Will changes to email improve safety and fairness?
The current practice for protecting email's utility as an efficient form of communication is to ostracize abusive sources when much of their email is sent to recipients who never expressed a desire to receive it. In the email vernacular, this practice is called block-listing when the source has not adhered to an opt-in criterion for the distribution of bulk email. An opt-in criterion may seem unjust, as it imposes differing sending limits. However, an opt-in criterion does provide a practical means to ascertain who is causing the greatest harm to email's utility, and a better method of assessing email abuse has not been devised.
CAN-SPAM Law Demonstrates the DMA's Influence
Some marketers advocated a wholly unworkable and unsafe opt-out method that became codified in the US Federal CAN-SPAM law. Fortunately, this law also allows a practical opt-in criterion to be used instead. Opting out greatly increases the recipient's burden and risk when forced to respond to undesired messages. Merely responding increases the trading value of verified email addresses, inviting an endless series of new senders. When the opt-out method is offered as a link, a simple click may cause the recipient's system to become compromised.
Fairness Depends Upon Who Gets Assessed
For email, however, the greatest potential for injustice occurs when the source of abuse is being ascribed. There are few verifiable source identifiers within an email. The sender's IP address and the host-name provided within the initial session announcement are two verifiable identifiers. A new identification method based upon public-key cryptography, called DomainKeys, is being tested, along with an IETF effort called DomainKeys Identified Mail (DKIM). All of these identifiers represent sources that can be fairly held accountable.
SSP Demonstrates the Administrator's Influence
In addition, those willing to equivocate about identifiers consider that an email address domain authorization provides an indirect method of identifying the message source. The current proposals of this kind are Sender-ID and a new scheme called Sender Signer Policy (SSP), which is intended to work with DKIM. As with Sender-ID, SSP also assumes it is an indirect method of source identification, and even directs complaints to the email address domain owner.
With any of these email address authorization schemes, the email address domain owner may be prone to being unfairly held accountable. This can happen when the authorization is considered a weak form of authentication, and used to accrue reputations for block-listing. When the email address authorization does not actually identify the source of an abusive message, any reputation accrual would of course result in unfair treatment.
Some insist the email address domain owner should be held culpable for their authorization of email sources. However, such authorizations may be open-ended (allowing any signature, or the lack of a signature) out of necessity, or poorly protected by providers within shared environments. The email address domain owner can be coerced by equivocating administrators into publishing these authorizations after finding that, without this record, their emails are rejected or deleted.
A fair system would ensure actual sources are ascribed for undesired email. Unfortunately, some consider authorizations derived from email addresses as a good-enough means to identify the message source, which is simply wrong and unfair.
The Expectation of Delivery
When publishing an SSP record, an email address domain owner wishing to use various providers or services would need to publish an open-ended authorization. As SSP authorizations are public, these are rather easily exploited, especially with the prevalence of compromised systems connected to most providers. The defensive posture would be to not use public servers and not permit third-party signatures as perhaps the only sure means to limit these exposures. Any exploitation of an open-ended authorization has the potential to damage reputations held by a diverse array of equivocating recipients. However, not allowing third-party signers also dramatically changes current email practices.
Placing the burden of reputation upon the email address domain owner benefits the administrator, as expensive complaints are directed elsewhere. Protections promised by these authorization schemes assume the recipient is able to clearly see the email address and that removal of unauthorized messages will be effective at thwarting phishing attempts.
Unfortunately, both of these assumptions are wrong. Most recipients are likely using an email application that displays the pretty-name rather than the actual email address. Even when the email address is visible, any indication or assumption that authorized messages are trustworthy will likely mislead the recipient, as any miscreant is able to authorize their own domain and can control what is displayed.
Additionally, in some non-English-speaking regions, the use of Punycode domain names virtually prohibits reliance upon any visual recognition of an email address, making these authorization schemes truly English-centric. The protection promised by the authorization schemes also assumes that the recipient understands the hierarchy of assignments within a domain name. Many do not, and many institutions subjected to phishing also make similar changes to their domain names, just to differentiate their various services.
A Recognition Strategy
There is an alternative to SSP that can resolve the significant flaws of unfair accountability and over-reliance upon visual acuity. This alternative allows people anywhere in the world to safely use their native language. A binding recognition strategy simply includes advice (a single-letter code) within the signature indicating which elements may be used to identify the author of the message. Once these elements are registered by the recipient with the email application, messages can be highlighted when recognized as coming from the correspondents of the registered messages. The binding information can be retained at the mail application and, in some cases, automatically at the email server.
In cases where an institution wishes to impose a requirement of a signature with their email address, this can be signaled within the retained binding advice. This approach ensures the message source remains accountable rather than the email address domain owner, as no email address domain authorizations are used. This also ensures current email practices do not need to change, so one may continue to use the email address given to them by their Alma Mater, for example.
Recognition Mirrors the Innate Ability of Humans
Rather than depending upon superhuman vision or the acquisition of thousands of look-alike domains by the various institutions, a cryptographic signature would allow the recipient's email application to uniquely recognize a prior correspondent. This source recognition models the innate ability of humans to identify a unique voice or a face. By highlighting recognized sources, attempts at pretending to be one of these correspondents would be easily noticed by the lack of highlighting.
Initial message source identifiers would be registered with the email application when a relationship is first established. This added information provides an out-of-band means to confirm the source of the message. Once the message source is registered by the recipient, all subsequent messages should be identifiable by the email application and thus highlighted.
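To make the binding described in the two preceding sections concrete, here is an added example (not part of the original article) of how a mail application could register a correspondent's DKIM signing domain on first contact and highlight only later messages whose verified signature matches that binding. It assumes the receiver has already verified the DKIM signature, reduces the single-letter binding advice to one flag (whether the correspondent requires a signature), and uses constructed header samples and domain names.

```python
import re
from dataclasses import dataclass, field

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header into its tag=value pairs (d=, s=, i=, b=, ...).
    Folding whitespace inside values is dropped, as the DKIM tag syntax allows."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def from_address(from_header):
    """Return the bare address: the pretty-name is what most clients display,
    but the binding must be on the address the author actually used."""
    match = re.search(r"<([^>]+)>", from_header)
    return (match.group(1) if match else from_header).strip().lower()

@dataclass
class Binding:
    signer: str                 # d= domain seen when the correspondent was first registered
    require_sig: bool = False   # binding advice: this correspondent always signs its mail

@dataclass
class RecognitionStore:
    """Per-recipient registry of address -> signer bindings (hypothetical store)."""
    bindings: dict = field(default_factory=dict)

    def register(self, from_header, dkim_header, require_sig=False):
        # First contact: remember which signing domain vouched for this address.
        signer = parse_dkim_tags(dkim_header)["d"].lower()
        self.bindings[from_address(from_header)] = Binding(signer, require_sig)

    def classify(self, from_header, dkim_header):
        """Decide whether a later message should be highlighted as recognized.
        Only 'recognized' earns a highlight; every other outcome leaves it plain."""
        binding = self.bindings.get(from_address(from_header))
        if binding is None:
            return "unknown"            # never registered, e.g. a look-alike address
        if not dkim_header:
            # An unsigned message from a correspondent who always signs is suspect.
            return "signature-required" if binding.require_sig else "unsigned"
        signer = parse_dkim_tags(dkim_header).get("d", "").lower()
        return "recognized" if signer == binding.signer else "mismatch"
```

A message that forges a registered From address but carries some other domain's valid signature lands in "mismatch", so the recipient notices the missing highlight without having to read the address.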
The value of DKIM will be fully realized when mail applications utilize the signature to recognize prior correspondents. With DKIM and recognition built into email applications, look-alike domain exploits, and other spoofing attempts could become a problem of the past.
Cryptography Requires Auxiliary Defenses
The effort does not end with just the DKIM signature. Cryptographic techniques represent a moderate overhead where messages must be fully received before the validity of a signature can be verified. This means the cryptographic process is somewhat more vulnerable to Denial of Service attacks than schemes that identify sources based upon the readily available IP address or host-name. However, depending upon the IP address may cause collateral blocking when servers are being shared, as they often are.
Fortunately, email already offers a solution for both the Denial of Service attack and collateral blocking. At the beginning of an email exchange session, the host-name of the sending system is provided and can be verified. Establishing a new paradigm that ensures the host-name can be verified will also permit the same name-based reputations used to vet the sources, to also defend the cryptographic process.
What to Expect
It should come as a surprise that a consumer-friendly and safe method for using DKIM has been initially supplanted by the SSP authorization scheme. Within the IETF, consensus among current participants is heavily dominated by those who attempted to bring forward the previous IP address authorization schemes. SSP will be their second attempt at the RFC brass ring, and this group is not likely to be dissuaded from their goal of holding the hapless email address domain owner accountable.
Douglas Otis is senior engineer at Network Security Services Group, Trend Micro, Inc. (Cupertino, CA).
Title Annotation: Electronic mail address authorization scheme
Publication: Computer Technology Review
Date: Jan 1, 2006