
Authentication Schemes Lift the E-mail Veil

High-tech companies are working on technical systems that can verify whether the “From” address of an e-mail has been spoofed. Such a system, if widely adopted by Internet service providers, could make it harder for criminals to “phish,” or send out bogus e-mails that appear to be from banks and other businesses. While these systems may not immediately reduce spam, they will set the stage for future technologies that can do just that, experts say.

There are several proposed schemes for authenticating that a piece of e-mail comes from the domain it purports to be from, says John Thielens, chief technology officer of Tumbleweed Communications, which makes secure-messaging software. All of these are being hotly debated, and an ultimate solution may incorporate more than one of them.

One leading scheme looks at the Internet protocol (IP) address of a message to see where that mail is coming from, and to see whether that information matches the “From” field of the message, Thielens explains. Microsoft’s proposed Sender ID system incorporates this type of approach.

But checking IP addresses has some inherent limitations, says Thielens. “The problem with Sender ID and schemes like that is that since they’re working with IP addresses, they’re limited because of the way e-mail actually flows,” he says, because many messages don’t simply go directly from sender to receiver; they can go through mailing-list distribution servers, forwarding services, and so on. “Techniques like Sender ID that are based on the IP address break in the face of that kind of scenario,” he says.
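The limitation Thielens describes can be reproduced in a few lines. The following is an added example, not code from the article or from any of the schemes it names: it models an IP-based check as described above (not the Sender ID specification itself), with a constructed table standing in for the sender ranges a domain would publish. All domain names, addresses and function names are assumptions.

```python
import ipaddress

# Constructed sample data (assumption): IP ranges each domain declares as
# allowed to send its mail. A dict stands in for the published records.
AUTHORIZED_SENDERS = {
    "bank.example": ["192.0.2.0/28"],
    "lists.example": ["198.51.100.16/29"],
}

def from_domain(from_header):
    """Return the domain of a From value such as 'Name <user@domain>'."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    local, sep, domain = addr.rpartition("@")
    if not (local and sep and domain):
        raise ValueError("no usable address in From header")
    return domain.lower().rstrip(".")

def check_sender_ip(from_header, connecting_ip):
    """'pass' if connecting_ip is authorized for the From domain, 'fail' if
    the domain lists ranges and the IP is outside them, 'none' otherwise."""
    try:
        ranges = AUTHORIZED_SENDERS.get(from_domain(from_header))
    except ValueError:
        return "none"
    if ranges is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    allowed = any(ip in ipaddress.ip_network(r) for r in ranges)
    return "pass" if allowed else "fail"

def receive(from_header, relay_path):
    """The receiver sees only the last relay that connected to it, so that
    is the address checked, however the message started out."""
    return check_sender_ip(from_header, relay_path[-1])

# Constructed scenarios: (description, From header, relay IPs in order).
SCENARIOS = [
    ("direct from the bank", "Alerts <alerts@bank.example>", ["192.0.2.5"]),
    ("spoofed From, unrelated host", "alerts@bank.example", ["203.0.113.77"]),
    ("genuine mail via a list server", "alerts@bank.example",
     ["192.0.2.5", "198.51.100.18"]),
    ("domain with no published ranges", "bob@other.example", ["203.0.113.9"]),
]

if __name__ == "__main__":
    for label, hdr, path in SCENARIOS:
        print(f"{label:32} -> {receive(hdr, path)}")
```

The third scenario is the one to watch: a genuine message relayed by a list server gets the same verdict as the spoofed one, because the check only ever sees the last relay's address.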

Another drawback to this solution is the ongoing argument over whether Microsoft will be able to retain patents over some of the Sender ID technology; open-source advocates argue that any scheme that requires patent licensing should not become the standard.

A different way to authenticate a message is by using a cryptographic key-based approach, such as Yahoo’s DomainKeys. The ISP that releases an e-mail onto the public Internet applies some form of signature that ties the identity of the sender to the content of the message, Thielens says, and when it arrives at another ISP, specialized software can perform an analysis to ensure that a message goes with a particular e-mail address.

ISPs will ultimately need to implement more than one of these schemes, says Vipul Prakash, chief scientist and founder of Cloudmark, a maker of antispam solutions. For example, given the huge amount of mail sent through Yahoo, “It behooves everyone else to start checking for domain keys,” Prakash says. Likewise, the volume of mail sent via Microsoft’s Hotmail means other standards will have to be in place. Prakash notes that implementing these schemes carries costs for ISPs, both in economic terms (cost of putting in and monitoring new software, for example) and in terms of computing power and network usage.

These concerns were raised in a recent summit held by the Federal Trade Commission (FTC). The meeting included representatives from small businesses, says Paula Bruening, staff counsel at the Center for Democracy and Technology. Their views are not often represented in these discussions, she says. “We heard a lot about challenges that they would face with widespread adoption of e-mail authentication,” she says. “I don’t think that necessarily means that that adoption is not a good idea, but it shone a light on the fact that there are concerns that it raises for smaller players.”

These authentication systems will be good at blocking phishers who rely on hiding their real domains, but they will have little effect on spam, says Scott Chasin, chief technology officer of MX Logic, which makes antispam and content-filtering products. He says spammers will simply circumvent Sender ID by leveraging zombie networks—that is, computers that have been compromised to allow spammers to send spam—to hide their real domains. Or, says Thielens, spammers can simply register a domain and then continue spamming.

The real importance of authentication schemes is that they will lay the groundwork for future systems that will reduce spam. At the FTC summit, Bruening says, “We heard a lot about how e-mail authentication is one tool that enables other technologies to work.” Thielens explains that once it can be established that a message did indeed come from a particular domain, the next step will be to know whether mail from that domain is legitimate or unwanted.

Is that a message I’m really interested in accepting? Is that a legitimate sender of e-mail? Does it conform to the CAN-SPAM Act? Those are among the questions that will be answerable by future accreditation and reputation services that will build on authentication schemes to provide due diligence on domains. That would make it easier to seriously diminish spam, but that’s still far in the future, Chasin says.