CAMBRIDGE, Mass. – Nearly 600 IT professionals, researchers and self-described hackers packed a dingy lecture hall at the Massachusetts Institute of Technology on Friday to debate approaches for repelling e-mail spam.
While audience members snorted about Viagra and other common spam subjects, speakers at the first Spam Conference criticized the use of DNS blacklists, a common spam-fighting technique for enterprises. Instead, many speakers boosted Bayesian content filters as a better way to fight spammers' dirty tricks.
IT administrators, however, could find that Bayesian filters, though they may produce fewer false positives than blacklists, are still a bad idea for the enterprise.
"Bayesian filters work only for individuals, not groups," said Steve Atkins, a partner at Redwood City, Calif.-based Word to the Wise LLC, which helps Tier 1 ISPs and other companies manage abuse desk complaints. "And they require more technical expertise than most end users have."
Bayesian filters assign spam probabilities to individual words in an e-mail. The filters can be taught to quarantine messages that use jumbled, meaningless words, or words with numbers instead of letters -- for example, V1DEØ -- to avoid detection. The filters are apparently accurate. Spam Conference organizer Paul Graham presented a Bayesian filter that he says is 99% effective against spam, with near-zero false positives.
But Bayesian filters require constant maintenance to keep up with new spamming techniques, including the use of HTML. Hackers acknowledge they are already in a game of one-upsmanship with spammers.
"There are some very clever people creating spam," said New York-based programmer John Graham-Cumming, who is the author of POPFile, an open-source Bayesian e-mail classification system. "They deserve our respect."
IT administrators at the conference, however, were feeling less charitable toward spammers. They said that abusive spammers, who burden corporate networks and diminish worker productivity, deserve to be punished.
"Anyone who is making money by trespassing and stealing resources is not deserving of any form of respect," said John Payne, network architect at Cambridge-based Akamai Technologies Inc., a Web content delivery service provider.
Payne is also an e-mail and domain name system (DNS) expert for Sackheads.org, an online community of system admins. While bulk mailers may deserve some protections under the law, he said, spammers who use open proxies, bogus opt-out addresses and other forms of subterfuge should face legal penalties. "Free speech should be free," said Payne. "It shouldn't come at a price to the rest of us."
Payne's call for legal action against spammers was echoed by another conference speaker. Paul Judge, director of research and development at Alpharetta, Ga.-based CipherTrust Inc., said that blacklists and filters alone are not enough to take down large, well-funded spammers. "You need the backing of legal protections, to go out and prosecute [large-scale spammers] who try to circumvent your technology," Judge said.
Until governments step up their enforcement efforts, however, IT administrators will be fighting spammers on their own. And Word to the Wise's Atkins said blacklists remain the best tools corporations can use to fight spam. He is especially keen on Spamhaus, a real-time subscription database for e-mail servers. Spamhaus lists the "IP addresses of verified spammers, spam gangs and spam services," according to the Spamhaus Project Web site.
Admins may also want to try a little social engineering with spammers, said John Draper, co-founder of Patterson, Calif.-based ShopIP Security Solutions Inc., which develops network firewalls. Draper is also known in the hacker community as "Cap'n Crunch" for his phone company hacking activities during the 1970s.
"You can start by telling a spammer you've discovered a security flaw," said Draper, "and that will get their attention. Then you can ask them, 'What can I do about all this spam I'm getting?' "
Still, hackers at the Spam Conference predicted that Bayesian content filters may eventually become fully self-sustaining, anti-spam systems. At the conference, researchers from companies like IBM Corp. declined to comment publicly about such filters but nonetheless seemed eager to talk with hackers about them.
Joseph McDonagh of Lowell, Mass., a high school student and self-described hacker who attended the conference with a hacker friend, mused about the promise of Bayesian filters while fielding job offers from software developers. "If the system can be made to learn on its own, without teaching, and become 100% efficient," said McDonagh, "you could stop worrying about the game, because it wouldn't be a game anymore."
FOR MORE INFORMATION: