Researcher chews fat on spam and security

Spam is one of the hottest IT issues. Who hasn't received e-mail solicitations for Viagra and mortgage-reduction plans? A new research group under the Internet Engineering Task Force (IETF) is working to address the issue of unwanted e-mail. Recently, spoke with Paul Judge, chairman of the IETF's recently created Anti-Spam Research Group and director of R&D for Alpharetta, Ga.-based CipherTrust Inc., which makes mail-monitoring appliances. Spam is an issue that one vendor cannot fix alone; rather, it will take a group effort among competitors to address the issue for everyone, Judge said.

How will the work be done?
We will meet three or four times a year during the IETF meetings, but most of the work will be done via the mailing list (we have 500 members so far).

How would you categorize the methods companies are using to address stopping spam?
I would say most products are relieving the symptoms of spam. A product can block 90% to 95% of spam. Companies are installing them, as they are [part of] the cost of doing business, but the products do not solve the problem globally. One of the missions of the research group is working to stop spam closer to the source.

Is it an IT security issue? If so, why?
The scale and effect suggest that spam is a type of information security problem. It has many properties in common with denial-of-service and network intrusion. Spam is an unauthorized use of resources: bandwidth, storage, processing and people's time. The nature of e-mail causes most of the cost to be assumed by the receiver. It also is a platform for many fraudulent activities.

Does the research group view spam as strictly a nuisance issue?
No, actually the charter of the group states that 'the scale, growth and effect of spam on the Internet have generated considerable interest in addressing this problem. Once considered a nuisance, spam has grown to account for a large percentage of the mail volume on the Internet. This unwanted traffic stands to affect local networks, the infrastructure and the way that people use e-mail.' Personally, I've stated these thoughts previously as: 'The scale and effect of the spam epidemic leads us to suggest that spam is no longer simply a nuisance but is a type of information security problem. Therefore, we encourage systematic efforts to understand, analyze and solve the problem.'

Historically, how has spam been addressed?
Over the years, the first things people turned to were black lists. A network admin would come up with something himself to address spam. These were ad hoc solutions. The problem was, there were many side effects to black lists. The next step was content filtering, which looked for words such as 'mortgage' or 'Viagra.' Today, there are a number of companies working on different solutions. The research group represents us coming together to solve this problem.

What kinds of companies and groups have joined the research group?
We have ISPs, anti-spam product vendors, academic researchers and end users.

Will the research group address who in an organization should handle spam prevention? In other words, should the security guys handle it, or is it more the job of the messaging or general IT folks?
The individual in an organization that should be responsible for spam depends highly on the structure and division of responsibilities in a particular organization. Dealing with hundreds of organizations that are customers of CipherTrust, I have seen instances in which spam is handled by the messaging team, the networking team or the information security team. That is because spam is a complex issue that involves a number of components, including technical solutions, deployment strategies and end-user education.

What you are proposing sounds a lot like what antivirus companies do.
Yes and no. Collaboration in the antivirus industry is much more mature than in the anti-spam industry. There is coordination to identify, name, and track viruses. Traditionally, such relationships have not existed in the anti-spam community. We have spearheaded efforts to create those relationships and they are progressing nicely. Anti-spam is quite different from antivirus in many ways. One of the fundamental differences is that in general, people write viruses for sport but spam for profit. Also, spam is more polymorphic than viruses; therefore, signature-based systems cannot be as effective as with viruses. There are a number of other characteristics that make defending against spam more difficult, including the lack of legislation to deter spammers. Overall, there are some things that anti-spam researchers can learn from the antivirus community, but simply applying antivirus methodologies to the spam problem will not provide a solution.
