Email authentication the key to fighting spam, claims security vendor

By Matt Whipp

Posted on 4 Nov 2004 at 16:57

Security vendor Tumbleweed's CEO Jeff Smith said that while email authentication is not a solution to spam in itself, without it current alternative technologies simply don't work.

Back in August, email security company Ciphertrust published a report that found spammers are actively using the latest authentication techniques to ensure spam gets through - simply by complying with the new protocols. So successful were they at this that spam was three times more likely to get through such systems than legitimate email.

However, this should not be the death knell for Sender ID and the like, but rather the wake up call to start implementing authentication standards across the board.

Smith said that authentication is the key to making alternative technologies effective. Without it solutions such as 'whitelists' don't work, they're the ticket into the enterprise,' he said. A whitelist is a list of trusted domains: so if a spammer can spoof the sender address to show such a domain - @microsoft.com, for example - the technique will be redundant. And with 95 per cent of phishing attacks using spoofed from addresses, spammers are no strangers to this.

Reputation services don't work either, claims Smith. For companies that offer their domain as a service it becomes impossible. Most ISPs are perfectly respectable, but if their email addresses are used to send spam messages, the chances are they'll end up with a bad reputation, meaning the rest of their subscribers end up with a bad reputation too.

Blacklists also won't work. They are too open to abuse according to Smith. It only takes one vindictive complaint to be successful to get a company's domain on such a list, and that company can't email anyone with spam software that checks that list for banned domains. Furthermore, in May of this year, self-confessed spam king Scott Richter won a temporary restraining order against anti-spam outfit SpamCop to bar it from including it in its blacklists, for failing to supply contact details of complainants, thus making it impossible to comply with the Can-Spam Act.

'These things won't work until we can authenticate,' said Smith. 'First you authenticate, second you validate and then you can add in reputation services and the like.'

Having said that, agreeing a standard for email authentication has proved difficult. A group set up under the Internet Engineering Task Force to do just this foundered on Microsoft proposals that were patent-pending and required a licence.

Smith described Microsoft's contribution to the 'Sender ID' project as 'complicated', but was upbeat on the outlook of agreeing a single standard for email authentication.

'I think what will come out of this, what will be agreed, is a signature-based approach, using domain-based keys. That is, one key per domain rather than per individual'. Companies can therefore get a single key for all the addresses at their domain, and at a flick of a switch, authenticate the domains of the other companies they deal with.

'What we'll see are two Internets: one authenticated, and one not,' said Smith. 'I expect to see some convergence around signing in the first half of 2005'. And which standard will be used? 'I actually think it will be the Cisco spec that will make it,' says Smith.