MIT spam conference focuses on phishing

Nature of unwanted e-mail is becoming more dangerous, speakers say

At the fourth annual MIT Spam Conference, held in Boston Tuesday, speakers said that while the volume of spam ebbs and flows, the nature of unwanted e-mail is steadily becoming more dangerous.

"The spam problem will get worse, and the reason is phishing," said Bill Yerazunis, senior research scientist at Mitsubishi Electric Research Laboratories and chairman of the conference. Yerazunis estimates between 20% and 30% of all spam messages are phishing attacks that attempt to trick recipients into giving away personal or financial information. "For people who aren't 'Net savvy, they could lose their retirement money," he says.

The response rate for phishing e-mails is much higher than for spam, said Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more and more unsolicited e-mail these days, as antispam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage get through such filters, and more recipients click on them, he said.

Not only is phishing dangerous for potential victims, but it also is destroying large banks' and other companies' ability to communicate with their customers in the most effective way, Judge continued. "Some of the most powerful entities on earth can't talk to their customers over e-mail" because phishing has corroded their customers' trust, he said.

As one of the dozen companies, universities, and laboratories presenting papers at the MIT Spam Conference, CipherTrust focused its talk exclusively on the rising threat of phishing. The company on Tuesday announced its PhishRegistry.org site, a service designed to warn legitimate Web sites when they are being spoofed by phishers.

CipherTrust has developed technology that creates a digital fingerprint of a Web site suspected to be bogus, and of the site it is spoofing, and compares the two looking for a match, said Jonathan Zdziarski, research scientist at CipherTrust. Once a bogus site is identified, CipherTrust feeds that information into its Radar anti-phishing service and also posts a notice at PhishRegistry.org, which Zdziarski defined as a "neighborhood watch for your Web site."

Fresh from an IETF meeting last week, Sendmail's Chief Science Officer Eric Allman spoke about the progress being made with DomainKeys Identified Mail (DKIM), a sender-authentication proposal from Yahoo and Cisco that's wending its way through the standards body, and how it can be used to fight phishing.

In a presentation titled "So you've got authentication now. Yippee," Allman said that while DKIM isn't a cure-all to the spam and phishing problem, it presents an effective way for the signer to assert they really did process the message, and to hold them responsible for it.

But DKIM and other authentication approaches won't work in a vacuum, he said.

"We need to use authentication as input to a larger system; it's one part of a big toolbox," Allman said. "If something is authenticated that doesn't necessarily mean that it's good."

While phishing has become a top concern in the spam-fighting community, the battle against simply annoying e-mail is far from over, and a number of papers presented at the conference focused on new ways to identify and block spam. Among these were a proposal to improve Bayesian filter accuracy, a system for generating temporary e-mail addresses so that a person's preferred address doesn't have to be given out, spam filters based on adaptive neural networks, a new message-verification platform.

This story, "MIT spam conference focuses on phishing" was originally published by Network World.

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon