Feeds

Email authentication gaining steam

Sender ID and DomainKeys pushed at anti-spam summit

Top 5 reasons to deploy VMware with Tegile

The two major proposals solve the problem in different ways. Sender ID, based on Microsoft's Caller ID proposal and the Sender Policy Framework (SPF) created by Meng Wong, the founder of email service firm Pobox.com, authenticates email by checking the address of the sending server against a record added to domain name servers. DomainKeys use public-private key pairs to authenticate the message. Like Sender ID, the identifying information - in this case, the public key - is published in a special record stored on domain name servers.

"Authentication is authentication and nothing more," Sendmail spokesperson Allman said, who is also the lead editor of the DomainKeys Identified Mail (DKIM) proposal to the IETF. "It is like a driver's license or a passport. It tells you nothing about my driving record. Spammers can authenticate just like anyone else."

In fact, early studies of junk mail in 2004 found that nearly a sixth used the Sender Policy Framework, the predecessor to Sender ID, to appear legitimate.

However, as more legitimate domains are adopting the technologies, companies are developing reputation systems to evaluate which domains are considered "spammy" and which deliver content that people want in their inboxes. Spammers will not be able to spoof legitimate domains and still authenticate. And, email software can create a list of unwanted mail from a typo domains, such as micros0ft.com, that might otherwise fool the user.

"Authentication is a really big building block in terms of making a more intelligent determination of what is spam and what is not," said Ken Schneider, chief architect for Symantec and former chief technology officer at email security provider Brightmail (Symantec owns SecurityFocus). "If you are tracking reputation on top of this stuff, then it gives you the tools to detect attacks."

The technologies also help defeat phishing attacks, which have grown as an internet problem, Schneider said. In the second half of 2005, one in every 119 emails was identified by Symantec as a phishing attempt.

In a report published on Wednesday, the Email Sender and Provider Coalition found that the major ISPs representing the recipients of more than half the internet's email were using the email authentication technologies in some way.

But this is not a time to ease up on the pressure to adopt the technology, said Microsoft's Spiezle. More education and development is necessary, he said.

"There is no perfect solution right now," Spiezle said. "With any of these approaches, we need to be looking ahead and not at our shadow, because the deceptive forces out there will be looking for new ways to attack."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Beginner's guide to SSL certificates

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.