Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Authentication Is Not an Anti-Spam System



 By: Larry Seltzer
2004-09-07
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: Already we're hearing it, that spammers are beating SPF and the other authentication systems. But the truth has always been that authentication is only a tool for anti-spam systems to use.

Even though Ive already declared Sender ID dead, I maintain that some form of e-mail sender authentication is inevitable and necessary.

Now we hear that spammers are embracing authentication, with the implication that theyre so smart theyll undermine it by being part of the system. But its always been important to understand that authentication is not a solution for the spam problem or the phishing problem; its a means toward the solution.

I like the analogy that Meng Wong, the designer of SPF, uses. He says that Sender ID is not an anti-spam system in the same way that flour is not food. It doesnt end spam; it ends forgery. (Actually, some people argue whether Sender ID ends forgery effectively, but lets assume theres no such argument for the sake of this other argument.) The same issues basically apply to SPF, which is what everyone, including the spammers, are using now.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Far from showing how clever spammers are, adopting SPF or other authentication standards plays right into the goals of the system. Nobody in their right mind would allow messages in just because they authenticated. The next steps— the other ingredients to mix with the flour—are reputation and accreditation systems.

Resource Library:

Reputation systems are rating systems that tell subscribers whether an authenticated source of e-mail is a known good source, a known spammer, an unknown source or whatever. An accreditation system, such as IronPort with its Bonded Sender Program, involves a third party that vouches for the senders reputation as opposed to passively tracking it. A site certified with IronPorts Bonded Sender must adhere to a specific set of practices and post a bond to be debited whenever they are determined to be in violation of the terms.

So its no trick at all for spammers to register a zillion throwaway domains like getrichwithherbalviagra.com, but these domains wont obtain a good reputation and it wont be long after they start spamming that they obtain a bad one. The best they can hope for is to get some mail through for the brief period during which they have no reputation to speak of, and any intelligent mail system, even in the authentication era to come, will treat such mail with increased scrutiny. And, of course, recipients could whitelist domains that dont necessarily have a satisfactory reputation.

This is why Ive tried to say all along that authentication systems dont replace filters, they make them work more effectively. Reputation systems, along with white- and blacklists, work as a triage filter, removing large amounts of mail that is known to be good or bad, and let the filters look only at the mail that is truly unknown.

Reputation systems have existed for a long time and dont have a good reputation themselves. Spam blacklists are not well-respected because of an unacceptable level of false positives (I know, Ive been an innocent victim of them myself). But authentication will make reputation a more reliable characteristic to track. I need to spend more time in future columns looking at the issue of reputation and the enormous role it will play in the future.

In the short term, recipients have to treat senders with no authentication records in their DNS as suspicious, but not an automatic block. In the long term one might be able to automatically block all mail that comes from unauthenticated domains. At that point spammers will have to include authentication records. In the short term, I think authentication only makes them easier to track down.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  

More from Larry Seltzer



  Reader Comments: Authentication Is Not an Anti-Spam System
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}r㶲s\@♵MQG-y45SHHbL IVrO]'7nBIL&{& 4Fw?Hp4ô1f%STI}"I{hCH~0`R)rdxBԲ|WRjk99r z=F"wx '@PL9uΜ}ٜjc6h2 X m (kzZ'|5{ss!&H}<K QG;i0EGacoN{e376mBu Bd+B(?F# c?C=~'Cp_CaUw0vJ]KwS +629zP!V^ s9Fȹ3Z$nPrNWw#25AR Z@[ ;4ԘDOeCc`Ww,ǃT* TjQ5#mjZ35-3GؾQ̀QA3E5L_C($fR[8=/yz]htVu ̿ykײ*CM{6̳L]nlb#6fjmCO|l ͟P>AuӱnGGH5#o83t6 dݺ;VrP jrX(Ei΃oĩq3}۷?һ(TU-/{W `hivd5M-0ӛn{'WO틋wq@.[A~N7"DT-JR,ODC{aOlhx:~HsrT㕒~T7jJtXT Z, Ԏ$0L" AK1zĢ(C$NߒM-~k~>CF,[sAVU衂ĠʠW:+㽩S=k>_rvZ9ސVSCRU<86wܬ.U$ԴX߹-~RށYxnuŧvІ)gF8 ,H!e޴$8WG9UGZ9U"eY`P)1q+-~~b0B m]& :fV|,|PtZG6O=Sji}vkh|?ƒ(6hʋMPsiOL@sՇt54AͣPo]=&ufo7LAb߇@c`Ns!DAЂNx>4TێM6}l29<8L&&ZArW4#` VPCh' 6)$@}>\tv64-P3RN\Qo@-2(%łdhs4.'P(BHP!9k 99 ŌP~ޑzR.%rP.o=!đtጝR.?K3aGe5n^ _ 23CEɴ"Y9yDU#BU`B]ᛦLMam`DݚA, ǪzX1MZڣc==3̴ ҄%Lla4POjHL\Td٢S9`cyp*m'ȓcS2Gla挽 s>xFvOM- ͜6,'>!&B~`Z&4D 7q9k準I`L)^\IIbЙj!@ xl\6ƖuV"k̲Fm^dћA| ]օVP@yC dlK kZ>%/մE$$BYv`m.EGKdt- &u;@=pll}5G0_\큢KQ"OLXZsXji GL[aHZ{~8`Thb82-|?x;ڈySQ_)~Dkd"vd\6˰@m98آ4Q{ ( J&R4jл@ykv0$4`m\ 1H#0/`k .^@>^hCK'"VcEs V-EAN-)o-gwq0$ZcK& GpӞrVyCf?K~2ԪbVmƆZQrTU߬L3no)'@S$f|ǁ3翼;qS}`1gsp@o)@gf!ڜAGשXTex͘/ ixX(-D# w+NJ R0=f^9/&?L!IC8D"pLΨ-g>jנr8@z}0d٤S,H5qRCY w7ZAU[K;3]V< OP: zC؃LhBOuҜNwyT>RRjELRG ?bqm@`T T R֊ {fVg7{}h#R @ h! J{ZCAm1ݩZGw]܁c2P=[I(T\g7cUE]6U{zn&)j-Ue=4 cI뛗'nz2-rfF7V"-_%d퀁ȘY%Gj1m8W~E50>OD_ Fb&*T~\{)3p322Ow}\cpaNpgDf Z;A9Xhb9BJiRx` fΔ|l <]G=TAIxnPPÊ Vj;{؇v͵K̼vZÄqnY(*"5@Z i2Ɂ㚺/k3OS~a y M\6%Qhh^Acf̚ÒfDs4*.I,G 5e fG*͐;YQksZb()gI@; cg?fmy`:Jbe4qy27)۞kZM_L7 xG8 ?wśf 3Nrl(UJZVJ=٘ȥiG\PR=\$Kr]NV[_T ad:Cd`| !A)c#d1~l'l{H #? *7~.YSHC+#I x\ʍ8 ӄ;}"[Xa3 1114/xyq`Z o@/I6S.P;;l~G\I4m??"ESuYs0q3fnt319ow>8VvTGZ`6"uZ1UnZR&øoٷ( K1cbvm ɶW2z^^7[醗a ]孀 tsټй/vv/7(1\dcx(`F1ypuĂU8B*DEyp|hq\3nmG 'EL9\=I];fW쐺C toZN,8;XMR!m%۪2>C٠k<]?V֭Ě_fbB!I|FهA(l1@+JF:HvZfp6"B4X 1tJ zE/b)%Q\(둞OY[}ڽir3 lo}AFNd^vZ-[I7S+d$ #=]/8ʚ=?UVOju>!+T|㿜Y^$M aPxe`s A\~jiԎ(%T \ /"[O[t=1a >GxI;ɰu͒:h,5 2)!Mp)|Lk'IZV6X(UT%!TT^ҌObCYF*]' һn^mpPpR. Psa纱yx492i(5~yNH>١')-& :*VjRZz]XgUHN~DC 6OY`09+R~MȩrxXuwj̣cy~"ѴGNxL7Ď# qYBK+: CW ./lv6}`FȢ*i{?d̎%j{`ֳs4GӜM)|s99<3m~*`'6<n8Eqܚx,3y3KGÙj]LV\uyoߐ9ar҆s JA5cs􆿿|¯ *{s\'伉~+ћ^Q/,dk.}?H/KO n4M1n鐇dLc!I +WUw7}9Ȝ9%'r{ld+N$^d17KPdƛ%ztA RG3[gȞx~G7׷LbRcR?C?'X} ~W*];I9뻿P;YjYU9/r\5"nZ^8|W90N=y$/@vm ,D>?G{o[DL;*pc޸MqlĨ`box?iԴaf.krxVn\?ⱠBE=,b>:hsvvTG:t.%7^p6}"p8by<3 2BF])V+?FQ=];`mGguiW.}V'Fo6pS,Pɐ w]# 1f~Ï96sLjI{IRơpS)? MYЕuYRJ &CBrTt,\!C''C/KK#: <ebL0fQ/@ya 2j!z\t3 Gp3ؼA ~:#]Z ,{!$v~»zivP+mK.lI aB4$6M]oHbg"| D eb8g ڗo!<;tАB( P"4LsO,4x$)Mvˠoq0LK&]qS'IJG8}0pz6 )t[JT޾D/JڶR|qzifI%.(,[hK .0hO &( SI;͠&?Ѝ0C="p,~]D,y:);1*mэ$-@Zt‚e[X!RGK~]$S vT8ԭQH#ywҙl*@`rc ݭt2AȄA& 2A! 4a6E9H DL4VnG Pݖ+/.:];^ 5 Çc`)(J#ϐR!tcJD"_${tEti]&om)?:ufJ5RC+fA P`b0$ "v}6vɽ#bq-X228BЋ}WWWW}R.jϷ%̬xԾDQhU PG m K$ ,~XaK02Y(2Hr^َďĢߋH2]z.= 2g3 MZPūnpף鼄Wu/E;e`hL^Yn=Z/D#_!&_%_[3RE3u^a~x:KOLx&Qspᑸ:mOׯ/KCܒK/nS'^ hZ=.`ر(ɚ 7QRǎ-)$,Mn*,[n%YƘttiSNDZڈc?WqpWEoN a][ _{F˒g!nI٣@C p{Yff@1deqhKgml~'s6̸堿5lթcYxS-R7= jMQ ֐AX>ڍpKvJd5BV`KuVfT9͎͎͎͎Qj\Q./^ބ!ƤЙA`aRYk`$oHxin^_J3?vw>6mY*9K9$.0׎k~0/EX)濖hZ?0?_Hf#;YZcH*u]=.'ygj$ v`!2[vm?d0ή0;ﵙEG?F(#$JC]>o6OxLg$Hb Iv N56dx}UԱGd:.Zkt(, A(`Q$ҰW=)On66ff}S:w]直,2&I(DeI\Sn{yڑhCA~NN˫݌=ފ匝A"g")_g˙^v /e42rW?宦 Kj⍿=4Gff7u"(`ks2D19Ml߼ )тLfERroAݶ{{ƷD`W2;:OR0,]{ԹKqf Y,Y^.Yyy-b ~2oH@84kQY#ք kIHcc;wnpƊ8e[C@WD,Iz筯/cc>&;I ~w/K}v[ W'V-< /,5A\Nܓ佨a47|b%6Y.#;g(2dIAle"7?tX>φx~SYǰ6#hD<|QAv,Wqi1-wF  Z1QJC gȵaNc2e1A0 0.$o,S`,V6Y`aV3/0q[n]WٗLGր^ta )V+M_aRM:'盫;"|5˅)P+%7ė [Eėn!~O JAk(G>şR-G nb+-]TU,Xm^?KR] ίяTeQO!'(UsAmJ(aZ$Ʈ,Bj !-DȮH~aIzŝE*$49QmENu1'P 0R_rZ%GB8AXd1 wqy%bHFPxҼ񦚵0paXbSYYh T!icb9¡s\ { ]N1xy[?L̀+5&L6P:qV6'fC!Lq':grY-kTۚgIp\\*AEL>IߜRK,kG 6KӼ>ķd1m{r|q_ZQ`kh% 3!~+ (CqWxe%F¯[q{u >dީ3iѩ Huwܦr73>н^3B{sitVE=/նS==E[XYrRfp ʹ{[Vjƹ.04&n=5x \N>#V̯R߃~}%|==oEiw\tǾB ]P] aL_ňV\>fD9mFN&#OeLUR ÍDU<11t+PjNTLO0Y=XCE3>Vo/?VH o[кexxJ8f۶ Ol%W0O @nmxX8TDv2ɇh+bYiF$Y~Gd&$qp4`G0; krkEVIz# -@E슍\a+{PB @q7ڷHj.~ 1X$;3&{T`#owڜGw[;j'lI|T+ois@- [zq٥0;?ra)?DrБ`b'r)c*۟oz5 Qݹ ?ч! g@6L-nxIAX#hbG#Os3MǸۭs X0! ^C.xu?pXtL n#b"1aں5c3bvt] y[^8 k?,Px,[{GǙ9fQs۾@bh~H-*L6qY@y+DLMڠAa{~Lµ!Rrs% h/xm›f48 1zq"Og8=ܕɭxtdj,yǥ}С5NGjp |obyLgN~좾\b @qǹԐ0(J$!Ѕ8i,)@"!9͉ k$}uúޝ/#~|aЇ8\ ] 5Z(_BVBweX &Z(—nJ̊g2q ą&JZ {AzNRsdhhz?B=k@%Ոɵ?#4/> iv>No:N/x ZѶp+t{sm}>^>\o:W} *U:S0/6`Jd-!bձ4 W?Gz MSr:r:ٙE/KN#CE@oAKe>sUUoE a׾hIk*5/(/6//23_2o f}iwfw!_駐~> s?O?VieC:CL*#hϽ\^FgH>_dٮq1>ˌ_, ^~.3s %e}^}^f'UF>AsH?H##/3a|2 *`2Ư f ! _:>uF A{A{3/H@_3J}'ߧ BmV:mBf_ryқ|ּƅ)IFz98ɠrEV*SV:,2!=CU A/nt3 ܃f cp2 #GYwT+3iKЈwS+=*9n ٍ݀9 #p /}.nmG;yh=];X;Yo%P.CIsge'N:2O *WXn- ǡ8Л=ʹ}FzއVV+p3Nlc}k~?W=}sռ\7?G{6ٓ̓GӠS7US !Pa໯0dp=s礏.ŁS wC-3@r:=bهF" Ctuy9L"hh8 p pg1.`b`wƨx%UHM&Dc a3 îz)v%|}r 1)T᧭AԃD%aZ#跘XNƀ_ð@;]q6sx2&QDBr3Ë,<T#0?fu|q+6d益F)\O_^ۍPpxufL~.Bx;C$_ Hwaxzi='1MD+fAl!3´g잓 }'jsH!L&dϒ[l,)+S/!I/kQ `8wN 04 6 郇rC+.Ġ/>''TWB&,*3Up6n:8YZt<&~X s#b;MA5#>;ql>9kso2& 6# 4J$ 0Z< @SĠC)de _~jF߭eh#əW BzX Y8[T"?bLu& 1o!):f*HԶx*D|IBO/C3Obx`#Yб ߞR DO"Ntx:mKd7i-YmmˊL 3t#[G3RVVФA񿄷zH,Ǻ 7Aa)W|B{,;Kl`NB`t09լ`"sv3l]@/;64 SL+4$Rx4)eh[b }ic%p'!MX0 <ձ]w O 7f#9e5 1/>$(+nOvGDg>V'هl4=p6g@!{ohI-COx r8`kL܏-|0qGĶ2]|R4OepvRvc ;93_ZmrΦ(@P W9-By6Z ^|:y-E{"fwFalhd%kFM`Wpۂ{iWeRpCV)tnOĕደANx3NEs,^rXٻ&g8NRjãō $cO)xH>%7mAb;kڱL}aOq,Ic"aX!%ӪrX5lQozc|>[z0 _jPpP9˓ ha0+>+:`5hs&ǂ!pfa=fSCG# τ 4}v[zT<1@TF_E@G7dqVĄFѵb\RJfrmuSk 60M݄rE"4pkq=yezИHpK<9rg.Y^8XpT/>% ow2b9_ydOȅ^_YG7X]t1^0ʳU_:k^v.>qJzfkgDK;O(F28p?Z|ڽ`ghiO=i%-9EMB޴i B"Dwl:W񲞽P7vqr̳#P1TߛiVN$7yhEѓem*Pv g۲N* d%rR⊫3EiQm*'Cfcne߄;66BJFslx61yE*^)