The provider forwards the complaint to the Bonded Sender Program. If the Bonded Sender Program receives a significant number of complaints about a sender s UCE, money is deducted from that sender s bond. The sender would also be notified that those recipients don t want to receive messages from the sender. The threshold for the number of complaints before deduction, and the reduction amount of the bond, are set out in the bond contract between the sender and the certification company. After a certain length of time, the bond is returned, less any penalties. Cloudmark Cloudmark uses a rating system feedback method that allows users to identify spam. When enough users complain about a particular message, Cloudmark filters the as spam for all users. When Cloudmark receives an , the likelihood of the message being spam is determined, and the is given a rating. The higher a message s rating, the more likely it is spam. Cloudmark also rates its users based on how accurate they are in identifying spam (versus identifying they simply don t want as spam). When a user with a higher rating identifies an as spam, more emphasis is placed on the spam report. Solicited commercial ers can register with Cloudmark to ensure delivery of their legitimate commercial . The method is based on both a white list and the Cloudmark rating system. ers can also use Cloudmark to find out how Cloudmark recipients view their . When SCE is sent, the sender can add Cloudmark to its recipients list. Cloudmark will then track, and provide statistics on, how the rating system rates the , how many users identified the as spam and the number of inboxes to which the message was delivered. This provides useful feedback for the sender. The reputation generated by the Cloudmark rating system can also be used to validate the Sender ID authentication system. Institute for Spam and Internet Public Policy The Institute for Spam and Internet Public Policy (ISIPP) maintains the ISIPP Accreditation Database (IADB). The IADB is a list of senders network addresses. The list has two types of senders listings: vouched and nonvouched. The vouched listing contains the network addresses of senders who are personally known to ISIPP and are known to have sound practices, while nonvouched listings are based on reference checks of the senders. ISIPP recommends that the IADB be used in conjunction with an authentication system to help its users make informed decisions about the validity of . 7

8 Senders participating in the IADB must abide by a strict set of rules governing their practices in order to be accepted into the program. The IADB contains a code that describes the sender s attributes, such as what antispam programs they subscribe to (e.g. Bonded Sender Program, Habeas, etc.), whether they are ISIPP-vouched, whether they use sender policy framework or Sender ID, and other anti-spam information. E-Postage Stamps The premise behind e-postage stamps is that if a sender believed a recipient would value an , then the sender would be willing to pay to send it. A sender would probably not be willing to pay for a postage stamp for ing UCE, so this spam would be eliminated from the recipient s mailbox. A sender would purchase electronic stamps and attach them to outbound s. The recipient s application would only accept messages with a stamp attached. A recipient could create a list of known senders from whom they would accept without stamps attached. s not read before a certain length of time would be returned to the sender who would be returned the value of the stamp. Stamps would have to be issued by a recognized financial institution. Stamps inserted into s would have to be secured against fraudulent use. Variations on the e-postage concept include having recipients only accept messages from a sender when the stamp is greater than a certain monetary value. The e-postage method is generally thought of as impractical, and would be extremely cost-prohibitive to roll out. Concerns surrounding this method include those about who would issue the certificate and who would receive the payments. Some proposed methods would have the recipients receiving the payments. This particular method would pose several problems, in that users could subscribe to SCE just to receive stamps. The cost of the infrastructure required to issue, maintain and verify these stamps would be prohibitive in just one country. When international borders are taken into consideration, different currencies would become an issue, and the cost of collecting and verifying stamps would increase. Computational Stamps The concept behind computational stamps is that computer, or CPU, time costs money. Computational stamps are based on the premise that a user would be willing to have their personal computer run through a certain amount of complex computations before sending an message. Since computing time costs money, anyone sending spam would have to pay more, through increased computation time, to send an . 8

9 A certification assertion would be placed in the to show what computations had been performed. The computations would have to be verifiable by the recipient. The amount of CPU time spent by a regular user receiving a nominal number of s would be minimal. A sender that s thousands of UCEs, however, would have to spend a great amount of resources to compute the stamp for each . The computational-stamp method has several flaws, however the first being that the computational abilities of computers are increasing quickly; what takes four seconds to compute today might only take one second next year. Senders of UCE could just buy more powerful computers to run the calculations faster. Second, computational stamps would also put senders of SCE at a disadvantage, by raising their costs along with the spammers. Conclusion The list of methodologies mentioned in this section has been for discussion purposes only. More study would be necessary to further analyze the existing products to determine whether they fully meet the requirements of an anti-spam certification program. References AOL, Bonded Sender Program, IronPort, Peter G. Capek, Barry Leiba and Mark N. Wegman, IBM Thomas J. Watson Research Center; and Scott E. Fahlman, Computer Science Department, Carnegie Mellon University, Charity Seals, Antispam Project, Cloudmark, Habeas, Hashcash, Institute for Spam and Internet Public Policy, John Levine, Taughannock Networks, An Overview of E-Postage, June 2003 (Updated February 2004), Microsoft Corporation, 9

10 François-René Rideau, Stamps vs. Spam: Postage as a method to eliminate Unsolicited Commercial , 10