Authenticate Us From Evil

Autumn brings new e-mail security push

This fall will be a trial for e-mail authentication, which many consider the next logical technical step in the war on spam and phishing schemes. While Yahoo pushes Domain Keys, Microsoft hypes the SenderID Framework, a system that combines Microsoft's Caller-ID for e-mail, Meng Wong's Sender Policy Framework (SPF), and a third specification called the Submitter Optimization.

SPF/Sender-ID requires some very slight tweaking to the structure of DNS and the way MTAs operate in order to work: new domain records have been created which identify the machines authorized to send mail for a specific domain, while the MTAs integrate functionality to confirm e-mail hasn't been forged. Many MTAs have already done this (as has SpamAssassin, which many use in concert), and Microsoft has said it will start using the standard October first.

Yahoo's competing Domain Keys system, which should emerge in September, offers a slightly different approach by digitally signing all outbound e-mail. DomainKeys uses PKI (Public Key Infrastructure) technology to uniquely sign each outbound e-mail. Recipients then retrieve the public key published in the DNS record of the sending domain to verify the signature and confirm the e-mail's source.

The industry as a whole has quickly moved toward authentication, with ISPs, registrars, and MTAs declaring their allegiance to their scheme of choice. GoDaddy today announced it would incorporate SenderID into its e-mail services by the end of the year, while Sendmail this week published a plugin for testing Sender ID in its mail transfer agent (MTA) software. According to a press release from e-mail security company CipherTrust (pushing SenderID), Fortune 1000 companies have increased their Sender Policy Framework deployments by nearly two hundred percent since May.

The group also noted, however, that this won't be enough; spammers are quickly adapting to the tactic and actively registering their SPF records.

In a recent CircleID interview, SPF creator Meng Wong outlines how SenderID evolved from SPF and expresses some surprisingly low expectations for the future of e-mail authentication. Wong notes that while the ability to limit domain spoofing will be a great plus for internet security, people shouldn't expect a dramatic reduction in the amount of spam hitting their inboxes.

"I know that spam is like a drug, in that people will go to almost any lengths, no matter how absurd, to send more of it," notes Wong. "No 'designated sender scheme' will ever be able to cut down the amount of spam that's sent, or received. All it can do is help domain holders avoid the brand dilution of having their domain name forged by spammers."
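
The check a receiving MTA performs against those domain records, as an added example that is not part of the original article: a simplified SPF evaluation (only the ip4, ip6 and all mechanisms) over constructed records. The domain names, addresses and the accept() whitelist helper are assumptions made for illustration; the point is that a spammer who publishes a record for his own domain passes, so a pass only proves the domain was not forged.

```python
import ipaddress

# Constructed TXT records using documentation address ranges.
# A real MTA would fetch these from DNS instead of a dict.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "spammer.example": "v=spf1 ip4:203.0.113.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF policy for the connecting IP address."""
    record = records.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # the default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all, normally the last term
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, redirect etc. are out of scope for this sketch
    return "neutral"  # nothing matched and the record has no "all" term


def accept(domain, client_ip, trusted_domains):
    """Hypothetical whitelist rule: a trusted domain AND an SPF pass."""
    return domain in trusted_domains and check_spf(domain, client_ip) == "pass"
```
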

Would

Easier to deal with the spam, than to deal with 50+++ Customers trying to upgrade their server software to comply with new standards. And Spam not really affecting me, only 1-2 spams/day ^_^
-- Chris Allessi Global Datacenter

Tzale (Proud Libertarian Conservative) Premium, join:2004-01-06, NYC Metro
Re: Would

said by Anonuser: Easier to deal with the spam, than to deal with 50+++ Customers trying to upgrade their server software to comply with new standards. And Spam not really affecting me, only 1-2 spams/day ^_^

Maybe not for you, but for some companies it costs them millions or even billions of dollars per year in wasted bandwidth, resources and productivity (employees looking through mail). I'm like you, I don't care about it.
-Tzale

SenderID

Unfortunately, Free Software projects won't be able to use SenderID, at least legally, because the license for it doesn't allow you to use it in software that is open source.
SPF is easy to use, just set up TXT records in your domain, and you can use free software on email servers.

sporkme (drop the crantini and move it, sister) Premium, MVM, join:2000-07-01, Morristown, NJ
Re: SenderID

said by kyhwana9: SPF is easy to use, just setup TXT records in your domain, and you can use free software on email servers.

said by 'wong':
"There's been some controversy over the format in which the Sender ID records should be published in the DNS. The merged specification calls for an XML format -- a format many critics say is unnecessarily complicated and difficult to deal with. However, the Sender ID authors have made the specification backwards compatible with the simpler SPF text format. More than 20,000 domains have already published records in that format, according to Wong."
www.clickz.com/news/article.php/3373601

Hopefully that means Sender-ID will remain backwards compatible with SPF.
-- Thanks for the memories Don't forget to vote! Bush/Cheney '04

JPCass, join:2001-01-23, Denver, CO
When will we see some results?

This reminds me of various incidents in the bad old days - including one that resulted in Microsoft vanquishing the old UNIX vendors - with everyone trying to push their own proprietary "standard". While the various standard-bearers are battling for position, little or nothing gets done.
I can't imagine that anything other than a non-proprietary standard like SPF will ever be widely adopted. Whatever else comes along seems likely to only see limited use by corporations and institutions, but that's a profitable market.
What does occur to me as the one hope of some of the tighter proprietary standards, is that a few big ISPs like AOL might implement them and succeed in choking off most of the spam sent to their users. I would guess that a small number of such major IPs harbor most of the users of the sort who would respond to the garbage advertised by spam, and if the spammers are cut off from a large part of their best responding populations, that might really put a crimp in spam.
It also seems to me that even if a simple solution like SPF prevents spoofing, then it makes it possible to implement an effective "whitelist". It doesn't matter if spammers can legitimately create records in SPF or some similar scheme, they still can't send mail to sites implementing some type of whitelisting, and then will have to deal with a much larger volume of return mail and complaints that actually come back to them - which eats up their bandwidth if nothing else.

Tzale (Proud Libertarian Conservative) Premium, join:2004-01-06, NYC Metro
Change Sucks

I like the current system, there is no reason to change. I rather deal with spam, than to have 10,000 different forms of authentication. Spammers aren't dumb, they'll work around this system too.
-Tzale

efk, Premium, join:2002-04-01, Westlake, OH
Microsoft?!?!!?!?

Microsoft, the same corporation that brings us Windows and all of its security flaws. Now they're going to add a level of security to email?

Re: Microsoft?!?!!?!?

said by efk: Microsoft, the same corporation that brings us Windows and all of its security flaws. Now they're going to add a level of security to email?

Microsoft did not develop SPF ;)
-- Because Goldengamegod won't fit :p

dvd536 (as Mr. Pink as they come) Premium, join:2001-04-27, Phoenix, AZ, kudos:4

it's EASY! just delete it. I do!

JPCass, join:2001-01-23, Denver, CO
Re: Microsoft?!?!!?!?

said by dvd536: its EASY! just delete it. I do!

That may work for some users who have been lucky enough not to get their names on too many spam lists. For those of us with names that get "vertically" spammed by bots trying likely names at domains (i.e., jim@myisp.com, admin@theplaceyouwork.com, etc.), those of us whose hobbies or business requires us to post our e-mail addresses publicly, and those of us who own or manage domains - the flood of spam we get in our account/s is a huge burden on us. Not to mention which, we are all paying our ISPs extra money that could be saved with price cuts or put into benefits like more bandwidth, to cover their costs of dealing with all the spam that they have to try to keep away from our mailboxes to begin with.