Guidelines to Enable U.K. ISPs to Share Spam Data

A new set of guidelines may pave the way for dozens of U.K. ISPs to participate in a University of Cambridge research project into the problem of spam, estimated to comprise 60 percent or more of the world’s e-mail traffic.

The guidelines concern how ISPs should deal with sensitive issues such as customer privacy and data-protection laws, while cooperating to shut down machines propagating spam, said Martin Hutty, head of public relations for the London Internet Exchange (LINX), a group of about 220 ISPs and network providers.

When an e-mail is sent from a machine using one ISP to another, both ISPs hold details that can be used to detect spam and locate the machine where the message originated, Hutty said. A user may have been infected with a Trojan horse program, through which a hacker has gained control of the machine and is using it to send spam, he said.

The guidelines will open the door for ISPs that want to participate in spamHINTS, an ongoing research project at the University of Cambridge, Hutty said. Richard Clayton, who holds a doctorate in computer science from Cambridge, heads the research.

“E-mail is not just a technical problem, but a market failure compounded by regulatory deficiencies,” Clayton wrote in a paper outlining spamHINTS.

The research project uses traffic analysis rather than content to determine which e-mail is legitimate. Spam, Clayton writes, has characteristics that make it stand out from real mail, even aside from its content.

Spam gets few replies and is often sent out 24 hours a day. It is also regional. For example, legitimate traffic flows between the United Kingdom and South Korea, but it’s uncommon, Clayton writes. Spam tends to consist of a huge number of short messages, while real e-mail is a mixture of sizes and sent in small numbers.

Clayton writes there is very little cooperation between ISPs so far in detecting and reporting spam.

The project, which is funded by LINX and Intel, hopes to tap into LINX’s network of ISPs. LINX, a nonprofit organization that includes members such as Google and the British Broadcasting Corp., is primarily known for its peering capabilities, which allow ISPs to connect directly with each other, Hutty said.

The direct connection avoids data transit charges for Internet traffic carried on other networks, he said.

LINX is enabling its peering infrastructure to produce sFlow data, which consists of packer header information for traffic flowing through its switches. Researchers believe they will be able to distinguish using the characteristics of the sFLOW traffic between real e-mail and spam, without examining the content, and identify the sending machines.

The end result will be a real-time list of e-mail sources that ISPs can use to investigate misuse. Through heuristic analysis, an ISP should be alerted to odd behavior, such as if one of its customers starts sending 10 times the number of e-mails as in the previous week.

The guidelines can be viewed online.

-Jeremy Kirk, IDG News Service (London Bureau)

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.