Authentication Is Not an Anti-Spam System

 
 
By Larry Seltzer  |  Posted 2004-09-07
 
 
 
Even though Ive already declared Sender ID dead, I maintain that some form of e-mail sender authentication is inevitable and necessary.

Now we hear that spammers are embracing authentication, with the implication that theyre so smart theyll undermine it by being part of the system. But its always been important to understand that authentication is not a solution for the spam problem or the phishing problem; its a means toward the solution.

I like the analogy that Meng Wong, the designer of SPF, uses. He says that Sender ID is not an anti-spam system in the same way that flour is not food. It doesnt end spam; it ends forgery. (Actually, some people argue whether Sender ID ends forgery effectively, but lets assume theres no such argument for the sake of this other argument.) The same issues basically apply to SPF, which is what everyone, including the spammers, are using now.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Far from showing how clever spammers are, adopting SPF or other authentication standards plays right into the goals of the system. Nobody in their right mind would allow messages in just because they authenticated. The next steps— the other ingredients to mix with the flour—are reputation and accreditation systems.

Reputation systems are rating systems that tell subscribers whether an authenticated source of e-mail is a known good source, a known spammer, an unknown source or whatever. An accreditation system, such as IronPort with its Bonded Sender Program, involves a third party that vouches for the senders reputation as opposed to passively tracking it. A site certified with IronPorts Bonded Sender must adhere to a specific set of practices and post a bond to be debited whenever they are determined to be in violation of the terms.

So its no trick at all for spammers to register a zillion throwaway domains like getrichwithherbalviagra.com, but these domains wont obtain a good reputation and it wont be long after they start spamming that they obtain a bad one. The best they can hope for is to get some mail through for the brief period during which they have no reputation to speak of, and any intelligent mail system, even in the authentication era to come, will treat such mail with increased scrutiny. And, of course, recipients could whitelist domains that dont necessarily have a satisfactory reputation.

This is why Ive tried to say all along that authentication systems dont replace filters, they make them work more effectively. Reputation systems, along with white- and blacklists, work as a triage filter, removing large amounts of mail that is known to be good or bad, and let the filters look only at the mail that is truly unknown.

Reputation systems have existed for a long time and dont have a good reputation themselves. Spam blacklists are not well-respected because of an unacceptable level of false positives (I know, Ive been an innocent victim of them myself). But authentication will make reputation a more reliable characteristic to track. I need to spend more time in future columns looking at the issue of reputation and the enormous role it will play in the future.

In the short term, recipients have to treat senders with no authentication records in their DNS as suspicious, but not an automatic block. In the long term one might be able to automatically block all mail that comes from unauthenticated domains. At that point spammers will have to include authentication records. In the short term, I think authentication only makes them easier to track down.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  

More from Larry Seltzer

Rocket Fuel