Feeds

Email authentication gaining steam

Sender ID and DomainKeys pushed at anti-spam summit

The Essential Guide to IT Transformation

The two major proposals solve the problem in different ways. Sender ID, based on Microsoft's Caller ID proposal and the Sender Policy Framework (SPF) created by Meng Wong, the founder of email service firm Pobox.com, authenticates email by checking the address of the sending server against a record added to domain name servers. DomainKeys use public-private key pairs to authenticate the message. Like Sender ID, the identifying information - in this case, the public key - is published in a special record stored on domain name servers.

"Authentication is authentication and nothing more," Sendmail spokesperson Allman said, who is also the lead editor of the DomainKeys Identified Mail (DKIM) proposal to the IETF. "It is like a driver's license or a passport. It tells you nothing about my driving record. Spammers can authenticate just like anyone else."

In fact, early studies of junk mail in 2004 found that nearly a sixth used the Sender Policy Framework, the predecessor to Sender ID, to appear legitimate.

However, as more legitimate domains are adopting the technologies, companies are developing reputation systems to evaluate which domains are considered "spammy" and which deliver content that people want in their inboxes. Spammers will not be able to spoof legitimate domains and still authenticate. And, email software can create a list of unwanted mail from a typo domains, such as micros0ft.com, that might otherwise fool the user.

"Authentication is a really big building block in terms of making a more intelligent determination of what is spam and what is not," said Ken Schneider, chief architect for Symantec and former chief technology officer at email security provider Brightmail (Symantec owns SecurityFocus). "If you are tracking reputation on top of this stuff, then it gives you the tools to detect attacks."

The technologies also help defeat phishing attacks, which have grown as an internet problem, Schneider said. In the second half of 2005, one in every 119 emails was identified by Symantec as a phishing attempt.

In a report published on Wednesday, the Email Sender and Provider Coalition found that the major ISPs representing the recipients of more than half the internet's email were using the email authentication technologies in some way.

But this is not a time to ease up on the pressure to adopt the technology, said Microsoft's Spiezle. More education and development is necessary, he said.

"There is no perfect solution right now," Spiezle said. "With any of these approaches, we need to be looking ahead and not at our shadow, because the deceptive forces out there will be looking for new ways to attack."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.