E-mail Is Broke! Authentication Can Fix It

May 25, 2006
Despite 1 billion people using e-mail every day and 80% of office workers valuing e-mail above the telephone, no other electronic medium suffers so greatly from abuse. Some 80 billion of the 100 billion e-mails sent each day are spam, ranging from the me

Despite 1 billion people using e-mail every day and 80% of office workers valuing e-mail above the telephone, no other electronic medium suffers so greatly from abuse. Some 80 billion of the 100 billion e-mails sent each day are spam, ranging from the merely irritating to malevolent viruses to thieving phishing. We've had almost 25 years since the invention of e-mail to clean it up, but problems increase.

Among the core problems is message spoofing, which phishing e-mails use to defraud consumers. The example e-mail shown here wasn't sent by eBay, though the e-mail clearly states it was. Unwitting consumers would click on the link, log into a fake eBay.com site to address the fraud issue, and unwittingly provide their eBay login information to a criminal.

To understand this, we need to rewind almost 25 years. E-mail was born in 1982 with the publication of RFC (Request for Comment) 821, "Simple Mail Transfer Protocol." Unfortunately, the technology was created at a time when the ARPA net connected a handful of trusted colleagues. The authors couldn't imagine 1 billion consumers linked by high-speed Internet connections.

The outcome is an e-mail technology that doesn't verify the sender's address in any way. "Senders" can appear to be eBay, Chase Bank, or even irs.gov. This lack of authentication is the root cause of many of today's problems with e-mail.

Phishing is trivial. Spammers damage corporate and personal reputations every day by spoofing domain names. Anti-spam systems can't use these domains to distinguish between good and bad e-mail. And, 10 billion undeliverable bounce messages are misdirected and sent to innocent spoofed domain addresses every day. More than 50% of U.S. enterprises reported an e-mail outage in 2005 just from the volumes of misdirected bounces.

The good news is that some great engineers are working on solutions. The two main solutions being deployed are Sender ID Framework (SIDF) and Domain Keys Identified Mail (DKIM). SIDF is associated with its main sponsor, Microsoft, while DKIM is associated with its primary authors, Yahoo! and Cisco.

SIDF is a path-based technology that authenticates the sending domain based on the network path the e-mail took. The originating IP address defines the network path.

For example, our "eBay" phishing e-mail originated from a dynamic IP address owned by a broadband network provider in Korea. The eBay Sender ID record in the Domain Name System (DNS) lists IP addresses that eBay uses to send e-mail. A quick check shows that the IP address in our example e-mail isn't on eBay's Sender ID record.

DKIM authenticates sending domains based on a cryptographic signature within the e-mail. The eBay phishing e-mail had no DKIM signature, so it's unlikely to have been sent by eBay. When eBay signs all outbound e-mail, we immediately recognize any fraudulent e-mail sent in eBay's name.

Drafts of the SIDF and DKIM specifications have been submitted to the Internet Engineering Task Force (IETF) for approval. Finalization is in progress for both. While authentication technologies move ahead, though, engineers all over the world must help.

First, get involved. Visit the IETF Web site (ietf.org) and search for the latest SIDF and DKIM standards. (Drafts are constantly being updated.) Review them, join the working groups, and lend a hand.

Second, encourage your company to adopt both technologies. While the standards aren't final, the technologies are mature, with 35% of e-mail senders using SIDF and 10% adopting DKIM. Take the time to understand the technology, find an example from your inbox of how the technology can help, and lobby your IT staff to help fix e-mail. Lobby your home ISP while you're at it too!

Finally, encourage responsible e-mail practices. One of the worst practices is accepting large volumes of spoofed e-mail and then bouncing them to innocent parties. Encourage everyone not to toss e-mail trash on the Internet. Instead, put it in dev/null.

See Associated Figure

Sponsored Recommendations

Comments

To join the conversation, and become an exclusive member of Electronic Design, create an account today!