Freeing the Internet from Spam: Opt-In, Filtering and Other Approaches

2003 L-Soft Sweden AB

Freeing the Internet from Spam: Opt-In, Filtering and Other Approaches

Eric Thomas, CEO

L-Soft Sweden ABwww.lsoft.se

IP-dagarna

19 November 2003, Stockholm


Overview

History in short

Today

How do we clean spam from the

Internet?

Q&A


The world’s first spam?Date: Tue, 28 Jun 88 12:08:00 SETFrom: xxxxxxTo: Eric Thomas - LISTSERV - <ERIC@CEARN>, (...)

This mail is sent you by a group of researchers of the Italian National Council (C.N.R.), working at the CNUCE Institute, in order to wake up the sensitivity of people working in the scientific institutions about the extremely serious problem of the pollution in the world.

As you certainly know, the hole in the ozone, the "hot-house effect", the acid rains and the toxic waste are disasters provoked by man by using the Nature as a "never-ending" resource. Everybody can verify other effects of the pollution, in the cities, in the seas, in the rivers, etc.

We think that the scientific community must create an opinion movement able to force some decisions at political level. We think we are still in time to do something to save Nature with the help of everybody. (...)


The world’s first spam? Date: 28 of June 1988 Sent to 138 network engineers + an

email list with 50 more recipients The purpose was to “save the world” No relevancy for the recipients The sender was a female scientist in

ItalyIs spam an European invention?


History in short 1988: The world’s first spam in Italy? 1994: “Green Card Lawyers” and “Make

Money Fast” 1995: 2 million email addresses for sale;

first spam filter for email 1997: 80 million email addresses for sale 2000: Nigerian scam 2001: 210 million email addresses for sale Old problem; the spammers get better and

more sophisticated every year


Today – hard facts Enormous amounts: 50 percent of

email traffic is spam Enormous costs: € 2.5 billion in

Europe, $ 9 billion in the US (2002) Increasing like an avalanche The trust for email and the

Internet is being hollowed outEnough is enough!


Trends

Source: eMarketer Daily, Issue 206, 2003


The challenge Without filtering we are drowning

in spam With filtering we risk missing

important messages Opt-in rules are new and only

apply within the EU (so far) The spammers move “off-shore”


What to do?The recipe for a cure has 4

ingredients:1. Legislation2. Education3. Technical solutions4. International cooperation


DN, Right or Wrong?

Källa: DN.se, 04.11 2003


IDG, Web Question:

Källa: IDG.se, 29.10 2003

“What is Your Opinion?”


Legislation EU: the world’s first opt-in zone

since 31 October 2003 US: “Can Spam Bill” & opt-out Japan: opt-in has given effect Australia: opt-in next step Will US be alone with opt-out?

"Combating spam has become a matter for us all and has become one of the most significant issues facing the Internet today. It is a fight over many fronts. The EU, Member States, industry and consumers all have a role to play in the fight against spam both at the national and international level. We must act before users of e-mails or SMS stop using the Internet or mobile services, or refrain from using it to the extent that they otherwise would.”

Erkki LiikanenEuropean Commissioner for Enterprise and the Information Society


Directive 2002/58/EG (12 of July 2002)

Article 13: Non-requested communication

”The use of [...] electronical mail for direct marketing may only be allowed if the subscriber in advance has given

his or her consent.”


The EU directive, article 13 – three demands1. Opt-in i.e. consent. Exceptions:

• Legal persons (B2B)• Existing customers when companies market

equivalent products

2. Legible sender and sender address3. It should be easy and free of charge to

unsubscribe from future mailings Applicable since last day in October,

2003 in all states within the EU. Sweden is delayed!


“Can Spam” Allows opt-out Forming a “Do-Not-E-mail registry” –

dangerous!The spammers will:1. Follow the law and respect the “Do-

Not-Email registry”2. Campaign for governor of California3. Spam the “Do-Not-Email registry” and

thank you for the free email addresses


A good root password?

gbush


An uncrackable email address?

[email protected]


Scale of penalty for spamming Japan:

• Up to two years in prison• Up to $25,000 for private persons, up

to$3,500,000 for companies

US: varies heavily but often very tough


Scale of penalty for spamming Italy:

• Six months to three years in prison• Up to € 90,000

Sweden: not decided• Probably no prison penalty• Lost time has to be compensated• Is the penalty cheaper than buying a stamp?

1 000 affected employees × 2 sec =33 minutes in total =

250 SEK


Education A very important part of the work where

everyone can help/contribute:• Consumer: never buy anything if you don’t

recognize the sender• Company: opt-in is the only praxis that will

not hurt your reputation and trademark

Unexpected need for education in SwedenThis is our common responsibility!


Technical solutions The challenge: Almost no “false

positives” can be tolerated (1 in 10,000?)

Today: approx. 90 percent of the spam can be filtered without risk

If we succeed filtering too much the spammers will fine tune their routines


Bad technical solutions Simple filters searching for 18,

weight, FREE etc. “ADV:” Block port 25 for all clients “Challenge-Response” Black lists (too much chaos today) “Make mail cost” proposals


Two interesting techniques Signature identification

• Reliable techniques – like antivirus• Extremely low “false positive”

Bayesian filters• Very effective• Self-learning• Very complex – totally unintelligible

to “regular” users


Bayesian filters Works best on individual level Subtle and hard to understand:

• Kalle knows Spanish but normally he just uses Swedish and English at work

• All Spanish emails are in reality spam• When a client writes in Spanish the

filter has learned that “everything written in Spanish is spam” and therefore it deletes the message!


Future vision It will get worse before it gets better:

• The laws congregate towards opt-in, with the exception of US and their strong lobbies

• US stands for >90 percent of the spam; they talk a lot about spam but in reality they have other priorities

• Almost everyone gets protection against spam, both in central mail servers and in the email client (Bayesian filter?)

• Engineers waste more time on spam, without success


Future vision At some point US will go from

words to action In the long run they will have to go

with opt-in; the EU may play an important role

Spam remains but is being limited, as chain letters were in the 1980’s


For more information About opt-in within the EU:http://www.lsoft.se/news/optin2003-eu.asp

Click on “L-Soft’s comments” to download the white paper

About “Can-Spam Act”:

http://www.lsoft.se/news/optin2003-us.asp

http://www.lsoft.se/news/optin2003-eu.asp










Freeing the Internet from Spam: Opt-In, Filtering and Other Approaches

Documents

Transcript of Freeing the Internet from Spam: Opt-In, Filtering and Other Approaches