Am I Who I Say I Am?

A Case for Authenticated Email

Trying to keep some kind of control over the ever-increasing flood of spam email that assaults email servers is a constant battle for email professionals. Whether the spam consists of advertisements for unneeded products and services, come-ons by fake mortgage lenders, shady offers for prescription pharmaceuticals, or outright pornography, the goal of email administrators is to keep all of this junk out of their users' Inbox. The main problem is the classic one of the Dutch boy and the dike: All we can do is try to cover the holes. IT doesn’t own the dike or the huge body of water behind it, and although that water is critical to life, filtering out the pollutants has become a full-time job.

The situation with spam has resulted in a major push for email-server vendors to take up the cause of authenticated email. An authenticated email system authenticates each piece of mail in a way that prevents (or rather, identifies) the spoofing of email headers. Because at least 99.9% of email with unverifiable information in the header fields is spam, an automated mechanism that authenticates message header information would cut down the amount of spam traffic exponentially.

In the Microsoft world, the key mechanism for message authentication is the Sender ID Framework (SIDF). Combining Microsoft’s Caller ID for Email technology and the Sender Policy Framework (developed by POBox.com’s CTO Meng Weng Wong), the first step in Sender ID's authentication process is validating the IP address of the server that sends an email message. Although sender authentication isn't a complete spam solution, it could be a significant aid in stopping phishing attacks. Phishers have become very sophisticated, and in many of the phishing emails I've seen, only a single IP address in the complete header information is a giveaway that the message is a con. Currently, the only way to stop a phishing attack is for potential victims to recognize the attack for what it is and delete the email message. Sender ID could eliminate phisher emails from entering a user's Inbox, eliminating the chance that the user would fall for a well-crafted attack.

Last August, Microsoft hosted approximately 80 members of the Email Service Providers Coalition, a vendor group working on the spam problem, to solicit their feedback and possible buy-in to the Sender ID technology. Many of these vendors have already announced antispam products, and other are waiting for the approval of Sender ID as an Internet Engineering Task Force (IETF) specification. Securing this approval is not a sure thing because the Sender ID Framework includes patented Microsoft technologies, and although the IETF will approve specifications that include patented technology, Microsoft hasn't clarified how it would enforce its patents in regard to the implementation of the SIDF. Without the IETF specification, Sender ID will have a more difficult path to common adoption, but it does have the strength of the proverbial 800-pound gorilla behind it.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish