The booming trade in spam and the looming threat of e-mail fraud, in the form of spoofing and phishing, have seriously dented our confidence in e-mail. Despite a multimillion-dollar industry surrounding antispam software, and several attempts to banish the problem with regulation, spammers and fraudsters continue to stay one step ahead.
The problem is that SMTP, or Simple Mail Transfer Protocol, the protocol designed to move e-mails from server to server, is still a system based on trust. Anyone submitting a message can claim to be anyone else, with little or no accountability.
The industry has willingly thrown its weight behind the concept--companies that would normally consider themselves competitors have united behind specific standards and technologies. The Internet Engineering Task Force worked diligently, collaborating with companies on authentication technologies, and its efforts were critical to the evolution of e-mail authentication, even though it was unable to develop a single standard.
The government has also recognized the importance. The Federal Trade Commission and the National Institute of Standards and Technology recently hosted the Email Authentication Summit, at which industry leaders met to discuss what progress had been made to date, as well as the future of authentication.
Despite this support, the question remains: How do we take the theory of e-mail authentication and put it into practice? What do the actual legitimate senders and receivers of e-mail need to do to ensure they're prepared and protected? It's now up to individual businesses to do their part, but what do they need to do?
Today there are two widely known technologies that have serious supporters. Sender ID Framework, or SIDF, is an IP-based solution that combines Microsoft's Caller ID for e-mail proposal and Meng Wong's Sender Policy Framework, or SPF. DomainKeys, a signature-based approach supported by Yahoo, and Identified Internet Mail, another signature approach by Cisco Systems, both require software to be implemented by the sender and receiver to verify the integrity of the message.
Signature approaches are considered to be longer-term solutions for robust e-mail systems, while SIDF is easier to deploy for simple implementations. A team of top e-mail industry players is working with both Cisco and Yahoo to develop a single signature specification. That implementation should be available to the IETF for standardization by the second half of 2005.
As recommended by 34 industry leaders in a recent letter to the FTC, e-mail authentication initiatives should be rolled out in two phases. This two-step strategy incorporates, first, IP-based approaches and then signature-based approaches. Organizations should adopt SIDF today and then, as signature-based solutions mature, deploy them as well. The two schemes complement each other in the long term, resulting in a robust solution to address the range of platforms, user environments and deployment requirements worldwide.
These results alone should be enough to convince us that we're approaching the end of e-mail as we know it. The schemes are critical pieces of the technology that should be adopted by any site or company that depends on the reliable delivery of their outbound e-mail or the protection of their brand and domain name. They should also be used by other receivers that wish to be able to prove the identity of mail senders, as well as provide a safer and more reliable way to accept inbound messages beyond traditional mail content filtering.
Every receiving site will have to decide for itself which sender authentication approaches to take and what requirements to place on incoming mail in order to best suit its needs. But companies should also expect their customers, partners and suppliers to use a variety of schemes, or risk being unable to exchange messages with whole segments of their supply chain. The "industry" can only support e-mail authentication--it's now up to individual businesses to make it happen.
Biography
Dave Anderson is CEO of Sendmail.


The obvious motive for these authentication hacks is to decrease spamming. But it's like putting a blast door on a grass shack. Spammers are already big users of SPF. These schemes will not stop spam; they'll only cause them to modify their tactics. Since spammers mostly use botnets anyway, they'll find ways to use their hijacked host-machines' accounts to get through.
Email is different. Email is one-way. Email is asymmetric. An SMTP client sends to an SMTP server. An SMTP server cannot send to an SMTP client (even if a software suite called a "mail server" has an SMTP client component, as they all have, it is not the SMTP server component that sends email. It only receives). Now, the ONLY USE of an email address is to direct a message to its recipient. There is no real meaning to the "sender's address" in the SMTP protocol (the standards require a return address, but this is not for the protocol to work, but just to be able to contact someone in case of error). The sending client has an IP address that identifies it, and is practically impossible to forge, as the sender needs to use a real IP address to be able to communicate with the receiver.
In email, A sends to B. B cannot send to A using the same channel. Yet all these authentication methods work hard trying to reverse the irreversible communication channel, and to "authenticate" the sender's email address - the one that actually has nothing to do with the email transaction. They are trying to force a symmetric paradigm on an inherently asymmetric process. They are trying to force email to work like telephone instead of taking advantage of the asymmetric nature of email!
A lot of work is going into trying to authenticate the quite meaningless "sender's email address", while the real address that's important for the completion of an email transaction is the recipient's address. Without it email cannot be sent, and this is the one that should be used for authentication. This is the one address that cannot be forged if the message is to be received by the recipient.
The trick is to abandon the "telephone paradigm": no more "one person - one email address". The recipient's address would carry the authentication data. And only those authorised would get through.
There are many ways to do this, and the SMTP protocol doesn't need to be changed. There are ways to do it without cooperation with the sender or with the whole world. "Disposable addresses" services such as spamgourmet.com or sneakemail.com are two (quite different) approaches for using recipient's address for controlling email. VarA (http://wiki.outboundindex.net/VarA) is another idea in this direction. Using one's own domain with multiple addresses and some filtering tools that already exist is enough to get rid of almost all spam!
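The recipient-address idea in the comment above, sketched as an added example (not code from the commenter or from any of the services named). It assumes plus-style sub-addressing and an HMAC tag; `SECRET`, `DOMAIN`, the address layout, the revocation set and the function names are all hypothetical choices made for this illustration.

```python
import hashlib
import hmac

# Constructed values for the demonstration (assumptions, not from the page).
SECRET = b"constructed-demo-key"   # secret known only to the receiving server
DOMAIN = "example.org"
TAG_LEN = 10                       # hex characters of the HMAC kept in the address


def _tag(user: str, label: str) -> str:
    """Keyed tag binding a mailbox to the label of one correspondent."""
    msg = f"{user}\x00{label}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_address(user: str, label: str) -> str:
    """Address the user hands to one correspondent, e.g. a shop or a mailing list."""
    user, label = user.lower(), label.lower()
    return f"{user}+{label}.{_tag(user, label)}@{DOMAIN}"


def check_rcpt(rcpt: str, revoked=frozenset()):
    """Decision a receiving server could take at RCPT TO; returns (accept, reason)."""
    local, _, domain = rcpt.lower().rpartition("@")
    if domain != DOMAIN:
        return False, "not our domain"
    user, plus, rest = local.partition("+")
    if not plus:
        return False, "untagged address"
    label, dot, tag = rest.rpartition(".")
    if not dot or not label:
        return False, "malformed tag"
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(tag.encode(), _tag(user, label).encode()):
        return False, "bad tag"
    if (user, label) in revoked:
        return False, f"revoked: {label}"
    return True, f"issued to {label}"


if __name__ == "__main__":
    shop = issue_address("alice", "BookShop")
    print(shop, check_rcpt(shop))
    print(check_rcpt("alice@example.org"))                    # guessed bare address
    print(check_rcpt(shop, revoked={("alice", "bookshop")}))  # address leaked, cut off
```

Because the tag names the correspondent it was issued to, mail arriving on a leaked address shows which party passed it on, and that one address can be revoked without affecting the others.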
The source is an end user and their ISP is the one who should be held responsible for dealing with the spammer.
Except you have oodles of ISP's around the world each with varying different levels of security and checks.
Thus the only way to get around this is to divide the ISP's into responsible and irresponsible parties. That has to be done in a multi-step process.
1. Have ISP's validate each other to confirm that the mail did in fact come from them and not some spoofed site claiming to be them. Those not validated/validatable won't be able to send their E-mail because nobody else (except for other irresponsible ISP's) will accept E-mail from them.
2. 1) above will take a while to trickle throughout the world, so until that time, send warning shots over the irresponsible ISP's bows that their E-mail will be blocked in the near future if they don't take the proper steps to rectify the situation.
3. Physically start blocking certain ISP's sites. If their users get pissed... it's because of the irresponsible ISP. That will force those who require E-mail to go to a responsible ISP and if the spammers attempt to send spam through those responsible ISP's, because they're responsible and don't want to face the same fate as the irresponsible ISP's, they'll ensure that those who do spam get punished.
It will take a while (8 months minimum... maybe even up to 2-3 years for some foreign country ISP's with limited budget), but if they get blocked... they'll go out of business thus forcing them to become responsible or fall out of the market.
And it's all done between ISP's. That way if a bot somehow jumps in the middle, the ISP who received that botted spam will be held responsible.
At present, ISP's aren't responsible and most don't hold their users responsible either until somebody complains and even then, there's no assurance that they'll actively monitor for spammers.
But hold ISP's responsible for their own livelihood and you'll see a quick dampening of spam world-wide. Irresponsible ISP's get one warning and then are out of the game until they can prove otherwise to the other ISP's that they're responsible.
A world wide ISP consortium would be required to ensure that valid responsible parties are not blacklisted and/or define who is responsible and who is not and why not.
If it's handled solely by ISP's, the backend ISP's would be responsible for accepting E-mails from other backend ISP's and the frontend ISP's would only be responsible for what's sent out from them, but not so much about what is received because that would be done by the backend ISP's.
It would take a bit of overhead but when you subtract the amount of unnecessary overhead (CPU and bandwidth wise) to pass all the trillions of junk spam today, it's only a small drop in the overall barrel.
FWIW
Anyhow as for email as we don't know it; this guy is blowing smoke up our *****. Changing internet protocols is next to impossible due to the fact that managing change throughout the internet lacks a coordinating change agent. No one, not Verisign, not Microsoft, not the U.S. government is bigger than email.
Making arbitrary changes to email would be the equivalent of chopping off your nose to spite your face.
Talk to me again in 2007.
OWN3D personal computers, not from ISP farms. Fencing off ISPs won't work because that is not where they are coming from.
When you get the mail, you would get that person's personal signature/IP address.
You could let them know that they are a zombie.
But there are MILLIONS of them.
The solution was tried, but the spammers fought back. The solution, FOLLOW THE MONEY!
Set up a screen saver that pings the site that ordered (not sent) the spam. Ping V1Ogra.biz a million times a day, get a million others to do it and the site closes or redirects to the source of the software. How about putting the source onto BitTorrent? P2P lists of spammers.
Hollywood can't close them, spammers would be in a real fight!
- I like spam!!!
by alawana
March 23, 2005 6:47 PM PST
- Well, being into information assurance I find spam to be a very educational exemplary of how to discern what is for real and what is not for real. It teaches you how to be prudent and to cogitate about what you are doing while you are going through your e-mail. And sometimes it can give you an impetus to new ideas if you look deeper into what the spam consists of if you have a laboratory computer with excellent detection of malicious scripts and malicious malware.
So it really isn't all bad and it does give you at times an opportunity to learn what the most popular things going on at the time. Plus last but not least, it equates itself to junk snail mail which always had the right to reach your mailbox by your trusty US Government.