Reputation is the key

By Larry Seltzer  |  Posted 2005-06-03 Print this article Print

But the real key to authentication isnt the authentication itself, but what that authentication enables for reputation services. After all, authentication just tells you who the sender is (or rather, who their domain is). It doesnt tell you whether the senders mail is worth reading.

This has led to a common misleading story about authentication: that spammers can make it impotent by adopting it. We have read about large numbers of spammers publishing SPF records or DomainKeys records. In fact, by doing this they are playing right into our hands.

In a world of authenticated e-mail the first thing you would do is create a whitelist and populate it with known good senders, probably the contents of your address book; and you might have a blacklist too. But if you dont know about a particular sender you can ask a reputation service. These services track mail senders and information about them.

When you ask the service about sender X you might get back a level of confidence (y%) that the sender is a legit sender or a level of confidence (z%) that it is a spammer. You might get the number of complaints that the service has received about that sender in the last day or week. You might get information about the senders policies and whether the sender observes them. Different reputation services track things differently.

Now that you have the reputation information for the sender you can make a policy decision. If all you do is accept mail from domains that authenticate then youll accept a lot of spam. If a domain doesnt authenticate you can still get reputation information about the IP address of the sender, and you might also decide to distrust the sender because it did not authenticate.

The other trap spammers, phishers and other malefactors fall into by authenticating is to make themselves much easier to track. Once they are identified it becomes easier to shut them down and, even better, sue them. Facilitating litigation against spammers is actually a deliberate goal of the DomainKeys crew.

How can consumers and ISPs and enterprises make sense of a large market of reputation information? One interesting proposal is from Wong. It is a reputation aggregation service called Karma and is still under development.

There are a lot of companies in the reputation business, including Ironport, Cloudmark and Habeas. There are also all the RBLs such as Kelkea and Spamhaus. This latter group has focused on IP address-based information, but theres no reason they couldnt supplement with domain information. An aggregation service like Karma could act as a single point of subscription for users. The more a user pays, the more data goes into the judgment about the sender.

This is a model that could work. Combined with other responsible security policies, such as requiring SMTP AUTH and blocking unrestricted use of port 25 from dynamic addresses, its a model that could make it much harder for spammers and malware authors to deliver their messages. I wont go so far as to state that it will work, but its the best idea Ive seen so far and the only one in which I have any hope.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel