Presentation is loading. Please wait.

Presentation is loading. Please wait.

Controlling Spam through Lightweight Currency Proceedings of the Hawaii International Conference on Computer Systems Honolulu HI Jan 2004 David A. Turner.

Similar presentations


Presentation on theme: "Controlling Spam through Lightweight Currency Proceedings of the Hawaii International Conference on Computer Systems Honolulu HI Jan 2004 David A. Turner."— Presentation transcript:

1

2 Controlling Spam through Lightweight Currency Proceedings of the Hawaii International Conference on Computer Systems Honolulu HI Jan 2004 David A. Turner & Daniel M. Havey Department of Computer Science Cal State University San Bernardino Presented by Phil Lucas

3 Payment Based Solution Mail Transfer Agents (MTA) Lightweight Currency Protocol – Can create your own currency – Can use other mail domain’s currency – Can use other LCP-based service providers

4 Definition of Indiscriminately copied to millions of inboxes as opposed to “opting in” Contains false return addresses or other false envelop data Contains material considered objectionable by most and sent without consent Generated by a computer virus or has been specifically formatted to pass through filters

5 Definition of Junk Mail Unsolicited that does not fall into the “Spam” category Advertising targeted to the recipient Similar to USPS junk mail

6 Legislative Based Payment Based Filter Based

7 Legislation Governments pass laws against sending spam and enforcement of laws reduces spam after spammers begin to fear punishment Social costs of increased government control of speech Economic costs of enforcement Spam can originate from foreign countries Solution:

8 Legislation The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography And Marketing Act) (effective January 1, 2004) – Established Requirements for commercial – Spells out penalties for spammers – Gives consumers right to opt- out Solution:

9 Not 100% accurate – BOTH false positives and false negatives Encourages spammers to send more in order to bypass filters Does little to reduce actual cost of spam Solution:

10 Payment Cooperating systems create an economic disincentive to spam Small enough payment to allow legitimate Large enough to make sending large numbers of junk unprofitable Advertisers are willing to pay $.20/junk mail today, certainly $.01/ is okay Solution:

11 Payments cont… Proof-of-work (POW) – Sender must perform time- consuming calculation Spammer will not have resources to perform millions of calculations Waste resources of sender and compute time varies wildly between processors Charity stamps – proceeds go to Charities (Who? How much?) Solution:

12 Overview of + Self-regulated + Fully open market + Multiple currencies + Not restricted to services Solution:

13 LCP Continued… Lightweight Currency Protocol Can be used as a medium of exchange independent of any particular application Easy to implement Not directly tied to real-world currencies

14 Continued… Organization generates public/private key pair and distributes the public key. Alternatively, a certificate can be issued binding the domain name to the public key. Currency holders also generate public/private key pair

15 Something to Note about LCP A currency holder holds a particular currency when the issuer of that currency has a record of it.

16 How LCP works Request Funds Msg Acknowledge Msg Payment Made Msg Identification msg SenderReceiver

17 LCP-Based servers require a payment in LC to accept incoming Responsibility is placed on the service providers to ensure that spam is not passing through their system

18 LCP - Based Case 1 A and B have a history of mail exchange If A holds B dollars, A pays B one B dollar for the If B holds A dollars, A sends another A dollar

19 LCP -Based Case 1, cont. If B has too much A currency, B requests alternatives A sends list of alternative currency it holds – Wide acceptance currency – Domains with large amounts of B currency

20 LCP - Based Case 1, cont. Reasons B will accept alternative currencies – B can redeem alternatives elsewhere on the net – B can redeem currencies for real-world $$$ – B wants to avoid the same situation A is currently in

21 LCP - Based Case 2 A is sending to B for the first time Although unlikely, if A holds B dollars, it uses them Tries to use A dollars If B trusts the certificate from A, it may trust a limited amount of B users respond to A , so B uses A dollars to send it back

22 LCP-Based Case 2 Possibility of spam if cost of new certificates is less than profit from spam Recommended practice would be to accept widely accepted currencies or domains with B currency

23 LCP-Based Spammers send out large amounts of mail with few responses, so spammers could not acquire large amounts of alien currencies Spammers would have to sell services or purchase currencies outright

24 LCP-Based Imbalances List operators could request support from users Prices could be different for outgoing vs. incoming mail. Example: a domain that sends out twice as much mail as received could charge twice as much for incoming mail as outgoing. Commercial sites could absorb cost of statements and confirmations.

25 Why LCP? SOAP-based, relatively easy to implement into applications Fully transferable into other contexts, so will more easily acquire value Providers that send more than received have access to other methods of acquiring necessary currency Providers that receive more currency than they spend can easily redeem it for other resources

26 LCP in Action Agent Need $100 Yahoo $100 Yahhoo $100 Yahoo Newsletter Yahoo.com

27 Security Issues Throwaway identity attack – Naïve policy accepts currency from anyone – Spammer generates as many public key identities as necessary to send mail

28 Security Issues Man-in-the-Middle attack – Policy that accepts non-bound public key certificates – Middleman impersonates sender or receiver Example: A is sending to B and B accepts A dollars. C delivers to B for A, but makes B think its public key is from A. B accepts worthless currency from C. In the meantime, C accepts worthwhile currency from A. Little currency at stake, but possible disruption of service and trust issues between A and B

29 Security Solutions Small systems should not accept currency from domains it does not send mail to Large systems would require spammer to buy too many certificates, so built-in economic disincentive by virtue of the size

30 Deployment Partial Deployment – System accepts both payment and ordinary based – Service providers encouraged to migrate incrementally – Spam eliminated by growing list of cooperating domains

31 Deployment Full Deployment – Users maintain two addresses, one for payment and one for ordinary Small systems must limit imbalances to a fraction of the total number of inboxes After trust is established, limits can be increased Users should NOT respond to Spam!

32 Hybrid Approach A establishes LCP mail domain in addition to ordinary mail. Mail arrives from B, A announces to B its support for LCP If B is not a LCP domain, A accepts mail to ordinary mail inbox If B is LCP domain, A and B negotiate payment and LCP inbox is used. Eventually ordinary mail goes unused and is the sole domain of Spam

33 For More Information…

34 Summary Spam does not NEED to be on every menu! Questions?


Download ppt "Controlling Spam through Lightweight Currency Proceedings of the Hawaii International Conference on Computer Systems Honolulu HI Jan 2004 David A. Turner."

Similar presentations


Ads by Google