Stopping Outbound Spam

Slide 1:Stopping Outbound Spam

Joshua Goodman Microsoft Research Robert Rounthwaite MSN Safety Team

Slide 2:Introduction

Most people worry about Inbound spam � they don�t want to receive spam I�m going to talk about outbound spam Focus on outbound spam from free email services (Hotmail, Yahoo, Gmail) What should they do to stop the spam from coming out? Briefly address how similar analyses apply to paid services (AOL, MSN, Earthlink, �) Consumer/small business space

Slide 3:Overview

Why outbound spam is a problem Why obvious solutions don�t work Account signup-HIPs Economics of spam Low daily volume limits Charging per message works but is annoying Initial Charging (charge for first 2000 messages only) works almost as well but is less annoying Complaint rates are a key factor Raising complaint rates can be as effective as charging more. Raises spammer costs with minor impact on good senders

Slide 4:Why Spammers Love Free Email Services

Cannot be blacklisted Many anti-spam systems have blacklists of bad IP addresses Too much good mail comes from free email services for blacklists to be used (typically) Bandwidth multiplication Connect to service, send one message to 10 or 50 people (on different domains) Some anonymity Services typically include originating IP, but it does add one more step for tracing spammers Avoids blocks and monitoring from own ISP Some ISPs block port 25 or otherwise monitor outbound mail traffic

Slide 5:Why Outbound Spam is a Problem

Most people worry about the spam coming into their system If you run an Email Service Provider (ESP) (Hotmail, MSN, Earthlink, Yahoo, universities, Gmail�) you need to worry about spam going out as well People may block all email from your system if too much spam comes from it Some people block all mail from China and Korea because too much of it is spam. If you�ll block whole countries you will block individual ESPs If not blocking, may filter more aggressively Bad for your reputation People stop opening mail from AbusedESP.com if they don�t recognize sender Expensive to respond to complaints (Assuming you respond) Costs bandwidth, storage (for bounces, sent mail, and inbound spam) and other resources No revenue from these accounts

Slide 6:Reputation Services

Reputation services, like Bonded Sender, certify some senders (domains) as Good Senders agree not to send spam Recipient ISPs check reputation service, let all mail past spam filters Key part of many visions of anti-spam solutions Domains abused by spammers cannot sign up for these services (as senders) If a domain does sign up as a safe sender, incentive for spammers to abuse it is very large Must have very good protections in place

Slide 7:First Solution (for free services)Overview

Create account activation HIP User must solve HIP in order to sign up How much does it cost to get people to solve this? How much spam can they send? How much is spam worth

Slide 8:How much does it cost to spam from a free service with an activation HIP?

Paying people to solve HIPs is cheap About 2 cents/HIP domestic About .2 cents/HIP cheap foreign How much does this cost per message sent? Can keep spamming until account is shut down Multiple ways to shut down accounts, but most relevant is a complaint Can send very roughly 1000 messages before a complaint Cost/message = .002 to .0002

Slide 9:How much is spam worth?

Two strategies: figure out how much spammers charge, or figure out how much it costs spammers. Cost is more relevant to this discussion Costs Can try to estimate costs of sending spam, but hard to know. Many successful spammers use illegal or semi-legal techniques Spamming from an email service violates terms of service CAN-Spam act How much is the risk of jail or lawsuits worth? Even semi-legitimate spammers often get �pink letters� � side agreements for an extra charge, or maybe use bribery Must shift service providers, change spamming techniques, reverse-engineer filters, etc. on a regular basis. Charging: When market is stable, cost of spamming should be close to price Is the market stable yet? Widely varying estimates, hard to know Very roughly, spammers charge .01 cents/message

Slide 10:First solution clearly doesn�t work

Cost per message is about .002 to .0002 Revenue per message is about .01 Useful to know that this is the reason for failure There are other attacks on HIPs such as OCR software If you use this solution and it�s being broken, it�s useful to know that you don�t (just) have to improve your HIP

Slide 11:Account activation + daily volume limits

Seems like reducing amount of spam that can be sent per day should increase spammer costs L (2): lag � days from sending spam to account termination D (100): number of messages/day P (1/1000): probability of complaint per message If D is small compared to 1/p, then

Slide 12:Account activation + daily volume limits

L (2): lag � days from sending spam to account termination D (100): number of messages/day P (1/1000): prob. of complaint/message Example: L=2,D=100,P=1/1000 LD+1/p=1200 Example: L=2,D=1,P=1/1000 LD+1/p=1001 Very little reduction in messages sent

Slide 13:Solution: Pay $ to recipient for every message(Gates, �96, Loder et. al �04, etc.)

Many proposals where sender pays for every message, or pays per complaint, or pays if recipient does not like content MUCH harder than it sounds Micropayment overhead costs To avoid spammers abusing system, must �put a hold� on account for each message, even if money eventually refunded Who gets the money Recipient? ISP? What prevents spammers from creating fake recipients or even fake ISPs who attract mail and take money? Has been done with international phone calls Is there one bank controlling everything? Making a profit? Are there multiple banks and if so, how do recipients know which banks to trust? Not insoluble, but MANY practical and social issues

Slide 14:Next obvious solution:Charge (HIP or money, etc.) every n messages

How much do you need to charge? Want to make it more expensive than profit, so aim for about .01/message Must charge 1 HIP every 20-200 messages Multiple recipients counts as multiple messages This is really annoying

Slide 15:Good solution: Initial Charging

Charge every n messages but only up to k charges at most Annoying at first, but users eventually stop being charged Much less annoying in the long run, but can set parameters to be equally effective If someone complains, user may have to start over again

Slide 16:Initial charging math

C(2): charge per n messages n(100): # messages per charge k(20): maximum # of times charging D(100): # of messages that can be sent per day L(2): lag time from sending until termination p(1/1000): probability of complaint q=1-(1-p)D(.095): prob of complaint on a given day As 1+nk/D-L gets large, second term approaches 0 Moderate values of k (max charges) lead to almost same cost as charge/message forever (C/n)

Slide 17:Spammer attacks

Spammer sends 2000 messages to himself No complaints Solves 20 HIPs Now he can keep spamming for free until his account is shutdown Can prove that this strategy is at least as costly as the �always spam as fast as you can� strategy. Nice proof that for any strategy where you do not spam at time t (send good or nothing) there is a strategy that is at least as good where you do spam at time t Proof by induction that you should always spam right away

Slide 18:Improving this solution:Add heuristics

Don�t have to charge everyone the same In some cases, you should charge more If a spam filter says that mail is spam, you should charge more In some cases, you can charge less Example: no image, no HTML, no links, no phone numbers, not detected as containing suspect words or odd obfuscations (e.g. misspellings or unknown words) by a spam filter Might still be possible but response rate will be lower, so value is lower, so we can charge less Other heuristics, but don�t like to talk about them

Slide 19:Paid users

So far, everything has been about free users (e.g. Hotmail, Yahoo, Gmail�) What about paid users (e.g. MSN, AOL, Verizon, Earthlink�) or Yahoo/Hotmail premium Can count their money as payment More complex analysis � don�t want to have to charge all over again if they get a single complaint Can allow about 8000 messages/day/$20 Daily limit increases as more money received (monthly) Daily limit reduced by 400/complaint

Slide 20:Complaint Rates

Complaint rates are a critical factor in the math for every solution If people complain twice as fast, effective cost to spammers is almost twice as much Raising cost/message annoys legitimate users Raising complaint rate may have no effect on legitimate users Working on standards for complaint-reporting Idea: get a button in every email client that sends complaint in standardized form to sender�s ISP

Slide 21:Conclusion

Inbound spam gets lots of attention, but outbound spam must be solved too. Non-solutions: Account sign-up HIP Very low daily volume limits. OK solution: charge (HIP or money, etc.) for every n messages Better solution: Initial charging Can be just about as effective as charge/message forever, but less annoying for legitimate senders Cost and complaint rates are both critical factors

Slide 22:Porn for HIPs

This has been done in real life, but not clear how common it is I�ve never been able to find an example, but people I trust say they have seen it in the past We�ve seen HIPs used to protect porn sites, but not forwarded HIPs May have lead to confusion especially in reports in popular press There are costs to this approach Must attract people to your website (advertising costs) Must acquite content that is not available elsewhere for free. Must serve-up content (may be expensive if content is, e.g. long videos) Is all this less than .2 cents/HIP (foreign labor HIP cost)? If getting a visitor costs 5 cents, you must get each visitor to solve at least 25 HIPs either now or on return visits