Welcome!

Containers Expo Blog Authors: Pat Romanski, Liz McMillan, TJ Randall, AppDynamics Blog, Elizabeth White

Related Topics: Containers Expo Blog

Containers Expo Blog: Article

The War on Spam

Update from the Front Lines

The Internet is now indispensable to business at the cost of Internet abuse. Spam cascaded from an annoying trickle to a raging flood of ads, viruses, spyware, and phishing scams that pour into millions of inboxes everyday all over the world. With upwards of 80% of all e-mail traffic now spam, it's no wonder that organizations worldwide are looking for new ways to eradicate this blight. This article will discuss some of the newer developments in the "battle of the inbox."

E-Mail Authenication: SPF, Sender-ID, DomainKeys and IIM

Like traditional mail, e-mail is supposed to have a return address, often called a "bounce address," where undeliverable e-mail is returned. This address isn't always the same as the address of the author, which is called the "from address," just like in the real world where the return address on the envelope doesn't necessarily match the person who sent it.

Spammers fake these addresses since they don't want to pay for servers to handle all the undeliverable spam they send out, which can be in the millions of messages. Many times they make someone else's address the bounce address and the undeliverable e-mails are sent to some innocent bystander, a situation called a "joe job."

To add insult to injury, the bystander is usually blamed for sending the original spam. Spammers like to fake the "from" address, especially when phishing since it makes the message look more realistic to the unsuspecting.

In many ways, the e-mail system is modeled after the real world postal system. Unfortunately, just like real post offices, the return address isn't verified so spammers can fake the bounce and from addresses.

To combat the problem, several authentication schemes are being developed. The most popular ones are SPF or "Sender Permitted From," now renamed "Sender Policy Framework," (http://spf.pobox.com), Microsoft's Sender-ID (www.microsoft.com/senderid/) and Yahoo's DomainKeys (http://antispam.yahoo.com/domainkeys).

They all operate the same way: Domain name owners publish information about their domains in DNS and e-mail receivers check that information against the e-mail they get. For SPF and Sender-ID the information consists of a list of e-mail servers that are authorized to use the owner's domain in the bounce address (for SPF) or the author's address (for SID). For DomainKeys, domain owners digitally sign outgoing e-mail and publish the corresponding public keys in DNS.

The logic behind these techniques is that by having domain owners publish this information, it prevents anyone else from using their domain names without their permission. Receivers can check whether the information in incoming e-mail matches the data published by the domain owners, and can discard non-matching messages as fake.

Software support for e-mail authentication is sketchy. SPF enjoys the widest support, with implementations available for most major MTAs (http://spf.pobox.com/downloads.html).

DomainKeys implementations are also available for most major e-mail software (http://domainkeys.sourceforge.net/) but unlike SPF, most DomainKeys implementations haven't been widely tested. Support for Sender-ID is very slim; even Microsoft won't support Sender-ID in Exchange until the second half of 2005 (http://blogs.msdn.com/exchange/archive/2004/12/22/330184.aspx).

There's no support for SID in any major MTA software except Sendmail (www.sendmail.net/sid-milter/) partly because of licensing issues with Microsoft patents and the collapse of IETF's standardization efforts.

However, the biggest sticking point is not necessarily lack of software support, but lack of participants. Few domain owners publish any records. Without the participation of domain owners, software support is basically useless.

Another issue is the lack of standardization. And there's no resolution in sight because IETF's MARID working group has disintegrated.

Nevertheless, SPF boasts a following of over 200,000 domains publishing SPF records (http://spftools.infinitepenguins.net/register.php).

While both Sender-ID and DomainKeys don't have many participants, they do have some big names such as AOL and Google publishing records and testing them. But compared to the number of domains and the volume of e-mail traffic on the Internet it's insignificant.

At the same time, significant technical and legal issues surround these schemes. SPF requires major changes in mailing lists and only protects the "bounce address," which is pretty thin. Questions have been raised about possible fatal flaws in Sender-ID's key algorithm. Sender-ID's license and patents have legal problems. Forwarding and mailing lists have to be reconfigured or changed. There's insufficient real-world testing and it's unclear these schemes can stand up outside the lab.

Nevertheless, the implementations that are dribbling out are letting organizations experiment. As field test data increases, it's hoped the flaws and technical problems can be resolved, though no technology is mature enough to be deployed in a production environment without pausing over the potential legal and technical issues. Since the protocols may be tweaked and changed many times before a final standard is set, managers must proceed with caution before spending valuable resources. While organizations may seek to protect themselves and rush to deploy these solutions, they must realize that e-mail authentication is only one step in a larger attack on spam.

More Stories By Yakov Shafranovich

VP of a business software startup, former co-chair of Anti-Spam Research Group (ASRG)

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
AI and machine learning disruption for Enterprises started happening in the areas such as IT operations management (ITOPs) and Cloud management and SaaS apps. In 2019 CIOs will see disruptive solutions for Cloud & Devops, AI/ML driven IT Ops and Cloud Ops. Customers want AI-driven multi-cloud operations for monitoring, detection, prevention of disruptions. Disruptions cause revenue loss, unhappy users, impacts brand reputation etc.
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Atmosera delivers modern cloud services that maximize the advantages of cloud-based infrastructures. Offering private, hybrid, and public cloud solutions, Atmosera works closely with customers to engineer, deploy, and operate cloud architectures with advanced services that deliver strategic business outcomes. Atmosera's expertise simplifies the process of cloud transformation and our 20+ years of experience managing complex IT environments provides our customers with the confidence and trust tha...
The Japan External Trade Organization (JETRO) is a non-profit organization that provides business support services to companies expanding to Japan. With the support of JETRO's dedicated staff, clients can incorporate their business; receive visa, immigration, and HR support; find dedicated office space; identify local government subsidies; get tailored market studies; and more.
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations. Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward maximum functionality, scalability, and flexibility. As they do so, IT professionals are also embr...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations. Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward maximum functionality, scalability, and flexibility.
Today's workforce is trading their cubicles and corporate desktops in favor of an any-location, any-device work style. And as digital natives make up more and more of the modern workforce, the appetite for user-friendly, cloud-based services grows. The center of work is shifting to the user and to the cloud. But managing a proliferation of SaaS, web, and mobile apps running on any number of clouds and devices is unwieldy and increases security risks. Steve Wilson, Citrix Vice President of Cloud,...