E-Mail authentication fight looming: Microsoft pushing Sender ID

Douglas Otis dotis at mail-abuse.org
Wed Jul 6 20:48:36 UTC 2005


On Wed, 2005-07-06 at 15:23 -0400, Rich Kulawiec wrote:
> [late followup, sorry]
> 
> On Thu, Jun 23, 2005 at 05:42:17AM -0700, Dave Crocker wrote:
> > The real fight is to find ANY techniques that have long-term, global 
> > benefit in reducing spam.
> 
> We've already got them -- we've always had them.  What we lack is
> the guts to *use* them.
> 
> As we've seen over and over again, the one and only technique that has
> ever worked (and that I think ever *will* work) is the boycott --
> whether enforced via the use of DNSBLs or RHSBLs or local blacklists or
> firewalls or whatever mechanism.  It works for a simple reason: it makes
> the spam problem the problem of the originator(s), not the recipient(s).
> It forces them to either fix their broken operation (any network which
> persisently emits or supports spam/abuse is broken) or find themselves
> running an intranet.

The looming battle is not about a reluctance to utilize reputation.
This "authentication" effort is a shift from using the remote IP address
into utilizing the domain name.  This changes the nature of how
reputation affects shared servers.  A name is more specific, and at the
same time, more pervasive.  This change to the use of domains is
progress.

However, path registration is really just an "authorization" mechanism.
Calling this an "authentication" mechanism presumes the domain owner
enjoys exclusive use of their domain on the server.  While this may
satisfy the typical bulk email distributor, the average domain owner may
discover they remain prone to forgery.  Such domain owners may also be
harmed publishing server authorization in this case, while creating a
support nightmare.

The user-feedback reputation schemes suggested overlook the uncertainty
created when which header or parameter being assured by the sender is
unknown, or when domain exclusivity is not maintained at the server.  In
an era where networks are often populated by zombie systems, this
oversight is troubling.  Unless the domain owner administers their own
servers, and doesn't expect messages to forwarded accounts not to be
lost, then they should consider using a signature based alternative
instead.  In addition, signatures will likely represent less overhead
than path registration.

Path registration, due to the need to place higher priority on unseen
headers, will not offer effective anti-phishing solutions either.
Signature based alternatives again hold greater promise for
anti-phishing as well.  There are few email recipients that do not use
various types of black-hole lists.  As this battle shifts into using
domain names, be careful.  Make sure you can defend your domain's
reputation.  If not, a name-based reputation system directing your
domain's email to a "junk" folder will having you longing for the good
ol' days of black-hole lists.

-Doug








More information about the NANOG mailing list