RIPE 52

RIPE Meeting: 52
Working Group: Anti-Spam
Status: Approved
Revision Number: 1

Chair Rodney Tillotson
Scribe Arife Vural, RIPE NCC


A Administration

Thanks to our scribe.
Co-chair not able to be present.
About 30 participants.
Jabber presence and audio webcast set up.

As a priority item we considered updating RIPE-206, BCP for
ISPs on preventing UBE from their own networks.

Agreement that Rodney can start the Policy Development
Process with the draft document made available that is very
close to the current LINX one.

Register proposal, then circulate to list;
comment period 4 weeks.
Last call, a further 4 weeks.

It should then be possible to publish the update.

It is important to get this simple task done without further
delay.

We can take more time to improve on the advice after that;
there were some expressions of interest and a suggestion
that it might be best to produce two separate documents, but
no firm offers to do the real work needed.


B1 Developments in abuse

Nothing striking.
Social engineering continues to become more sophisticated.
Phishing is still effective, and we remembered
Danny McPherson's comment in an EOF talk earlier about
"spear phishing", in which a machine in a merchant's network
is compromised and specific transaction data is used to
increase the chance that a consumer will reveal card or
other details.

Header forgery in some abuse messages is good enough to make
the work of an abuse desk difficult.
Some abuse messages are made to look like mail system
bounces or notifications.

Rodney asked whether anybody had noticed an overall increase
or decrease in the amount of abuse mail in their network or
mailbox.

Roland Perry: less spam lately to his real e-mail accounts,
but an increase in traffic for invalid
mechanically-generated addresses.


B2 Developments in anti-abuse

Litigation

No recent spectacular prosecutions.
The Nigel Roberts case in the UK was interesting because,
although the amount of compensation involved was small,
there have been no similar cases in the UK, where anti-spam
laws are considered relatively ineffective.

Internet Governance Forum

Jay Daley explained that the purpose of the IGF was to
prevent the ITU from taking control of the Internet.
Roland has a short slot in RIPE NCC Services WG. Spam is
certain to be on the agenda for the first meeting of the IGF.
http://www.ripe.net/ripe/meetings/ripe-52/presentations/ripe52-nccservices-ncc-public-affairs.pdf

The anti-abuse industry

Recent press coverage about the partnership between Goodmail
and AOL has been mainly hostile. Jay pointed out that
Goodmail make a financial commitment to the quality of their
customers, so have some credibility; but not everybody was
convinced that consumers or smaller ISPs would benefit as
much as these big players.


C Technical measures

C1 Filtering

Roland described a difficulty he had seen with online
purchasing (of air tickets, in his case): the confirmation
messages were too often full of HTML, which is an easy
target for any filtering engine and results in false
positives.

C2 Sender authentication

No updates on SPF or DKIM.

C3 Bounce suppression

Rodney described how bounces to forged originators are a
problem in his environment, and how it is important to
eliminate them as far as possible. Early rejection is best
(using call-ahead or database copies); where it's not
possible, operators might consider checking the incoming
message before sending each notification.

D Interactions

DB WG: confirm status of IRT objects, "abuse-mailbox:"
attributes and default whois output.
[This was raised at the DB WG. Documentation has not kept up
with changes implemented by RIPE NCC.]


X AOB
Robert Seastrom: access to mail system logs very quickly
identifies bad users or systems inside the network as well
as some problems from outside.