Friday 25 May 2007

Locally-Maintained Reputation

In response to yesterday's blog post, Cisco DE Jim Fenton* wrote:
reputation can be locally-maintained. Local reputation is not as powerful as shared reputation services, but does provide benefit in the short term.
Yes, that's right. Local domain reputation is often expressed in terms of whitelists and blacklists. Without sender authentication, these are notoriously unreliable.

It nicely illustrates one of the benefits of authentication.

For example, users of anti-spam filters sometimes find their colleagues' email in the quarantine, so they add a wildcard whitelist entry for their domain. They soon discover that a significant chunk of spam will have their domain forged into the sender address. Without sender authentication, there's not a lot can be done about this.

However, with sender authentication, you can have a whitelisted domain entry that only allows the message a free pass if the authentication passes -- otherwise the normal spam filtering rules apply.

You could even impose a local policy that says if a message "from" our domain fails authentication, we'll reject it as spam, but this is probably too risky, at least in the early stages of deployment.

* - well, they claimed to be "Jim Fenton" and I assume it's that Jim, but perhaps it was a dog

Thursday 24 May 2007

CNET's Error Explaining DKIM

Declan McCullagh, writing in CNET, makes the standard schoolboy error of assuming that email sender authentication technologies are "antispam techniques."

They're not.

DomainKeys Identified Mail (DKIM) and other sender authentication technologies are simply ways to detect forgeries. At best, they give a partial indication whether a message is spam or not, but their main use is to allow recipients to look up the reputation of the sending domain.

Detecting phishing attacks via sender authentication depends on legitimate senders, such as PayPal, publishing information in the DNS. An email that purports to come from paypal.com can then be verified against that published information.

Of course, this doesn’t stop phishers from using similar domains, such as verify-paypal.com. Many users won't notice the difference. A DKIM test will "pass" because the bad actors own the fraudulent domain.

In other words, DKIM alone is almost useless. That's why we also need domain-level reputation services.

For several years, spam and virus control has been assisted by the use of DNS blacklists (DNSBLs). These list rogue IP addresses and address ranges that have been observed sending spam, viruses, or other undesirable content. The lists are interrogated in real time, usually via a DNS query. Several spam control vendors use a form of DNSBL, known as a reputation service. These provide a professionally run service that rates the reputations of IP addresses—good, bad, or unknown.

So today, we have IP address based reputation services, but not the ability to track and report the reputation of a sending domain. In the future, reputation services will be able to track the reputation of sending domains, as well as of IP addresses. This is not possible today, as the purported sender of a message is too easy to forge.

Email sender authentication techniques such as DKIM thus provide the missing piece of the puzzle, by allowing services to track the reputation of a domain. So, as the use of sender authentication becomes more widespread, reputation services will become more useful.

And with sender authentication becoming more popular, trusted authorities need a standard mechanism to vouch for a domain name. For example, a receiving mail system may be able to use SPF/SIDF or DKIM to verify that an incoming message was sent by example.com, but it currently has no standard way of deciding if it wants to receive email from that company.

The Domain Assurance Council (DAC) plans to solve that problem by publishing reputation or accreditation data about a domain name in a standard form. This standard, called Vouch By Reference (VBR), will create a market for organizations that vouch for domains, allowing its members to compete with minimum friction.

By the way, according to his Politech bio, Declan McCullagh is CNET's chief political correspondent, as well as being a rather good photojournalist.