Perspective: E-mail authentication. Then what?

The world's e-mail network is no longer the friendly place it once was.

The booming trade in spam and the looming threat of e-mail fraud, in the form of spoofing and phishing, have seriously dented our confidence in e-mail. Despite a multimillion-dollar industry surrounding antispam software, and several attempts to banish the problem with regulation, spammers and fraudsters continue to stay one step ahead.

The problem is that SMTP, or Simple Mail Transfer Protocol, the protocol designed to move e-mails from server to server, is still a system based on trust. Anyone submitting a message can claim to be anyone else, with little or no accountability.

The problem is that SMTP, the protocol designed to move e-mails from server to server, is still a system based on trust.

Enter e-mail authentication. During the past year, the industry has keenly watched the progress of various sender-authentication schemes designed to ensure that all senders--including businesses, Internet service providers and, most important, spammers--are held responsible for the messages they send. E-mail authentication tells us where mail comes from so we can decide whether we want to read it.

The industry has willingly thrown its weight behind the concept--companies that would normally consider themselves competitors have united behind specific standards and technologies. The Internet Engineering Task Force worked diligently, collaborating with companies on authentication technologies, and its efforts were critical to the evolution of e-mail authentication, even though it was unable to develop a single standard.

The government has also recognized the importance. The Federal Trade Commission and the National Institute of Standards and Technology hosted the Email Authentication Summit recently at which industry leaders met to discuss what progress had been made to date, as well as the future of authentication.

Despite this support, the question remains: How do we take the theory of e-mail authentication and put it into practice? What do the actual legitimate senders and receivers of e-mail need to do to ensure they're prepared and protected? It's now up to individual businesses to do their part, but what do they need to do?

Today there are two widely known technologies that have serious supporters. Sender ID Framework, or SIDF, is an IP-based solution that combines Microsoft's Caller ID for e-mail proposal and Meng Wong's Sender Policy Framework, or SPF. DomainKeys, a signature-based approach supported by Yahoo, and Identified Internet Mail, another signature approach by Cisco Systems, both require software to be implemented by the sender and receiver to verify the integrity of the message.

Signature approaches are considered to be longer-term solutions for robust e-mail systems, while SIDF is easier to deploy for simple implementations. A team of top e-mail industry players is working with both Cisco and Yahoo to develop a single signature specification. That implementation should be available to the IETF for standardization by the second half of 2005.

As recommended by 34 industry leaders in a recent letter to the FTC, e-mail authentication initiatives should be rolled out in two phases. This two-step strategy incorporates, first, IP-based approaches and then signature-based approaches. Organizations should adopt SIDF today and then, as signature-based solutions mature, deploy them as well. The two schemes complement each other in the long term, resulting in a robust solution to address the range of platforms, user environments and deployment requirements worldwide.

What do the actual legitimate senders and receivers of e-mail need to do to ensure they're prepared and protected?

On a practical level, companies should develop plans as to how to incorporate authentication into their current infrastructure, and they should ask their e-mail vendors how and when they plan to take advantage of authentication. Both SIDF and signature approaches are already being adopted by some businesses. Early tests on the performance have been promising. Reports indicate that as much as 50 percent of sending domains are authenticating their outbound e-mail using SIDF and signatures.

These results alone should be enough to convince us that we're approaching the end of e-mail as we know it. The schemes are critical pieces of the technology that should be adopted by any site or company that depends on the reliable delivery of their outbound e-mail or the protection of their brand and domain name. They should also be used by other receivers that wish to be able to prove the identity of mail senders, as well as provide a safer and more reliable way to accept inbound messages beyond traditional mail content filtering.

Every receiving site will have to decide for itself which sender authentication approaches to take and what requirements to place on incoming mail in order to best suit its needs. But companies should also expect their customers, partners and suppliers to use a variety of schemes, or risk being unable to exchange messages with whole segments of their supply chain. The "industry" can only support e-mail authentication--it's now up to individual businesses to make it happen.

Biography
Dave Anderson is CEO of Sendmail.

More Perspectives

[Anonymous1234567890]

Authentication is already possible

If I were to publish my e-mail address here, only those who I wished would be able to e-mail me, and nobody else could. Simple as that. How? Yeah, right -- this is a million-dollar concept, isn't it? I'm not saying squat until I can afford to copyright the method.

[Anonymous1234567890]

And I forgot to mention...

...my method works with the existing SMTP protocol, with *NO* new protocol required. Anyone interested in funding my idea? Gmail? Hotmail?

[hadaso]

A million dollars concept? how about a free one?

I can publish an email address here! A real one that would actually deliver email to my own mailbox. No need to pay a million bucks. It's free! Spammers harvest addresses from these forums. I know. They harvested one time addresses I posted here! What do I care? They're all self distructiong addresses. By the time they include it in their mailing lists they're gone (and their lists are just a little bit more contaminated with one more invalid address, that would appear as a working address to them.)<br />Here are a few:<br />cnet1talkback22mar05.hadaso@xoxy.net<br />cnet2talkback22mar05.hadaso@xoxy.net<br />cnet3talkback22mar05.hadaso@xoxy.net<br />cnet4talkback22mar05.hadaso@xoxy.net<br />cnet5talkback22mar05.hadaso@xoxy.net<br />cnet6talkback22mar05.hadaso@xoxy.net<br />cnet7talkback22mar05.hadaso@xoxy.net<br />cnet8talkback22mar05.hadaso@xoxy.net<br />cnet9talkback22mar05.hadaso@xoxy.net<br />cnet0talkback22mar05.hadaso@xoxy.net

[203129769353146603573853850462]

Patent, not copyright

Patent, not copyright

[fgoldstein]

Anticlimax for little reason

The headline talks about the end of e-mail "as we know it", which implies a major change, but instead we're talking about a tweak to the protocol. Look, new improved Duzznt with 3.7% more hexaflogistic acid!<br /><br />The obvious motive for these authentication hacks is to decrease spamming. But it's like putting a blast door on a grass shack. Spammers are already big users of SPF. These schemes will not stop spam; they'll only cause them to modify their tactics. Since spammers mostly use botnets anyway, they'll find ways to use their hijacked host-machines' accounts to get through.

[RavingEniac]

authentication, spam filtering

The spam filter built into Mozilla/Thunderbird works pretty good. In the time since it was implemented, my spam burden has been greatly reduced. I still need to mark some mail as spam, and very rarely find a good email marked as spam.<br /><br />Good spam filtering that the user controls locally is better for me than filtering that my ISP controls, and better than stashing unknown mail into a "bulk" folder where it may get lost even if it's from a long-lost girlfriend who wants to say hi, or from a rich uncle who wants to offer me a job. Mail unknown to your email provider or software should not automatically be sidelined.<br /><br />Regarding authentication, many spammers use fake headers indicating the routing of their mail. To somehow test for and reject fake headers would eliminate a huge amount of spam. A protocol to use the message ID indicating the claimed point of origin and fetch the first 1000 bytes of the email and see if it matches the message at the destination ISP would probably be adequate to test whether the routing info is fake or not. This would somewhat increase the mail-related traffic, but would put a lot of spammers out of business. Such a test could be used by "backbone" providers rather than retail ISPs, I would imagine.

SOX not SPAM justifies Authentication

I think you grossly miss the point when you consider the impetus behind this as eliminating spam.<br /><br />True, Authentication brings an order of complexity to any organization but from my perspective it solves and even greater problem. Accountability in the business world would get an interesting ?wakeup call? if authentication were introduced between communicating parties. <br /><br /> We have become so familiar with email as a potentially unsafe communication medium that we include those ridiculous disclaimers at the bottom of our emails suggesting the reader ?read no further? if they are the unintended recipient.<br /> <br />Sarbanes Oxley (SOX) oddly enough does not require Authentication which I think is a mistake waiting to be regulation. I also think it?s a competitive advantage for any software developer looking to differentiate.

[hadaso]

Email is not telephone: don't they get it?

Telephone is a two-way (symmetric) communication system. Both sides are the same and both are identified using a number. Each end can call the other using that number.<br /><br />Email is diferent. Email is one-way. Email is asymmentric. An SMTP client sends to an SMTP server. An SMTP server cannot send to an SMTP client (even if a software suite called a "mail server" has an SMTP client component, as they all have, it is not the SMTP server component that sends email. It only receives). Now, the ONLY USE of an email address is to direct a message to it's recipient. There is no real meaning to the "sender's address" in the SMTP protocol (the standards require a return address, but this is not for the protocol to work, but just to be able to contanct someone in case of error). The sendinding client has an IP address that identifies it, and is practically impossible to forge, as the sender needs to use a real IP address to be able to communicate with the receiver.<br /><br />In email, A sends to B. B cannot send to A using the same channel. Yet all these authentication methods works hard trying to reverse the irreversible communication channel, and to "authenticate" the sender's email address - the one that actually has nothing to do with the email transaction. They are trying to force a symmetric paradigm on an inherently asymmetric process. They are trying to force email to work like telephone instead of taking advantage of the asymmetric nature of email!<br /><br />A lot of work is going into trying to authenticate the quite meaningless "sender's email address, while the real address that's important for the completion of an email transaction is the recipient's address. Without it email cannot be sent, and this is the one that should be used for authentication. This is the one address that cannot be forged if the message is to be received by the recipient.<br /><br />The trick is to abandon the "telephone pardigm": no more "one person - one email address". The recipients addess would carry the authentication data. And only those authorised would get through.<br /><br />There are many ways to do this, and the SMTP protocol doesn't need to be changed. There are ways to do it without cooperation with the sender or with the whole world. "Disposable addresses" services such as spamgourmet.com or sneakemail.com are two (quite different) approaches for using recipient's address for controlling email. VarA (<a class="jive-link-external" href="http://wiki.outboundindex.net/VarA" target="_newWindow">http://wiki.outboundindex.net/VarA</a>) is another idea in this direction. Using one's own domain with multiple addresses and some filtering tools that already exist is enough to get rid of almost all spam!

[Michael Grogan]

What if..

My thoughts on this subject always return to 'what if nobody ever followed a link in a spam message?' and 'why can't we catch malware installers by going after the companies promoted by their spam; since the companies are the ones paying the spammers to be spammers?'

[wbenton]

Dealing with Spam properly

To deal with spam... you must deal with it at it's source.<br /><br />The source is an end user and their ISP is the one whom should be held responsible for dealing with the spammer.<br /><br />Except you have oodles of ISP's around the world each with varying different levels of security and checks.<br /><br />Thus the only way to get around this is to divide the ISP's into responsible and irresponsible parties. That has to be done in a multi-step process.<br /><br />1. Have ISP's validate each other to confirm that the mail did in fact come from them and not some spoofed site claiming to be them. Those not validated/validatable won't be able to send their E-mail because nobody else (except for other irresponsible ISP's) will accept E-mail from them.<br /><br />2. 1) above will take a while to trickle throughout the world, so until that time, send warning shots over the irresponsible ISP's bows that their E-mail will be blocked in the near future if they don't take the proper steps to rectify the situation.<br /><br />3. Physically start blocking certain ISP's sites. If they're users get pissed... it's because of the irresponsible ISP. That will force those who require E-mail to go to a responsible ISP and if the spammers attempt to send spam through those responsible ISP's, because they're responsible and don't want to face the same fate as the irresponsible ISP's, they'll ensure that those who do spam get punished.<br /><br />It will take a while (8 months minimum... maybe even up to 2-3 years for some foreign country ISP's with limited budget), but if they get blocked... they'll go out of business thus forcing them to become responsible or fall out of the market.<br /><br />And it's all done between ISP's. That way if a bot somehow jumps in the middle, the ISP who received that botted spam will be held responsible.<br /><br />At present, ISP's aren't responsible and most don't hold their users responsible either until somebody complains and even then, there's no assurance that they'll actively monitor for spammers.<br /><br />But hold ISP's responsible for their own lively hood and you'll see a quick dampening of spam world-wide. Irresponsble ISP's get one warning and then are out of the game until they can prove otherwise to the other ISP's that they're responsible.<br /><br />A world wide ISP consortium would be required to ensure that valid responsible parties are not blacklisted and/or define who is responsible and who is not and why not.<br /><br />If it's handled solely by ISP's, the backend ISP's would be responsible for accepting E-mails from other backend ISP's and the frontend ISP's would only be responsible for what's sent out from them, but not so much about what is received because that would be done by the backend ISP's.<br /><br />It would take a bit of overhead but when you subtract the amount of unnecessary overhead (CPU and bandwidth wise) to pass all the trillions of junk spam today, it's only a small drop in the overall barrel.<br /><br />FWIW

[John Kuzak]

multi-step process

<a class="jive-link-external" href="http://www.analogstereo.com/pontiac_grand_prix_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/pontiac_grand_prix_owners_manual.htm</a>

and the start of email as we don't know it, lol

Authentication would be a trivial notion to implement if it weren't for the fact that the worse abusers of email are the Fortune 500 companies, and worse, politicians and action groups of all stripes.<br /><br />Anyhow as for email as we don't know it; this guy is blowing smoke up our *****. Changing internet protocols is next to impossible due to the fact that managing change throughout the internet lacks a coordinating change agent. No one, not Verisign, not Microsoft, not the U.S. government is bigger than email.<br /><br />Making arbitrary changes to email would be the equivalent of chopping off your nose to spite your face.<br /><br />Talk to me again in 2007.

[swwg69]

And this stops zombies how?

Most of the spam you are getting now comes from<br />OWN3D personal computers, not from ISP farms.<br />Fencing off ISPs wont work because that is not<br />where they are coming from.<br />When you get the mail, you would get that person's personal signature/IP address.<br />You could let them know that they are a zombie.<br />But there are MILLIONS of them.<br />The solution was tried, but the spammers fought back. The solution, FOLLOW THE MONEY!<br />Set up a screen saver that pings the site that<br />ordered (not sent) the spam. Ping V1Ogra.biz a million times a day, get a million others to do it and the site closes or redirects to the source of the software. How about putting the source onto BitTorrent? P2P lists of spammers.<br />Hollywood can't close them, spammers would be in <br />a real fight!

[fmcgowan]

The spam goes through an ISP to get to

the net trunk lines. Yes, there *are* millions of bots on the net. If you have tens of thousands of ISPs - each dealing with cleaning up its own customer base out of its own self interest - the task becomes manageable.<br /><br />And we can get them to see it as their own self interest if we have the mail software automatically reject *all* packets (not just email) from offending ISPs. That would effectively separate the irresponsible from the rest of us and the irresponsible would eventually go out of business.<br /><br />As I've said before, we *must* find a way to punish bad behavior if we want the behavior to diminish and cease.

[alawana]

I like spam!!!

Well, being into information assurance I find spam to be a very educational exemplary of how to discern what is for real and what is not for real. It teaches you how to be prudent and to cogitate about what you are doing while you are going through your e-mail. And sometimes it can give you an impetus to new ideas if you look deeper into what the spam consists of if you have a laboratory computer with excellent detection of malicious scripts and malicious malware. <br /><br />So it really isn't all bad and it does give you at times an opportunity to learn what the most popular things going on at the time. Plus last but not least , it equates itself to junk snail mail which always had the right to reach your mailbox by your trusty US Government.

[Andrew J Glina]

Fair points

... and if I recieved 5, 10 or even 100 a day then I would agree with you. But I recieve more and I have not found a spam filter that does the job without throwing away wanted EMails.

spam vs junk mail

"... it equates itself to junk snail mail which always had the right to reach your mailbox...."<br /><br />But to send you junk paper mail, somebody must PAY POSTAGE. This tends to (1) limit the volume and (2) focus the addressing. Spammers don't have these restraints.

[John Kuzak]

junk snail mail

<a class="jive-link-external" href="http://www.analogstereo.com/pontiac_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/pontiac_owners_manual.htm</a>