Can email ID beat the spammers?
The promise of email authentication is too good to ignore, but if it is implemented incorrectly it will break a company's mail system instead of fixing it, experts have cautioned.
Erik Johnson, a secure messaging executive at Bank of America, said in a presentation at the Authentication Summit in Chicago on Wednesday: "Deploy smart. Don't just do it. If you just do it, you may just break it."
For the past two years, the technology industry has been advocating the use of systems to guarantee the identity of email senders. It sees such authentication as key to the fight against spam and phishing, as it should help improve mail filters and make it harder for senders to forge their addresses. The industry also likes to advertise that these systems have practically no cost.
Organisations have been buying into the promise of restoring trust in email. The number of Fortune 500 companies that sent authenticated mail has increased, from seven per cent in July last year to 20 per cent at the end of March 2006, according to Microsoft. The software giant is the main backer of a caller ID-like system for email called Sender ID.
Johnson said: "Setting aside rewriting SMTP, email authentication is the best thing we have today," referring to the Simple Mail Transfer Protocol, the basic technology behind email. Yet adopting sender authentication and managing it is not simple, he said. It took Bank of America six months to deploy the technology.
He said: "It really is not easy to deploy sender authentication right. If you are in a large organisation, you really can't just push the easy button. This requires pretty much constant attention and activity... or else it will break and it will hurt you."
There are two main ways of authenticating email: Sender ID and DomainKeys Identified Mail, or DKIM. Backed by Cisco Systems and Yahoo!, DKIM relies on public key cryptography. It attaches a digital signature to outgoing email, so recipients can verify the message comes from its claimed source.
Sender ID is further along in adoption than DKIM. It requires ISPs, companies and other internet domain holders to publish SPF (Sender Policy Framework) records to identify their mail servers. This usually does not require new hardware or software; the most arduous part is doing an inventory of mail servers and the subsequent maintenance of that record.
David Crocker, the principal at Brandenburg InternetWorking and author of one of the early email standards, said: "The story is that [this type of sender authentication] is cheap to do. That is not true. The ongoing IT cost is huge."
The key problem for large companies is figuring out all the systems that send email on their behalf, said Paul Judge, chief technology officer at email security company CipherTrust. "If you are a large multinational organisation, you may have email gateways in 10 countries, you may have marketing companies that send email on your behalf," he said.
This was a challenge at Bank of America. Johnson said: "You need to really have a comprehensive, holistic look at your entire organisation and know exactly who is sending mail.
"As you move along with implementing authentication... you are going to find that things will break - if some business unit goes ahead and sets up some host to send email and they don't register the hosts with SPF records." The problem is especially acute if email service providers delete all the email that fails an authentication check, he said.
But not all adopters of email authentication face these problems. Dell, for example, did not see a major challenge. Erich Stokes, a systems engineer, said: "There was some housekeeping that needed to be done. Email and SMTP was this great open standard, we just have to be a bit more responsible now."
The challenge of making an inventory of email servers is apparent in the way SPF records are published. More than half of the companies that use SPF fail to tell recipients their list of servers is complete - that is, that there should be no mail coming from other servers, according to CipherTrust. This leaves open a door for spoofers, as email sent from an unidentified server can't just be deleted by filters.
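To make the "complete list" point concrete, here is an added example (not code from the article or from any company it quotes): a minimal SPF evaluator that handles the `ip4` and `all` mechanisms and reports whether a record actually tells recipients that unlisted servers should fail. The domain names, addresses and records are constructed placeholders.

```python
import ipaddress

# Constructed sample records: one closes the door with -all, the others do not.
RECORDS = {
    "strict.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
    "soft.example":   "v=spf1 ip4:203.0.113.0/24 ~all",
    "open.example":   "v=spf1 ip4:203.0.113.0/24 ?all",
    "noall.example":  "v=spf1 ip4:203.0.113.0/24",
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip, using only ip4 and all.
    include/a/mx need DNS and are deliberately not resolved here."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism {mech!r} requires DNS lookups")
    return "neutral"  # no match and no 'all' term: the record says nothing


def closes_the_door(record):
    """True only when the record ends in -all, so unlisted servers hard-fail."""
    qualifier, mech, _ = parse_spf(record)[-1]
    return mech == "all" and qualifier == "-"


if __name__ == "__main__":
    for domain, record in RECORDS.items():
        verdict = evaluate(record, "192.0.2.1")  # an address not in any list
        print(f"{domain:16} unlisted sender -> {verdict:9} complete={closes_the_door(record)}")
```

Only `strict.example` lets a filter treat mail from an unknown server as a definite failure; the other three records leave the same message at "softfail" or "neutral", which is the gap the CipherTrust figure describes.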
Dean Drako, the CEO of Barracuda Networks, a maker of antispam appliances, said: "We're big proponents of SPF, and all our boxes support it. But we have to recommend to our customers that they do not do any filtering on it, because there are too many false positives." False positives are messages wrongly identified as spam.
The ultimate benefits really are in the future applications of email authentication, attendees at the authentication event agreed. Email security companies are working on accreditation and reputation services for email. These systems look at the email sending habits of a particular domain and include that in the decision as to whether messages should be junked.