At the fourth annual MIT Spam Conference held in Boston Tuesday, speakers said that while the volume of spam ebbs and flows, the nature of unwanted e-mail is steadily becoming more dangerous.
"The spam problem will get worse, and the reason is phishing," says Bill Yerazunis, senior research scientist with Mitsubishi Electric Research Laboratories, and chairman of the conference. Yerazunis estimates between 20 percent and 30 percent of all spam messages are phishing attacks that attempt to trick recipients into giving away personal or financial information. "For people who aren't 'Net savvy, they could lose their retirement money," he says.
The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more and more unsolicited e-mail these days, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage get through such filters, and more recipients click on them, he says.
Not only is phishing dangerous for potential victims, but it is destroying large banks and other companies' ability to communicate with their customers in the most effective way, Judge continues. "Some of the most powerful entities on earth can't talk to their customers over e-mail" because phishing has corroded their customers' trust, he says.
As one of the dozen companies, universities, and laboratories presenting papers at the MIT Spam Conference, CipherTrust focused its talk exclusively on the rising threat of phishing. The company on Tuesday announced its PhishRegistry.org site, a service designed to warn legitimate Web sites when they are being spoofed by phishers.
CipherTrust has developed technology that creates a digital fingerprint of a Web site suspected to be bogus, and of the site it is spoofing, and compares the two looking for a match, says Jonathan Zdziarski, research scientist at CipherTrust. Once a bogus site is identified, CipherTrust feeds that information into its Radar anti-phishing service and also posts a notice at PhishRegistry.org, which Zdziarski defines as a "neighborhood watch for your Web site."
Fresh from an IETF meeting last week, Sendmail's Chief Science Officer Eric Allman spoke about the progress being made with DomainKeys Identified Mail (DKIM), a sender-authentication proposal from Yahoo and Cisco that's wending its way through the standards body, and how it can be used to fight phishing.
In a presentation entitled "So you've got authentication now. Yippee," Allman says that while DKIM isn't a cure-all to the spam and phishing problem, it presents an effective way for the signer to assert they really did process the message, and to hold them responsible for it.
But DKIM and other authentication approaches won't work in a vacuum, he says.
"We need to use authentication as input to a larger system; it's one part of a big toolbox," Allman says. "If something is authenticated that doesn't necessarily mean that it's good."
While phishing has become a top concern in the spam-fighting community, the battle against simply annoying e-mail is far from over, and a number of papers presented at the conference focused on new ways to identify and block spam. Among these were a proposal to improve Bayesian filter accuracy, a system for generating temporary e-mail addresses so that a person's preferred address doesn't have to be given out, spam filters based on adaptive neural networks, a new message-verification platform.