Feeds

Email authentication gaining steam

Sender ID and DomainKeys pushed at anti-spam summit

High performance access to file storage

The two major proposals solve the problem in different ways. Sender ID, based on Microsoft's Caller ID proposal and the Sender Policy Framework (SPF) created by Meng Wong, the founder of email service firm Pobox.com, authenticates email by checking the address of the sending server against a record added to domain name servers. DomainKeys use public-private key pairs to authenticate the message. Like Sender ID, the identifying information - in this case, the public key - is published in a special record stored on domain name servers.

"Authentication is authentication and nothing more," Sendmail spokesperson Allman said, who is also the lead editor of the DomainKeys Identified Mail (DKIM) proposal to the IETF. "It is like a driver's license or a passport. It tells you nothing about my driving record. Spammers can authenticate just like anyone else."

In fact, early studies of junk mail in 2004 found that nearly a sixth used the Sender Policy Framework, the predecessor to Sender ID, to appear legitimate.

However, as more legitimate domains are adopting the technologies, companies are developing reputation systems to evaluate which domains are considered "spammy" and which deliver content that people want in their inboxes. Spammers will not be able to spoof legitimate domains and still authenticate. And, email software can create a list of unwanted mail from a typo domains, such as micros0ft.com, that might otherwise fool the user.

"Authentication is a really big building block in terms of making a more intelligent determination of what is spam and what is not," said Ken Schneider, chief architect for Symantec and former chief technology officer at email security provider Brightmail (Symantec owns SecurityFocus). "If you are tracking reputation on top of this stuff, then it gives you the tools to detect attacks."

The technologies also help defeat phishing attacks, which have grown as an internet problem, Schneider said. In the second half of 2005, one in every 119 emails was identified by Symantec as a phishing attempt.

In a report published on Wednesday, the Email Sender and Provider Coalition found that the major ISPs representing the recipients of more than half the internet's email were using the email authentication technologies in some way.

But this is not a time to ease up on the pressure to adopt the technology, said Microsoft's Spiezle. More education and development is necessary, he said.

"There is no perfect solution right now," Spiezle said. "With any of these approaches, we need to be looking ahead and not at our shadow, because the deceptive forces out there will be looking for new ways to attack."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.