Mike Lambert introduced the meeting and presented the results of The
Open Group Spam Survey, carried out to establish a baseline for decisions on future
work. The major findings were:
- Spam is a major problem to most organizations.
- Most organizations believe that managing Spam is their responsibility, but want ISPs
to do more.
- False positives are a concern to most organizations.
- There is little expectation that legislation will have a significant impact.
- Reliable authentication of the sender or sending organization of email is the
highest priority capability.
- The ability to segment email by content type is also seen as important.
Dale Johnson, from Johnson Consulting, acted as moderator for the remainder of
the meeting.
In a presentation that bridged the earlier session on S/MIME Gateway Certification and
the topic of managing Spam, John Thielens, of Tumbleweed, addressed Key Distribution
in DNS, describing a proposal that is currently under consideration by the IETF MARID
working group. This stimulated a lengthy discussion about the role of domain signatures
later in the meeting.
Dean Richardson from MessageGate described the range of techniques currently
being used in products to assess whether an incoming message is likely to be Spam and
announced an initiative to work on mechanisms for real-time abuse reporting between ISPs
(to be done in collaboration with the IRTF).
In a presentation entitled "The value of RBLs/Client SMTP Validation", Doug Otis
from MAPS described the evolution of Real-Time Block Lists and introduced the Client SMTP
Validation (CSV) and Bounce Address Tag Validation proposals, which have been submitted to
the IETF MARID working group.
John Leslie from John Leslie Consulting provided more technical detail about
the benefits of Client Server Validation and how it would work.
Nathaniel Borenstein, from IBM/Lotus, opened the second day of the meeting with
a provocative keynote entitled "So Many Good Ideas. So Little Co-operation."
Describing the broad range of measures under consideration, his key message was that
there is no simple solution to Spam; addressing Spam will require a long-term commitment,
a willingness to co-operate, and agreement on standards.
Craig Spiezle, from Microsoft, in a presentation entitled "Canning Spam, the Good,
the Bad, and the Ugly", outlined the work of the Safety Technology and Strategy Group in
Microsoft in addressing Spam. He discussed the 3Ps of Spam control: Proof, Prevention,
and Protection, and briefly introduced the concept of Sender-ID. He identified some of
the groups that Microsoft is working with, including the Anti-Spam Technology Alliance
(ASTA).
There then followed a number of short presentations describing the work of other groups
in addressing Spam:
- Ken Beer, from Tumbleweed, spoke about the Anti-Phishing
Working Group, an industry association focused on the elimination of identity theft
and fraud arising from email spoofing.
- John Levine, from Taughannock Networks, and chair of the IRTF/ASWG described the
IRTF's Anti-Spam Working Group. In the presentation he called for more experimentation
to test the likely effectiveness of proposals such as CSV and Sender-ID and identified a
potential joint activity with The Open Group to "help stamp out broken mail software".
The active sub-groups of ASRG are addressing:
  - Abuse reporting
  - Filtering standards
  - Best current practices
  - Identity, Authentication, Reputation (IAR)
- Peter Soltez, from PAS-COM, in a presentation entitled "Managing Spam and Related
Policies", introduced a position paper on Spam produced by the IEEE-USA Committee on
Communications and Information Policy. His conclusions were:
  - The cocktail solution appears to be the most effective in fighting Spam.
  - Start in the USA and then work with international groups and individual countries to
  aid in reducing Spam.
  - Set up legislation to allow monetary damages and disconnection of domestic and
  international spammers and their cohorts.
  - Define new standards for email on the Internet.
  - Work on newer and better email clients that enforce a standard for opt-out,
  keys, verification, and other required formats.
Des Cahill from Habeas talked about "The Role of eMail Reputational Services",
building on the experience of Habeas in introducing such a service. In closing, he
declared a willingness to talk to others about the right solution and summarized his
presentation:
- Email reputation services are necessary.
- War on Spam is a cold war.
- Authentication standards are not enough.
- The right ERS system has yet to be offered to the industry.
At this point, Nathaniel Borenstein led a discussion on the use of digital
signatures at the domain level and provided information about a BOF he is planning at
the upcoming IETF meeting in August 2004. The objective is the creation of a charter for
a working group to develop extensions to SMTP/SMIME to:
- Convey the existence of a signature
- Identify and provide the public key of the originator
- Define what in the message is signed
- Define how to deliver the signature with the message
Definitely not in scope are:
- Address based authentication (left to MARID)
- Rating and reputation services
Fuller details of this discussion appear in the minutes of the meeting available to
meeting attendees and members of The Open Group Messaging Forum.
One issue that did come out of the meeting was the plethora of overlapping activities
and the need for an "Association of Associations" to provide some co-ordination
and avoid the need for all companies to be members of all associations.
The final part of the meeting was devoted to the subject of Sender-ID. Meng Weng
Wong of Pobox.com, with Craig Spiezle and George Webb of Microsoft,
jointly presented an analysis of the Sender-ID proposal, which represents the merging of
two different approaches (SPF and Caller-ID). The slides from this session are not
available. There are links below to additional information.
There are three elements to the Sender-ID suite:
- Sender Policy Framework (SPF) - A TXT record added to the DNS that defines which
IP addresses are permitted to originate email for a domain.
- Purported Responsible Address (PRA) - Describes how a conforming Mail Transfer
Agent (MTA) must respond when processing an email message in the presence or absence of an
SPF record.
- Submitter Optimization (SO) - Defines a mechanism to validate the sender
information in the SMTP envelope to allow rejection of email before transmission of the
message.
These three specifications will all be submitted to the IETF MARID group for approval
in August and are being deployed in products now.
Fuller details of the discussions surrounding this presentation are included in the
meeting minutes available to meeting attendees and members of The Open Group Messaging
Forum.
Mike Lambert proposed a certification
program to help with the deployment of Sender-ID. Possible areas for certification
include:
- SPF records (potentially with a link to a Reputation Service)
- MTA software
- Services that use MTA software