Email Authentication: Dead Or Alive (Depends On Whose Headline You Read)
from the fun-with-headlines dept
About three years ago, it seemed like all of the big online players decided that email authentication was a good strategy for stopping spam. Of course, as happens all too often with these types of things, everyone came up with their own different standard — meaning that you have a standards battle where not enough people adopt anything. Then, of course, many people felt that any such basic change to email would effectively break existing systems. Over the years, there’s been plenty of talk about email authentication — but it hasn’t helped that the most active users of this supposedly “anti-spam” system are the spammers themselves. So, what’s the state of email authentication today? Apparently it depends on whose headline you believe. Security Focus has an article today telling us that E-mail authentication gaining steam, while EmailBattles has its own article claiming: State of E-Mail Authentication: SPF Dead, Others on Life Support. Which story you believe probably reflects how much you’ve invested in one of these authentication techniques.
Comments on “Email Authentication: Dead Or Alive (Depends On Whose Headline You Read)”
Glad to see you reference EmailBattles – I really like their work.
As a technology-savvy email user, knowing nothing about this issue would lead me to come down on the “dead” side.
Let’s be clear – email authentication was never designed to stop spam. It’s a popular misconception. Email authentication is designed to control spoofing. This would greatly reduce (or at least alleviate) 2 things:
– Phishing scams
– Joe Jobs
If you’ve ever received thousands of bounce back emails because some half wit spammer sent email claiming to be from your address, you’ll appreciate why stopping joe jobs is important.
Re: Re:
What do you have against me?
Re: Re: Re:
Re: misconception
If it’s a misconception, and I’ll certainly grant that it is, then whose
fault is it that the misconception exists?
“Spam as a technical is solved by SPF”.
That statement was on the home page of the SPF for some time —
it was quietly removed, without a public retraction, a while ago.
Similar statements have been made by the proponents of other
schemes. Of course they are: email forgery is at most
a minor problem and always has been, so nobody needs or wants
to care about it. But spam? Oh, spam is a major problem, so one
way to attract a lot of press is to grandly pronounce that The Answer
is at hand…even when it’s obvious to everyone with any technical
clue that anti-forgery technologies (a) have no anti-spam value
and (b) are trivial to subvert. [The latter being especially true in a
world with an estimated 100M zombies — since the new masters of
those systems have full access to any email authentication credentials
possessed by their former owners.]
solutions
It seems to me that there are only three possible answers to spam:
1. governments outlaw it and act to enforce the laws.
2. companies launch class action law suits against the commercial spammers for wasting employees’ time with unauthorized and unsolicited emails.
3. the rest of us donate to a fund to pay organized crime to hunt down and kill the spammers and phishers.
Re: solutions
#3 definitely. Should only take about 50 boxes of .50 cal ammo to get them all.
RE: solutions
I’d like to go with choice #3 😀
Glad to see SPF is on the downside
I’m glad that at least some sources notice the problems with SPF, which I’ve been against for some time now, publishing information about its downsides and lack of effectiveness. Hope that all ISPs notice, that all solutions for server-side authentications are faulty by nature, and that someone at last realizes that the best method for authentication is for users to use personal e-mail certificates, which are available for free from many sources.
These proposals have nothing to do with stopping s
…and everything to do with facilitating the creation of “walled gardens”
for email, a la AOL’s old business model. It’s not surprising that spammers
were the earliest adopters: OF COURSE they were, it’s exactly what was
predicted as soon as these idiotic proposals were put forth. The problem for
the proponents, of course, is that having sunk so much of their time/credibility
into these, they can’t simply admit that they’re enormous mistakes and walk
away; no, they have to keep flogging them while simultaneously ignoring
any number of clearly superior methods that have already been proven
in the field.
Switch to encrypted email by default.
I’ve said it before and I’ll say it again. If we switched to encrypted
email by default, joe jobs, authentication, and to some degree spam
would be controlled.
Publish your public keys either on your personal web site, in your
signature, in public/private directories.
Snail mail equivalents;
1st Class – Signed/encrypted
2nd-class – Signed
Bulk-Rate – Unsigned / unencrypted.
The more you value your privacy/hate spam the longer your encryption
key. The longer your encryption key, the more processor time it takes
to sign/encrypt email to you. (as a side benefit, the harder for people
to snoop on you). Can anyone speculate on the time/processor power to
send 1 million pieces of email currently vs. encrypting/signing 1 million pieces of email each encrypted with a different 2048bit key?
If you value your privacy/time/bandwidth then either sort by class or
reject (at the local level of course, NOT at the ISP level) certain
classes. Perhaps you only accept 1st class email. Maybe 1st class is
ok, second class gets filtered and bulk rate goes into the ‘Junk mail’
folder.
Current problems with this idea, NSA/FBI/CIA etc. Google/Yahoo/AOL etc.
The powers that be like the fact that most email is unsigned
unencrypted plain text.
What’s common about the current plans like “DomainKeys Identified Mail”.
It’s centrally located, the power is with the provider, not with the
individual.
It’s still in plain text, so everyone knows what you’re writing about.
It authenticates the mail server, not the individual. So if I’m at
Alice@aol.com and I send mail pretending I’m from Bob@aol.com, then I
can authentically state that the email from AOL.com actually came from
an account at AOL.com. As email servers consolidate how does that help
you? If your email is processed by Verizon, AOL, Earthlink, you are ok.
If instead it’s processed by Local Coop Inc., the ladies auxiliary, the
Free China Society, or heaven forbid, your own server. Well obviously
it doesn’t come with the large corporate/government seal of approval,
it MUST be bad/evil/subversive/spam.
Spam works because it doesn’t cost the sender near enough, and some
small percentage of people actually bite. We need to increase the cost
of sending thousands of emails without increasing the cost of sending
tens of emails. The cost increase can’t be in dollars, because then
only the rich would be able to send email. We can’t limit/consolidate
the control of email sending, because then only ‘approved’ people would
be able to send ‘approved’ messages. It shouldn’t impact the current
infrastructure because then it wouldn’t get implemented.
Default encrypted email; local control, authenticates the individual (or
company/origination), increases the cost to Spammers without unduly burdening individual emails or non-profits. Keeps your neighbor/the government/corporate interests from reading your email. Requires little if any change to the current email infrastructure.
rick
jilocain0@yahoo.com
Encryption is mostly useless, for at least three r
“Can anyone speculate on the time/processor power to
send 1 million pieces of email currently vs. encrypting/signing 1 million pieces of email each encrypted with a different 2048bit key?”
First reason: spammers have access to (essentially) unlimited CPU resources.
(See “100M zombies” above.) Attempting to slow them down by imposing
computational burdens on them is a guaranteed-losing strategy.
Second reason: suppose such a scheme was widely deployed. Spammers
could merely “harvest” the private keys used/stored on any of those 100M
systems and then not only spam, but create considerable damage, by sending
it signed not as themselves, but as the users in question.
Third reason: suppose such a scheme was widely deployed. How can
a receiving MTA verify that an incoming message was correctly
encrypted? Answer: it can’t. It doesn’t possess the private key. It has
to deliver it to the user’s mailbox, where it will subsequently be
retrieved via POP or IMAP, so that something running in the user’s
MUA — and which knows the user’s private key — can vet the message.
Which means that most of the damage has already been done: bandwidth,
CPU and disk have already been wasted accepting, processing, and
storing a message which turns out to be spam.
There’s more, but the bottom line is that encryption is not any kind of
an answer to the spam problem because the spam problem is NOT an
authentication problem.
multiple email needs is where it's at
I think authentication by itself hasn’t been compelling enough, but combine it with the needs for encryption and access controls over email, and it all makes a little more sense. There is software available for desktops that authenticates senders and recipients on top of providing users the ability to assign access controls to prevent unauthorized forwarding… http://www.essentialsecurity.com/features.htm
What we have here...
….is failure to communicate.
What those of you advocating various cryptographic measures continue
to miss is that an attacker is in COMPLETE control of an
end-user’s system — and thus able to, oh, install a keystroke logger
for example — and transparently forge anything they like.
As a result, all your proposed solutions based on cryptography are
completely worthless. Until, that is, all of those 100M plus systems
out there that are already in a known-compromised state are rebuilt
from original distribution media AND kept from being compromised
again.
Good luck with that.
The sad truth is that in 2006, a large chunk of the spam problem
reduces to a Windows security problem, and that is not a problem
for which there is any known solution — other than “format:c”
followed by a re-install (which, BTW, is now the recommended
solution from the vendor).
Nothing short of that will do. Yet it is seldom done. And
even when it is, the effect is often temporary.
For further reading, please consult
You might be an anti-spam kook if…
which enumerates any number of known-failed (yet frequently
proposed) approaches to “solving” the spam problem.
If you are not fully acquainted with that entire list and able to
explain in detail why all of those approaches are utterly doomed,
then you will most certainly not be capable of coming up with
any ideas that have the slightest chance of success.
Hello,
Hello,
I am Bar Nelson Dominic
A Canadian Attorney based in Manchester, United Kingdom and the personal attorney to Late Mr. Mark Michelle a citizen of France. Late Mr. Mark Michelle was a private oil consultant/ contractor with the Shell Petroleum Development Company in Saudi Arabia before his death, hereinafter shall be referred to as my client.Unfortunate, my client with his wife and three children lost their life in plane clash in 2003. My several attempts to locate any of his relatives as directed by his Bank became void. I had make enquires with his country Embassy and non of his relatives have been traced. It
may interest you to know that my client died “in testate”. PROPOSITION: I decided to contact you purely on the personal conviction of trust and confidence that we can co-operate with each other and do a very lucrative business for our mutual benefit. I want you to give me the needed assistance by allowing me to present you as the next of kin to the deceased and the beneficiary to his estate. The deceased had a deposit valued presently at (GBP 45,800,000.00) and his Bank has issued me a notice to provide his next of kin or beneficiary by will, otherwise the account would be confiscated. Already, i have marked out modalities for achieving my aim of appointing a next of kin as well as transfer the money out of this country, for us to share the money in the ratio of 53% for me and 35% to you, The 2% of the fund will serve as
reimbursement of expenses both local and international any of us will make in the course of this transaction. While we shall collectively donate the remaining balance of 10% to Tsunami Relief Organizations. It is my intention to achieve this transfer in a legitimate way, all I required is your honest co-operation, and confidentiality and trust to enable us see this transaction through. This is a very legal business that I am very sure of its success and is absolutely risk free. If this proposal is acceptable to you, kindly email following information’s to me;
1. Private telephone number and fax number.
2. Your residential address.
3. Identification / occupation.
Further details await you upon a positive response from you
Yours faithfully,
Bar Nelson Dominic