Most users were researchers, and they had a vested interest in making the network work well. For the most part, they knew each other; in fact, there was a directory of every network user, including their names, physical and e-mail addresses, and phone numbers--printed on paper and weighing less than 2 pounds.
Security consisted of little more than simple passwords, and encryption was rare. In fact, the Arpanet, the predecessor to the Internet, first started operating in 1969, but the RSA algorithm, one of the first great advancements in Internet security, wasn't invented until 1977. Heavy e-mail users sent and received perhaps 10 messages per day.
How things have changed. There are times of day when I receive 10 messages a minute--and most of those are spam or phishes. In fact, I receive more than 1,000 unwanted messages every day. Spam is nasty, but phishing is worse, resulting in the theft of money and identity that equates to significant losses for both individuals and businesses. Global research firm Gartner estimates that 3.5 million Americans divulged personal information to phishers in 2006, nearly twice the number of 2005. The average loss per incident was around $1,244, more than double the amount in 2005, and barely half of those consumers will get their money back.
In all, financial losses attributed to phishing in 2006 amounted to around $2.8 billion. Because of this, most individuals and companies have little trust in their e-mail systems, and the challenge facing e-mail administrators has evolved from filtering out the bad messages to filtering in the good.
Today it is easy to send an e-mail and pretend to be anyone--even someone who doesn't even exist. This results from the idyllic early days of the Internet, when authentication was neither technologically feasible nor particularly important. Just as people from small towns often don't lock their doors when they first move to the city, e-mail has maintained a small-town mentality, oblivious to the skyscrapers rising around it. Criminals are all too willing to take advantage of these unlocked doors. To restore trust in e-mail systems again, it is time for all of us to start installing locks. E-mail authentication is one of those locks.
Work has been progressing for several years on an e-mail authentication technology known as DKIM (DomainKeys Identified Mail), developed collaboratively by several companies, including Cisco Systems, Yahoo, Sendmail and PGP.
Cooperation needed on DKIM
DKIM uses digital signatures to authenticate messages. These signatures allow you, or your e-mail service provider, to verify that a message claiming to be from your bank is really from your bank. Without authentication, if I receive an e-mail saying that my account has been compromised and requesting me to verify my personal details, it's a pretty good bet that I should ignore the message. But if I receive the same message and I can prove to my own satisfaction that it came from my bank, then I should probably pay serious attention.
DKIM can offer this proof, and it has just been published by the Internet Engineering Task Force--the group responsible for technical standards on the Internet--as an official Internet standard.
But just as no one wants to buy a radio if no signal is being transmitted, and no one wants to transmit until someone can hear it, DKIM needs cooperation from both senders and receivers. Senders will drive adoption of DKIM because they have money and their brand reputation at risk.
One way phishers profit is by tricking victims into divulging personal bank account details by impersonating the bank behind that account. This is of huge concern to financial institutions, many of which have already started deploying DKIM. And because DKIM runs on the e-mail servers provided by the enterprise or service provider rather than on the desktops of individual users, it doesn't require upgrading every machine on the network.
Still, a digital signature by itself isn't enough to prove that a message is valid. Phishers will undoubtedly sign mail using domains that they own. Sometimes these domains will be chosen to resemble the names of legitimate institutions.
You can compare authentication to a driver's license, which proves who someone is, but tells you nothing about their safety record; for that you need to know something about their driving history. In the e-mail world, we call this "reputation," which is essential to assessing the value of a message. The next big step to restoring trust in e-mail will be the creation of reputation servers so we can see the "driving history" of the multitude of lesser-known sites.
While DKIM by itself is a valuable technology, to really shine it will need to be used in concert with other technologies, some still in development. But we must start with DKIM.
E-mail senders should start using DKIM as soon as feasible so that they and their customers can reap the benefits. E-mail receivers should start verifying DKIM signatures so next-generation antispam and antiphishing tools can leverage that information to deliver better results. And end users should ask their e-mail providers what they are doing to deploy e-mail authentication and restore trust in Internet e-mail.
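The article explains DKIM only as "digital signatures on messages"; the part of the standard that decides whether a relayed message still verifies is canonicalization. The block below is an added example, not the article's or Sendmail's code: a standard-library Python implementation of the RFC 6376 "simple" and "relaxed" body canonicalizations and the bh= body hash a verifier recomputes before checking the RSA signature over the headers (that RSA step is omitted here). The message bodies and the gateway name are constructed; they show why a relay that only touches whitespace leaves a relaxed-canonicalized signature intact, while an appended footer invalidates it under either mode.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample body as the signer sent it (CRLF line endings, as on the wire).
ORIGINAL_BODY = b"Dear customer,\r\n\r\nYour statement is   ready.\r\nRegards  \r\n\r\n\r\n"
# Constructed variant: a relay turned a run of spaces into a tab and dropped a blank line.
RELAYED_WHITESPACE = b"Dear customer,\r\n\r\nYour statement is\tready.\r\nRegards\r\n\r\n"
# Constructed variant: a gateway appended a footer (name is made up).
RELAYED_FOOTER = ORIGINAL_BODY + b"-- \r\nScanned by example-gateway\r\n"


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple': drop empty lines at the end of the body, ensure a final CRLF."""
    body = re.sub(rb"(\r\n)+\Z", b"\r\n", body)
    if not body.endswith(b"\r\n"):
        body += b"\r\n"  # an empty body canonicalizes to a single CRLF
    return body


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed': collapse runs of WSP to one SP, strip trailing WSP,
    drop trailing empty lines; an empty body canonicalizes to the empty string."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Value the signer places in the bh= tag: base64(SHA-256(canonicalized body))."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(canon_fn(body)).digest()).decode()


def body_hash_matches(body: bytes, expected_bh: str, canon: str = "relaxed") -> bool:
    """Verifier-side check of bh= against the body actually received."""
    return hmac.compare_digest(body_hash(body, canon), expected_bh)


if __name__ == "__main__":
    bh_relaxed = body_hash(ORIGINAL_BODY, "relaxed")
    bh_simple = body_hash(ORIGINAL_BODY, "simple")
    print("bh= (relaxed):", bh_relaxed)
    print("whitespace-only relay change, relaxed:", body_hash_matches(RELAYED_WHITESPACE, bh_relaxed))
    print("whitespace-only relay change, simple :", body_hash_matches(RELAYED_WHITESPACE, bh_simple, "simple"))
    print("footer appended by gateway, relaxed  :", body_hash_matches(RELAYED_FOOTER, bh_relaxed))
```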
Biography
Eric Allman is the author of Sendmail, the world's first Internet e-mail program, and founder and chief science officer of Sendmail Inc.
I use sneakemail.com to be able to give different email addresses to various 3rd parties. If my bank sends me email it is received by Sneakemail which marks it with the label I associated with it (that says it's my bank) and then Sneakemail sends it to the email account where I read my mail. Email from my bank is email that claims to be from my bank and marked as such. Email that claims to be from my bank and that is not marked by Sneakemail as such is not from my bank.
In addition I use spamgourmet.com to be able to freely post email addresses that people can use to contact me without risking a lifetime stream of spam to a precious single email address that I cannot replace because too many people have it and I cannot inform them all (such as the address that I have that was published in paper publications in the good old times when everyone on the net could be trusted, or so we thought).
My email provider (fastmail.fm) used to check DKIM for incoming email, but they stopped doing it because they said it was too unreliable (I think because email relaying often changes parts of the headers/body in ways incompatible with DKIM).
It's a pity that we cannot leave our (electronic) front door open, but then, even if our front door is unlocked it doesn't mean anyone can come in and post their magnets on our refrigerator. If someone does it and gets caught it is the custom to lock them up somewhere. There's not enough of this locking up happening.
I've mostly switched to using unique and disposable addresses within my own registered domains instead of relying on a third-party service. Monitoring those addresses can be revealing and sometimes puzzling. I'm convinced addresses are vulnerable to different methods of nefarious discovery if they're unencrypted at all during their existence/usage, which is difficult to avoid. I have plenty of examples of "obfuscated" addresses (i.e. harder to randomly guess/attack) only used for trusted and supposedly private correspondence (or even never used at all) show up in spam logs. How such addresses were actually "leaked" has remained an unsolvable mystery and usually the only ways that seem possible are rather disturbing.
Let's say you create a new comcast or verizon or hotmail or aol email account or some new email address from your company.
Spammers will always find a way. betsysmith@aol or bs1@aol.com or bs2@aol.com: they use acronyms and other various methods to bypass sneak mail. It's the same with websites. You can't keep a webserver secret; the moment I created a new webserver that wasn't 2 minutes old, GOOGLE spidered it without me asking it to. Using a proxy will never work and is not fully secure.
Like the author I'm snowed under by trash mail, but only a small portion of my legit mail is likely to qualify for the scheme he describes. It probably won't do much to prevent my having to scan through the junk mail folder to find the improperly filtered messages I want to read. For goodness sakes, even messages I send to myself are filtered out as junk!
The answer, I think, is email clearing houses that charge a nominal sum to senders. By nominal I mean a penny or two per message. This is a trivial charge to users who are not sending bulk emails, but it would constitute a major, perhaps insurmountable barrier, to junk mailers. The small charge to non-commercial mailers -- people like me -- is easily offset by the saving of time wasted tracking down valid messages, and money spent on software schemes to defeat spammers. Not to mention the cost of corrupted and disrupted computers and criminal scams.
The security approach and the pay-for-mailing approach are complementary. Perhaps, for instance, bulk mailers (like banks) that have been vetted could receive a substantial discount for bulk mailings.
The only way to beat the spammers is to make it too costly for them to send their garbage. Their current costs approach zero. It is very likely that the typical individual user sends fewer than 1000 emails a year, so his annual cost would be, at most, $10. Is that not a small price to pay to drastically reduce the annoyance of spam? As I said, it also would reduce the substantial ancillary costs of vandalism and other criminality associated with spam. Make it too expensive for spammers to distribute their garbage.
cracked it. Then they will be able to send Spam with authenticators that make it seem legitimate. Nothing like this ever works. As long as there is money to be made in defeating or circumventing security, it will be done. Given the time and computing power spammers have at their disposal, literally, nothing is safe.
The best example of this is DKIM, itself. All other security systems that passively work to prevent spam, have failed, so we had to come up with DKIM. DKIM will fail, sooner rather than later.
Running all email through one server would be suicide. If there is one bottleneck through which all email must pass, the controller of that one bottleneck is being given carte blanche to censor whatever they want to censor. The government can say we don't want any emails that make fun of Cheney's declaration that he's not part of the executive branch of the government to go through. They threaten the owners of the bottleneck, sue them or whatever and no more discussions of Cheney's delusions.
This would be much worse if the government controlled the bottleneck. When someone shows up from the government and says, "I'm here to help," THEY'RE LYING.
Taxes are similarly a bad idea. Who ever heard of a tax going down or going away? Today USPS costs 41 cents for a 1st class letter, it used to cost 5 cents. Anyone think it would be different for the email taxes?
Who holds these bozos who control the bottleneck accountable? Is it a publicly held corporation - it's only accountable to its stockholders. Is it a private company/corporation? It's only accountable to its owners. Is it the government? These days they seem to be accountable to no one but their own delusional selves...
Leave the system alone. Anyone who hasn't heard that any email that asks for personal information is bogus and should be ignored is either living in a cave or not paying very much attention. Even Mozilla's Thunderbird email client can tell you if you are being sent to a web address other than the one listed in the email. Pay attention! Protect yourself, don't rely on someone else to do it.
Without a mandate like the Analog TV to Digital TV mandate by some government authority it won't ever happen.
I think third party ssl certs could be more useful than self signing since there is a cost involved. Requiring something like an mxsend dns entry might be beneficial also, since there isn't currently any way to know what server will be sending email for the xyz.com domain. When the people you work for say a customer of mine is getting blocked, admins end up having to whitelist people who haven't set up their stuff correctly or companies that may be spamming away all day long.
I'll keep my fingers crossed but won't hold my breath. Now how about blocking all the circulars sent to my real mailbox? USPS has no vested interest in offering that service.