Email Authentication: Dead Or Alive (Depends On Whose Headline You Read)

from the fun-with-headlines dept

About three years ago, it seemed like all of the big online players decided that email authentication was a good strategy for stopping spam. Of course, as happens all too often with these types of things, everyone came up with their own different standard -- meaning that you have a standards battle where not enough people adopt anything. Then, of course, many people felt that any such basic change to email effectively would break existing systems. Over the years, there's been plenty of talk about email authentication -- but it hasn't helped that the most active users of this supposedly "anti-spam" system are the spammers themselves. So, what's the state of email authentication today? Apparently it depends on whose headline you believe. Security Focus has an article today telling us that E-mail authentication gaining steam, while EmailBattles has their own article claiming: State of E-Mail Authentication: SPF Dead, Others on Life Support. Which story you believe probably reflects how much you've invested in one of these authentication techniques.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    dataguy, Apr 20th, 2006 @ 11:39am

    Glad to see you reference EmailBattles - I really like their work.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    anonymous coward, Apr 20th, 2006 @ 1:24pm

    as a technology-savvy email users knowing nothing about this issue would lead me to come down on the "dead" side.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Andrew, Apr 20th, 2006 @ 1:38pm

    Let's be clear - email authentication was never designed to stop spam. It's a popular misconception. Email authentication is designed to control spoofing. This would greatly reduce (or at least alleviate) 2 things:

    - Phishing scams
    - Joe Jobs

    If you've ever received thousands of bounce back emails because some half wit spammer sent email claiming to be from your address, you'll appreciate why stopping joe jobs is important.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    Joe Smith, Apr 20th, 2006 @ 3:41pm

    solutions

    It seems to me that there are only three possible answers to spam:
    1. governments outlaw it and act to enforce the laws.
    2. companies launch class action law suits against the commercial spammers for wasting employees' time with unauthorized and unsolicited emails.
    3. the rest of us donate to a fund to pay organized crime to hunt down and kill the spammers and phishers.

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Jacob, Apr 20th, 2006 @ 5:23pm

    RE: solutions

    I'd like to go with choice #3 :D

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Joe Jobs, Apr 20th, 2006 @ 5:56pm

    Re:

    What do you have against me?

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Garfiode, Apr 20th, 2006 @ 6:57pm

    Re: solutions

    3# definently. Should only take about 50 boxes of .50 cal ammo to get them all.

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Tomasz Andrzej Nidecki, Apr 20th, 2006 @ 11:59pm

    Glad to see SPF is on the downside

    I'm glad that at least some sources notice the problems with SPF, which I've been against for some time now, publishing information about its downsides and lack of effectiveness. Hope that all ISPs notice, that all solutions for server-side authentications are faulty by nature, and that someone at last realizes that the best method for authentication is for users to use personal e-mail certificates, which are available for free from many sources.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Hahaha, Apr 21st, 2006 @ 3:05am

    Re: Re:

    Re: by Joe Jobs on Apr 20th, 2006 @ 5:56pm What do you have against me?
    ROFLROFL

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Apr 21st, 2006 @ 4:01am

    These proposals have nothing to do with stopping s

    ...and everything to do with facilitating the creation of "walled gardens" for email, a la AOL's old business model. It's not surprising that spammers were the earliest adopters: OF COURSE they were, it's exactly what was predicted as soon as these idiotic proposals were put forth. The problem for the proponents, of course, is that having sunk so much of their time/credibility into these, they can't simply admit that they're enormous mistakes and walk away; no, they have to keep flogging them while simultaneously ignoring any number of clearly superior methods that have already been proven in the field.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Apr 21st, 2006 @ 4:08am

    Re: misconception

    If it's a misconception, and I'll certainly grant that it is, then whose fault is it that the misconception exists?

    "Spam as a technical is solved by SPF".

    That statement was on the home page of the SPF for some time -- it was quietly removed, without a public retraction, a while ago.

    Similar statements have been made by the proponents of other schemes. Of course they are: email forgery is at most a minor problem and always has been, so nobody needs or wants to care about it. But spam? Oh, spam is a major problem, so one way to attract a lot of press is to grandly pronounce that The Answer is at hand...even when it's obvious to everyone with any technical clue that anti-forgery technologies (a) have no anti-spam value and (b) are trivial to subvert. [The latter being especially true in a world with an estimated 100M zombies -- since the new masters of those systems have full access to any email authentication credentials possessed by their former owners.]

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    rick, Apr 21st, 2006 @ 8:11am

    Switch to encrypted email by default.

    II've said it before and I'll say it again. If we switched to encrypted
    email by default, joe jobs, authentication, and to some degree spam
    would be controlled.

    Publish your public keys either on your personal web site, in your
    signature, in public/private directories.

    Snail mail equivalents;
    1st Class - Signed/encrypted
    2nd-class - Signed
    Bulk-Rate - Unsigned / unencrypted.

    The more you value your privacy/hate spam the longer your encryption
    key. The longer your encryption key, the more processor time it takes
    to sign/encrypt email to you. (as a side benefit, the harder for people
    to snoop on you). Can anyone speculate on the time/processor power to
    send 1 million pieces of email currently vs. encrypting/signing 1 million pieces of email each encrypted with a different 2048bit key?

    If you value your privacy/time/bandwidth then either sort by class or
    reject (at the local level of course, NOT at the ISP level) certain
    classes. Perhaps you only accept 1st class email. Maybe 1st class is
    ok, second class gets filtered and bulk rate goes into the 'Junk mail'
    folder.

    Current problems with this idea, NSA/FBI/CIA etc. Google/Yahoo/AOL etc.
    The powers that be like the fact that most email is unsigned
    unencrypted plain text.

    What's common about the current plans like "DomainKeys Identified Mail".

    It's centrally located, the power is with the provider, not with the
    individual.

    It's still in plain text, so every one knows what you're writing about.

    It authenticates the mail server, not the individual. So if I'm at
    Alice@aol.com and I send mail pretending I'm from Bob@aol.com, then I
    can authentically state that the email from AOL.com actually came from
    an account at AOL.com. As email servers consolidate how does that help
    you? If your email is processed by Verizon, AOL, Earthlink, you are ok.
    If instead it's processed by Local Coop Inc., the ladies auxiliary, the
    Free China Society, or heaven forbid, your own server. Well obviously
    it doesn't come with the large corporate/government seal of approval,
    it MUST be bad/evil/subversive/spam.

    Spam works because it doesn't cost the sender near enough, and some
    small percentage of people actually bite. We need to increase the cost
    of sending thousands of emails without increasing the cost of sending
    tens of emails. The cost increase can't be in dollars, because then
    only the rich would be able to send email. We can't limit/consolidate
    the control of email sending, because then only 'approved' people would
    be able to send 'approved' messages. It shouldn't impact the current
    infrastructure because then it wouldn't get implemented.

    Default encrypted email; local control, authenticates the individual (or
    company/origination), increases the cost to Spammers without undually burdening individual emails or non-profits. Keeps your neighbor/the government/corporate interests from reading your email. Requires little if any change to the current email infrastructure.

    rick
    jilocain0@yahoo.com

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    rick, Apr 21st, 2006 @ 8:13am

    Switch to encrypted email by default.

    II've said it before and I'll say it again. If we switched to encrypted
    email by default, joe jobs, authentication, and to some degree spam
    would be controlled.

    Publish your public keys either on your personal web site, in your
    signature, in public/private directories.

    Snail mail equivalents;
    1st Class - Signed/encrypted
    2nd-class - Signed
    Bulk-Rate - Unsigned / unencrypted.

    The more you value your privacy/hate spam the longer your encryption
    key. The longer your encryption key, the more processor time it takes
    to sign/encrypt email to you. (as a side benefit, the harder for people
    to snoop on you). Can anyone speculate on the time/processor power to
    send 1 million pieces of email currently vs. encrypting/signing 1 million pieces of email each encrypted with a different 2048bit key?

    If you value your privacy/time/bandwidth then either sort by class or
    reject (at the local level of course, NOT at the ISP level) certain
    classes. Perhaps you only accept 1st class email. Maybe 1st class is
    ok, second class gets filtered and bulk rate goes into the 'Junk mail'
    folder.

    Current problems with this idea, NSA/FBI/CIA etc. Google/Yahoo/AOL etc.
    The powers that be like the fact that most email is unsigned
    unencrypted plain text.

    What's common about the current plans like "DomainKeys Identified Mail".

    It's centrally located, the power is with the provider, not with the
    individual.

    It's still in plain text, so every one knows what you're writing about.

    It authenticates the mail server, not the individual. So if I'm at
    Alice@aol.com and I send mail pretending I'm from Bob@aol.com, then I
    can authentically state that the email from AOL.com actually came from
    an account at AOL.com. As email servers consolidate how does that help
    you? If your email is processed by Verizon, AOL, Earthlink, you are ok.
    If instead it's processed by Local Coop Inc., the ladies auxiliary, the
    Free China Society, or heaven forbid, your own server. Well obviously
    it doesn't come with the large corporate/government seal of approval,
    it MUST be bad/evil/subversive/spam.

    Spam works because it doesn't cost the sender near enough, and some
    small percentage of people actually bite. We need to increase the cost
    of sending thousands of emails without increasing the cost of sending
    tens of emails. The cost increase can't be in dollars, because then
    only the rich would be able to send email. We can't limit/consolidate
    the control of email sending, because then only 'approved' people would
    be able to send 'approved' messages. It shouldn't impact the current
    infrastructure because then it wouldn't get implemented.

    Default encrypted email; local control, authenticates the individual (or
    company/origination), increases the cost to Spammers without undually burdening individual emails or non-profits. Keeps your neighbor/the government/corporate interests from reading your email. Requires little if any change to the current email infrastructure.

    rick
    jilocain0@yahoo.com

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Apr 21st, 2006 @ 10:19am

    Encryption is mostly useless, for at least three r

    Can anyone speculate on the time/processor power to send 1 million pieces of email currently vs. encrypting/signing 1 million pieces of email each encrypted with a different 2048bit key?"

    First reason: spammers have access to (essentially) unlimited CPU resources. (See "100M zombies" above.) Attempting to slow them down by imposing computational burdens on them is a guaranteed-losing strategy.

    Second reason: suppose such a scheme was widely deployed. Spammers could merely "harvest" the private keys used/stored on any of those 100M systems and then not only spam, but create considerable damage, by sending it signed not as themselves, but as the users in question.

    Third reason: suppose such a scheme was widely deployed. How can a receiving MTA verify that an incoming message was correctly encrypted? Answer: it can't. It doesn't possess the private key. It has to deliver it to the user's mailbox, where it will subsequently be retrieved via POP or IMAP, so that something running in the user's MUA -- and which knows the user's private key -- can vet the message. Which means that most of the damage has already been done: bandwidth, CPU and disk have already been wasted accepting, processing, and storing a message which turns out to be spam.

    There's more, but the bottom line is that encryption is not any kind of an answer to the spam problem because the spam problem is NOT an authentication problem.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    nan, Apr 21st, 2006 @ 2:05pm

    multiple email needs is where it's at

    I think authentication by itself hasn't been compelling enough, but combine it with the needs for encryption and access controls over email, and it all makes a little more sense. There is software available for desktops that authenticates senders and recipients on top of providing users the ability to assign access controls to prevent unauthorized forwarding... http://www.essentialsecurity.com/features.htm

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Apr 21st, 2006 @ 7:32pm

    What we have here...

    ....is failure to communicate.

    What those of you advocating various cryptographic measures continue to miss is that an attacker is in COMPLETE control of an end-user's system -- and thus able to, oh, install a keystroke logger for example -- and transparently forge anything they like.

    As a result, all your proposed solutions based on cryptography are completely worthless. Until, that is, all of those 100M plus systems out there that are already in a known-compromised state are rebuilt from original distribution media AND kept from being compromised again.

    Good luck with that.

    The sad truth is that in 2006, a large chunk of the spam problem reduces to a Windows security problem, and that is not a problem for which there is any known solution -- other than "format:c" following by a re-install (which, BTW, is now the recommended solution from the vendor).

    Nothing short of that will do. Yet it is seldom done. And even when it is, the effect is often temporary.

    For further reading, please consult You might be an anti-spam kook if... which enumerates any number of known-failed (yet frequently proposed) approaches to "solving" the spam problem. If you are not fully acquainted with that entire list and able to explain in detail why all of those approaches are utterly doomed, then you will most certainly not be capable of coming up with any ideas that have the slightest chance of success.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Bar Nelson Dominic, Sep 4th, 2007 @ 4:00am

    Hello,

    Hello,
    I am Bar Nelson Dominic
    A Canadian Attorney based in Manchester, United Kingdom and the personal attorney to Late Mr. Mark Michelle a citizen of France. Late Mr. Mark Michelle was a private oil consultant/ contractor with the Shell Petroleum Development Company in Saudi Arabia before his death, hereinafter shall be referred to as my client.Unfortunate, my client with his wife and three children lost their life in plane clash in 2003. My several attempts to locate any of his relatives as directed by his Bank became void. I had make enquires with his country Embassy and non of his relatives have been traced. It

    may interest you to know that my client died "in testate". PROPOSITION: I decided to contact you purely on the personal conviction of trust and confidence that we can co-operate with each other and do a very lucrative business for our mutual benefit. I want you to give me the needed assistance by allowing me to present you as the next of kin to the deceased and the beneficiary to his estate. The deceased had a deposit valued presently at (GBP 45,800,000.00) and his Bank has issued me a notice to provide his next of kin or beneficiary by will, otherwise the account would be confiscated. Already, i have marked out modalities for achieving my aim of appointing a next of kin as well as transfer the money out of this country, for us to share the money in the ratio of 53% for me and 35% to you, The 2% of the fund will serve as

    reimbursement of expenses both local and international any of us will make in the course of this transaction. While we shall collectively donate the remaining balance of 10% to Tsunami Relief Organizations. It is my intention to achieve this transfer in a legitimate way, all I required is your honest co-operation, and confidentiality and trust to enable us see this transaction through. This is a very legal business that I am very sure of its success and is absolutely risk free. If this proposal is acceptable to you, kindly email following information’s to me;
    1. Private telephone number and fax number.
    2. Your residential address.
    3. Identification / occupation.
    Further details await you upon a positive response from you

    Yours faithfully,

    Bar Nelson Dominic

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Bar Nelson Dominic, Sep 4th, 2007 @ 4:11am

    Hello,

    Hello,
    I am Bar Nelson Dominic
    A Canadian Attorney based in Manchester, United Kingdom and the personal attorney to Late Mr. Mark Michelle a citizen of France. Late Mr. Mark Michelle was a private oil consultant/ contractor with the Shell Petroleum Development Company in Saudi Arabia before his death, hereinafter shall be referred to as my client.Unfortunate, my client with his wife and three children lost their life in plane clash in 2003. My several attempts to locate any of his relatives as directed by his Bank became void. I had make enquires with his country Embassy and non of his relatives have been traced. It

    may interest you to know that my client died "in testate". PROPOSITION: I decided to contact you purely on the personal conviction of trust and confidence that we can co-operate with each other and do a very lucrative business for our mutual benefit. I want you to give me the needed assistance by allowing me to present you as the next of kin to the deceased and the beneficiary to his estate. The deceased had a deposit valued presently at (GBP 45,800,000.00) and his Bank has issued me a notice to provide his next of kin or beneficiary by will, otherwise the account would be confiscated. Already, i have marked out modalities for achieving my aim of appointing a next of kin as well as transfer the money out of this country, for us to share the money in the ratio of 53% for me and 35% to you, The 2% of the fund will serve as

    reimbursement of expenses both local and international any of us will make in the course of this transaction. While we shall collectively donate the remaining balance of 10% to Tsunami Relief Organizations. It is my intention to achieve this transfer in a legitimate way, all I required is your honest co-operation, and confidentiality and trust to enable us see this transaction through. This is a very legal business that I am very sure of its success and is absolutely risk free. If this proposal is acceptable to you, kindly email following information’s to me;
    1. Private telephone number and fax number.
    2. Your residential address.
    3. Identification / occupation.
    Further details await you upon a positive response from you

    Yours faithfully,

    Bar Nelson Dominic

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This