SPAM Workshop at ITU World Telecom 2006, 8th December, Hong Kong

(Last Updated On: December 15, 2006)

Details of the Spam workshop program can be found online

There was a lot of useful information shared during the sessions especially with case studies from various countries. Mr Luc Mathan, Board member of MAAWG, noted that with NGN there should not just be a focus on spam legislation but on the whole Interrnet legislation. He shared a very interesting example of how German law now rules that ISPs must delete logs at the request of customers (in other words, privacy taking precedence over piracy or evidenciary needs for taking up suits). This will have a major impact on the effectiveness of prosecuting spam. In the Spamhaus case, data protection authorities are questioning the need to notify ISPs on who the spammer is. This is unlike what is happening in broadband arena, where countries first rushed into adopting broadband only later to worry about security issues. Proper understanding and planning is needed.

Hong Kong has actually taken a broader approach to spam. It does not limit itself to Internet spam on PCs. It includes SMS and MMS messages as well, In fact, it has taken a technology neutral approach to any forms of abusive messaging (with flexibility to ensure legitimate commercial messages do not fall in this ambit). Hong Kong also takes a multipronged approach called STEPS (S=strengthen, T=technical, E=education, P=partnerships (local and international), S=statutory measure). There are very strong criminal and civil penalities that should deter spam activities. In fact, one of the presenters made a good presentation of the comparisons between Hong Kong and China’s spam laws. She then noted that the less stringent Chinese environment will mean the migration of spammers from Hong Kong to China. Very interesting as this is the global nightmare behind combating spam.

Suresh Ramasubramaniam from APCAUSE, also mentioned how Asia Pacific is lagging behind in spam battling and this has meant now that a lot of spam activity is moving to Asia Pacific, as the rest of the world cleans up its act. He too reiterated Luc’s point that a broadband policy needs a security policy too. He mentioned how in his work at the ISP today, a lot of time and effort is spent in helping customers minimise spam (out of 1 million messages, 90,000 are usually spam). Developing countries lack the bandwidth (spam clog up their bandwidth for “good” email delivery) but they also lack the resources to participate in antispam effortts e.g. MWAAG etc. So whilst there is a need for international cooperation, there is also a clear need for substantive local support e.g. building Internet exchange points, cooperation between ISPs, civil society education on security issues and training/capacity building of security experts. Organisations involved in regional and international cooperation should be cognizant of this, and meanwhile countries to should be cognizant of the need to work beyond their borders.

Mr Dimtri Ypsilanti, the OECD representative, pointed to the OECD Spam toolkit and other databases which could help countries. There is no real need to reinvent the wheel but for collaboration and sharing of information. He and some other panelist mentioned that there is no clear definition as such amongst all countries as to what constitutes spam, but there is some agreement on dealing with abusive spam. Spam today is a conduit of all other threats (e.g. phising, botnets, viruses, zombies, etc) and there is huge business implications as well. The other MAAWG representative, Mr Michael Jones from AOL, pointed out that today it is not just ISPs who are on board with dealing with spam, but also big corporations. The objective is to stop abusive mails whilst delivering legitimate mails. Calls to the helpdesk by a user to deal with spam issues costs money and can even kill the business case of an ISP. There is a clear role of self-regulation by private sector to adopt Best Practices, cooperate with all stakeholders and even for users to do their part to protect themselves.

One example of self regulation is seen in the role of MAAWG is to help share information, educate and train. Currently for example, many service providers do not fully understand how to protect themselves with Port 25 blocking. MAAWG has produced self explanatory documents for executives and governments, and also has developed a Code of Conduct for ISPs and Best Practices for senders (this information was broadcasted on radio). It also directs people to global references such as the OECD toolkit, developed spam metrics for ISps and works as an interlocuter or one stop shop of information, database and contacts for International organisations.

Overall I found the Spam workshop had an impressive panel of speakers and great information shared. Cross border collaboration was a common theme emphasised by almost all speakers, given it was noted that in some countries more than 95% of spam comes from outside their borders. Between blacklist, whitelists, strong penalties and enforcements, cooperation of stakeholders and regional and interrnational organisations, the battle against spam is progressing. Whilst we are still dealing with the problem, it could have been a lot worse if we did not have these efforts. However, given that many countries and companies benefit monetarily from spammers, i.e. not everyone has an incentive to clean up this act, the battle continues.

(see for other details and pictures) As I ended that other post, let me also end here with a quote from Barry Greene, an active participant of NSP Sec

“Never underestimate the power of human communications as a tool to solve security problems. Our history demonstrates that since the Morris Worm, peer communication has been the most effect security tool.”