Spam and its evil offshoot, phishing, have become growing problems on the Internet. Not only has spam become a nuisance with its frequently offensive subject matter, but it is consuming increasing amounts of bandwidth. According to a report released by the United Nations Conference on Trade and Development, an estimated 50 percent of all e-mail in 2003 was spam, which may have chewed up US$20.5 billion in technical resources.
Spam’s annoying properties, though, take a back seat to its nefarious ones. Unsolicited e-mail is the chief means for spreading viruses and other malware on the Web. As much as 47 percent of all electronic junk mail in China alone, for example, contains viruses.
And use of spam for phishing expeditions threatens to undermine the integrity and permanently cripple the use of e-mail itself. Phishing involves the mass distribution of “spoofed” e-mail messages with return addresses, links and branding that appear to originate from banks, insurance agencies, retailers or credit card companies. The bogus messages are used to pry from their recipients personal information, such as account information, credit card or social security numbers, and PINs. Because the e-mails appear genuine, recipients respond to them and become victims of identity theft and other fraudulent activity.
There are many ways to thwart spammers — all varying in degrees of effectiveness — but if a lethal blow is to be delivered to these miscreants, it probably will result from the widespread use of authentication. All authentication does is ensure that a message received by you is from whom it says it’s from.
Although simple in concept, authentication is much more complicated in implementation. For an explanation of the issues surrounding authentication, TechNewsWorld conducted an exclusive interview with Ken Beer, product management director at Tumbleweed Communications in Redwood, California, a firm that specializes in secure Internet messaging software for enterprises — both commercial and government.
TechNewsWorld: Why is e-mail authentication important?
Ken Beer: There are two parties interested in knowing who e-mail is from. There’s the actual recipient. Why does the recipient need to know? Because the e-mail may be asking them to take some action. So the recipient needs to know if the action is legitimate. Because of the way the SMTP protocol is designed, I can put whatever I want inside the header and have whatever content I want. There’s no real good way to prove that the address inside the header is bound to the person who should own it. On top of that, you can’t find the identity of the sender of the content.
The people who manage the e-mail infrastructure also want to know who e-mail is from because they want to use that as a discriminating filter to block spam. Spammers take advantage of this loophole in SMTP to hide their identities. If infrastructure managers could do a test on a piece of e-mail and determine that the sender’s address is legitimate, then they could pass it through some additional content heuristics to determine if it’s spam. But if the address is illegitimate, then they can just drop it on the floor because there’s no real need to pass it along.
If you look at the really big e-mail processors — Yahoo, Hotmail, AOL — they’re all about trying to solve this problem because they think they can drop 30 to 60 percent of all inbound mail and not have to worry about storing it on their servers and pushing it to their end users.
TNW: Isn’t a big concern with using authentication schemes that the wrong mail will end up on the floor? Isn’t a lot of mail already dropped?
Beer: Yes, a lot of mail is dropped. That’s because of the “false positive” problem — for whatever reason, legitimate e-mail gets dropped or quarantined or delayed. That’s a huge problem. It’s the number one problem facing antispam vendors today because large enterprises can’t afford to have any false positives.
Sender authentication can solve a lot of the false positive problems. Today, a lot of the inbound filters will use the concept of whitelists and blacklists. The problem with a whitelist is that it searches for a string of characters. What spammers do is just take legitimate e-mail addresses and stick them in the “from” address in a message header.
To make a whitelist effective, you need to prove that mail that says it came from someone in fact came from [that person]. One of the promises of sender authentication is to improve the effectiveness of whitelists.
TNW: What barriers exist to widespread adoption of e-mail authentication?
Beer: There are two categories of barriers. The first is that both senders and recipients have to agree to use the same protocol. Because we have such a heterogeneous environment for e-mail infrastructure vendors, people are waiting for those vendors to agree on standards and to put those standards into their software.
To add to the confusion, you have three different authentication schemes from three of the largest e-mail processors. That’s created the perception that there’s a battle, that the schemes are mutually exclusive, so people are waiting for things to settle down.
TNW: What about the existing scheme of digital certificates? That’s been around for years, but it hasn’t gained any traction.
Beer: Right now, when you’re talking about e-mail, you’re essentially talking about two parties — the sender and the recipient. When you talk about certificates, you’re introducing a third party. Those third parties have seen issuing certificates as a means of making money. VeriSign introduced the service in the mid- to late eighties, but people weren’t sure they wanted to spend money to do that.
Then the model moved to the enterprise. The vendors delegated the authority to businesses to issue certificates to their employees. That model took off in financial services and government.
But that created these islands of trust. A certificate will work with the servers of the company that issued it, but when it’s received by someone else’s server, they may have trouble verifying the certificate. That really slowed down the use of certificates for Internet e-mail.
You have to remember, too, that when these certificates first began to appear, the issuing authorities pushed them as a secure way to do e-mail. That meant encryption. The steps to do that were pretty convoluted. None of the technology vendors could figure out a way to make it transparent.
TNW: Why do you think S/MIME offers a way out of the current digital certificate quandary?
Beer: With S/MIME, the process of applying a digital signature doesn’t require that I know anything about you as a recipient. All I need to know is your e-mail address. I’m in control of applying my own digital signature. If I can assume that you have software that understands the S/MIME digital signature standard, there’s no danger of me sending the mail and you not being able to read it.
In addition, if I send you a mail and you’re a Web mail user of something like Yahoo or Hotmail and I know you’re not going to be able to verify the signature, at least you’ll still be able to read the message. You’ll see the text, and you’ll have this little digital signature attachment with the mail. You may not know what to do with it, but at least you’ll still be able to read the message.
One reason that S/MIME signatures have a lower barrier to adoption than other methods is that it’s entirely under the control of the sender.
We have always acknowledged that S/MIME won’t provide you with a 100 percent success rate, but with these new authentication schemes being proposed, you’re going to have to wait for a critical mass of the Internet to support them on both the send and receive side, whereas there’s a nontrivial percentage of e-mail clients that will let you do digital signatures with S/MIME.
TNW: What do you think is the most practical way to obtain high adoption of e-mail authentication?
Beer: It’s got to be transparent. It’s got to work automatically in people’s e-mail clients or, better yet, at the recipient’s e-mail gateway. There are a number of error conditions that must be dealt with, and it makes more sense to deal with that heavy lifting at the gateway rather than burdening users with it.
TNW: There have been suggestions that spam could be controlled by making users pay for each e-mail message they send. What do you think of that notion?
Beer: If you’re going to require people to pay money, you’ve got a huge infrastructure problem. There’s no existing business model or payment transaction confirmation model to layer on top of e-mail to make that work. I think it’s really pie in the sky. If you want people to pay using processing power — so-called hashcash — that’s a little more reasonable because it takes the end user out of the picture. It’s all done at the server end. But that suffers from the problem of both senders and recipients having to support the standard.
You have to address the economic model for spam, but these authentication schemes will eventually do a good job of reducing the bulk of fraudulent e-mail; they will do a good job of assigning an identity to spammers so that law enforcement can go after these people. But the truly industrious spammers and phishers and fraudulent e-mailers are going to find ways around these authentication schemes.
This story was originally published on May 5, 2004, and is brought to you today as part of our Best of ECT News series.