Slide 1

RUCUS - IETF 71 1 Lessons Learned From IETF Email Antispam Work Jim Fenton Slide 2 RUCUS - IETF 71 2 Email Antispam work in IETF? AntiSpam Research Group in IRTF Meets Tuesday afternoon Two WGs have focused on email authentication MARID (2004) DKIM (2006-present) Authentication to establish identity + authorization considered useful Provides base for reputation, whitelists, etc. Relief from false positives on messages from known, desirable senders Strong opinions everywhere! Slide 3 RUCUS - IETF 71 3 Legacy Legacy makes change difficult Email has more legacy than VoIP But the PSTN has a lot more legacy than Email! Capability for anonymity is essential But Anonymity Spoofing Some spoofing is desired by users (mail an article) Can the recipient trust the {callers, authors} identity? Generally, no PSTN lacks display mechanisms for Caller ID trust, even if we could decide how to populate it Similarly, email UIs generally dont display authentication Slide 4 RUCUS - IETF 71 4 Comparing Email and Voice Decision can include message content Difficult to establish trust basis for large domains, especially free services Real-time recipient input rarely available to aid decision- making Fraud (phishing), malware delivery significant problems Horse has left the barn: spam rampant Decision must be made in real-time prior to connection Difficult to establish accountability for PSTN addresses Recipient may be available to provide input to call acceptance process Voice fraud probably more insidious; malware TBD Some spam, but generally under control, for now EmailVoice Slide 5 RUCUS - IETF 71 5 Conclusions Email experience shows that economics are ripe for floods of VoIP spam VoIP spam is likely to be much more intrusive than email spam A bit early to evaluate the benefit of email authentication on spam management But voice services cant wait for the answer Interworking between PSTN and VoIP likely to be very difficult