April 19, 2006 3:03 PM PDT
Danger: Authenticating e-mail can break it
- Related Stories
On sentry duty in your in-boxApril 18, 2006
Web site gives e-mail senders a reputationAugust 29, 2005
Microsoft pushes spam-filtering technologyJune 22, 2005
Should Microsoft own antispam?November 9, 2004
Microsoft reworks antispam spec to silence criticsOctober 25, 2004
Microsoft touts 'Sender ID' to fight spam, scamsAugust 12, 2004
(continued from previous page)
This was a challenge at Bank of America. "You have all sorts of different groups," Johnson said. "You need to really have a comprehensive, holistic look of your entire organization and know exactly who is sending mail."
"As you move along with implementing authentication...you are going to find that things will break, if some business unit goes ahead and sets up some host to send e-mail, and they don't register the hosts with SPF records," Johnson said. The problem is especially acute if e-mail service providers delete all the e-mail that fails an authentication check, he said.
But not all adopters of e-mail authentication face these problems. Dell, for example, did not see a major challenge. "There was some housekeeping that needed to be done," Erich Stokes, a systems engineer, said. "E-mail and SMTP was this great open standard, we just have to be a bit more responsible now."
The challenge of making an inventory of e-mail servers is apparent in the way SPF records are published. More than half of the companies that use SPF fail to tell recipients that their list of servers is complete--that is, that there should be no mail coming from other servers, according to CipherTrust. This leaves open a door for spoofers, as e-mail sent from an unidentified server can't just be deleted by filters.
"It definitely limits the actual effectiveness of the verdict," agreed Patrick Peterson, vice president of technology at IronPort, an e-mail security company in San Bruno, Calif. However, Peterson believes companies will get their e-mail servers in a row. "I do see that as a transitory period. When people first adopt, they are going to be very safe."
If adopted widely, e-mail authentication technology could help people make sure that a message claiming to be from their bank was actually sent by the bank. Authentication alone does not stop junk and spoofed messages, but it can make spam filters more effective by allowing filters to rate domains based on the e-mail that is sent.
But on the inbound side, filtering authenticated e-mail can be tricky, to the point where some e-mail security vendors are telling customers not to look at authentication when filtering their messages.
"We're big proponents of SPF, and all our boxes support it," said Dean Drako, the CEO of Barracuda Networks, a Mountain View, Calif.-based maker of antispam appliances. "But we have to recommend to our customers that they do not do any filtering on it, because there are too many false positives." False positives are messages wrongly identified as spam.
The ultimate benefits really are in the future applications of e-mail authentication, attendees at the authentication event agreed. E-mail security companies are working on accreditation and reputation services for e-mail. These systems look at the e-mail sending habits of a particular domain like CNET.com, for example, and include that in the decision as to whether messages should be junked.
6 commentsJoin the conversation! Add your comment