E-mail authentication slams spam.

Fraudulent e-mail is a growing problem for businesses and individuals. Spam sucks up user and e-mail administrator time and productivity, network bandwidth, legislative attention and law enforcement activities. The United Nations Conference on Trade and Development estimated that in 2003, a cool 50% of all e-mail was spam. The U.S. alone spent more than $20 billion (that's billion) in technical resources to combat spam and its shadowy criminal cousins: phishing and e-mail-borne viruses.

This is where e-mail authentication comes in. E-mail authentication combats e-mail fraud and is an important element in many different aspects of e-mail security, including anti-spam, anti-virus and anti-phishing. Since most e-mail threats rely on sender address spoofing, adopting authentication technologies can go a long way toward keeping fraudulent e-mails from hitting enterprise inboxes.

Authenticating E-mail to Stop Spoofing

The idea behind e-mail authentication is simple: the recipient, whether human or software, knows right away if the message sender is legitimate or faked. This is particularly important with fraudulent e-mails that depend on faked ("spoofed") addresses.

For example, phishing depends on the mass distribution of e-mail with spoofed addresses. This e-mail appears to be from respected businesses that might legitimately have a record of sensitive information like credit card or account numbers. The spoofed e-mail attempts to convince the reader that he should enter sensitive information such as credit card or account numbers, Social Security numbers or PINs. Some of these e-mails are hilarious, with their misspellings and grammatical mistakes, but most phishing expeditions are deadly serious--and they work. Phishing largely depends on forged headers; an e-mail that purports to come from a major U.S. Bank isn't very effective when the sender is Joe's Spam Shop. E-mail authentication will reject the forged message out of hand.

E-mail authentication does not replace anti-spam filters, since not all bulk commercial spammers send spoofed e-mail. As a matter of fact, many spammers have published their authentication credentials so that they can get past e-mail authentication checks. This sounds ridiculous, but spammers figure that they'd rather run a distant risk of getting prosecuted than have the majority of their bulk e-mail refused at the gateway level. That said, e-mail authentication would certainly allow recipients to identify and prosecute large-scale authenticated spammers, and to stop spoofed malicious e-mail at the gates.

E-mail authentication protects both end-user recipients and e-mail administrators. End-users can trust that their e-mail is genuine and not a criminal scam, and e-mail administrators can use authenticated identities to ease the load on their anti-spam filters. E-mail authentication dumps forged e-mail before it ever hits the content filters, which frees up network resources.
In fact, very large e-mail processors like Yahoo, Hotmail and AOL estimate that they can drop 30-60% of all their inbound mail on the basis of authentic banned addresses alone.

Authenticating E-mail to Stop False Positives

One of the most promising areas for e-mail authentication is to reduce false positives. Anti-spam filters run the risk of rejecting or delaying legitimate e-mail, if they mistakenly identify a valid business message as spam. Businesses that apply e-mail authentication can safely assume that legitimate communication will not use spoofed addresses, and there will be no false positives in rejecting these types.

E-mail authentication also makes whitelists and blacklists more useful. Whitelists, for example, search character strings to identify legitimate e-mail addresses. Spammers simply take legitimate addresses and put them in the "From:" address in a message header. The whitelist sees the correct character string, says "O.K.!" and sends the spam right on in. If an e-mail authentication is working, it can prove to the whitelist that the sender is who they say they are. The whitelist can then correctly send it on or unceremoniously dump it.

Bill Gates of Microsoft weighed in on spamming and spoofing. "Clearly, we must find additional ways to counter spam.
Wide agreement on the need to check messages for signs of forgery is a key step toward eliminating a favorite spammers' trick--one used to defeat spam filters and entice unwary recipients into opening attachments that may contain harmful worms and viruses. Domain spoofing is involved in half of all of today's spam."

Standards Wars

Many e-mail security vendors have already implemented some form of e-mail authentication, and many others are looking at doing so. From an e-mail administrator's perspective, the rub is which one to use. Some major de facto and proposed standards include S/MIME digital signatures, SPF and Sender ID.

S/MIME Digital Signatures: Prove You Are A Trusted Sender

One of the most time-tested approaches to e-mail authentication is to apply S/MIME digital signatures to outbound e-mail. Signing outgoing e-mail with a digital certificate provides positive proof to your customers and partners that your communications with them are authentic. When a recipient opens your digitally signed e-mail, their e-mail client displays a 'ribbon' or icon that indicates the message is valid, and not forged.

Digital signatures are based on S/MIME, a 9-year-old industry standard for e-mail security, which is supported in Microsoft Outlook, Microsoft Outlook Express, Lotus Notes, and Novell Groupwise. Together, these e-mail programs have an installed base of more than 350 million e-mail clients throughout the world, making this approach easily and ubiquitously deployable.

"Secure messaging is an enterprise imperative for 21st century businesses," said Matt Cain, senior vice president of analyst firm META Group. "S/MIME gateway interoperability certification is a large step forward in delivering an industry standard for end-to-end e-mail encryption and authentication. Secure messaging must be part of every organization's e-mail hygiene strategy."

Sender Policy Framework (SPF)

SPF fights e-mail address forgery and makes it easier to identify spam, worms, and viruses.
SPF authenticates e-mail by comparing the IP address of the e-mail server that sent the message, against a list of approved IP addresses published in the DNS record of the sender in the "From:" address. If the message is spoofed, the sending e-mail server will not show up as an approved sending address for that domain, and your e-mail authentication engine can automatically drop the offending e-mail.

This means that when a recipient receives e-mail, it's possible to verify that the e-mail came from the domain it says it did. For example, if a phisher forges a Chase Manhattan address in an e-mail message, SPF will be able to tell that this e-mail did not come from a Chase Manhattan machine.

The benefit of this approach is that owners of mail domains can independently register their own authorized IP addresses in DNS free of charge, and recipients of e-mail messages can perform queries of DNS records for SPF entries free of charge. Another advantage of SPF is that it rejects spoofed e-mails before they ever enter a corporate network. This significantly reduces the spam filter loads at Internet gateways and e-mail servers.

Unfortunately, SPF is not yet widely adopted. While there are currently almost 200,000 Internet mail domains that have published SPF entries in their DNS records, this is only a fraction of the e-mail domains registered on the Internet. And the bigger challenge is that, for SPF to work, corporate, government and ISP organizations need to deploy e-mail authentication engines at their gateways that check SPF--this deployment has not happened.

Sender ID

Sender ID is the convergence of Microsoft's Caller ID for e-mail and SPF. Sender ID verifies that each e-mail message originates from the Internet domain it claims to come from based on the sending server's IP address.

Microsoft hoped to make Sender ID the e-mail authentication standard, but there have been some serious bumps in the road. Several influential open source groups questioned the standard because of possible licensing issues, which led to the IETF's (Internet Engineering Task Force) rejection of the standard due to concerns over intellectual property. The issue was Microsoft's licensing requirements on its patented and patent-pending PRA (Purposefully Regressive Algorithm) code, which is crucial to Sender ID's spoof checking.

Microsoft spun the IETF's announcement by saying that the decision "does not mean Sender ID has been rejected" but that proposed changes would make the standard more flexible. Microsoft suggests that all the Sender ID framework needs is another spoof-checking mechanism in addition to the PRA algorithm.

Both Sender ID and SPF might end up as de facto standards. Mail giant AOL has announced that it will support both PRA and SPF methods on outbound e-mail, although it will only support SPF on inbound. E-mail administrators can choose both, one or neither.
Commercial senders should probably plan on publishing both PRA and SPF-related DNS references so that they can send mail to companies that will only check one or the other.

What's Next for E-mail Authentication?

Neither SPF nor Sender ID is widely adopted yet, though that may change. In the meantime, e-mail authentication approaches like Tumbleweed's E-mail Authentication Engine support standards like SPF and Sender ID, and also allow businesses to automatically apply S/MIME digital signatures. In Tumbleweed's case, the Authentication Engine can automatically sign outbound e-mail at the gateway based on an organization's e-mail policies, significantly reducing the overhead for this authentication approach by taking it out of the sender's hands. When recipients open a digitally signed e-mail, a displayed symbol indicates that the message has not been forged or spoofed.

Business e-mail is increasingly hard-hit by spam, e-mail spoofing and phishing, as well as a continuing string of e-mail-borne viruses and worms. E-mail authentication schemes may turn the tide by allowing recipient gateways and users to transparently verify the source of an e-mail message. Enterprises will be able to reduce phishing attacks on their brand and the amount of false positives in their filters. The IETF is busy trying to set standards for DNS-based authentication entries, but in the meantime e-mail administrators should use standards like S/MIME to protect the security of their corporate e-mail.
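
The gateway-side SPF check described in the Sender Policy Framework section, as an added example that is not part of the original article or any vendor's code. The domains, records and addresses are constructed documentation values, the dictionary stands in for DNS TXT lookups, and the function names are hypothetical; note that SPF as standardized (RFC 7208) evaluates the SMTP envelope sender domain, which is what `sender_domain` represents here.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (documentation domains and
# address ranges, not real sender data).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "shop.example": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=SPF_RECORDS):
    """Return an SPF-style result for client_ip sending as sender_domain."""
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed record: do not guess
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            # a, mx, include, ... need further DNS lookups this sketch omits
            return "unsupported"
    return "neutral"  # no mechanism matched and no "all" term


def gateway_action(sender_domain, client_ip):
    """Map the SPF result to a gateway decision (assumed local policy)."""
    result = check_spf(sender_domain, client_ip)
    # Only a hard fail is dropped at the gate; anything that is not a
    # clean pass still goes through the content filters.
    return {"pass": "accept", "fail": "reject"}.get(result, "filter")
```

A domain with no published record returns "none" and falls through to the content filters, which is why the article's adoption figures matter: the check can only reject spoofed mail for domains that publish a policy.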

Joseph Fisher is vice president, product management, at Tumbleweed Communications (Redwood City, CA) www.tumbleweed.com