    SMTP Authentication Hits Standards Track

    Written by

    Larry Seltzer
    Published May 3, 2004

      SMTP authentication is coming. But in what form?

      There is a broad consensus among experts that SMTP authentication, by which Internet mail servers will be able to confirm that messages sent to them come from the domains from which they purport to come, will help to fight spam.

      Nobody thinks it's the cure for spam, although many (myself included) think it's a substantial and necessary ingredient in drastically setting back the infection of spam on the e-mail system.

      Several major initiatives have been announced over the past year or so, the big three being the Sender Policy Framework (SPF, formerly “Sender Permitted From:”), Yahoo Inc.'s Domain Keys and Microsoft Corp.'s Caller ID for E-mail.

      At a regular IETF meeting in Seoul, South Korea, in February, a formal IETF working group was created at the urging of SPF advocates. The group, called MTA Authorization Records in DNS (MARID), has a charter that is interesting and, for the most part, admirable.

      The group will focus (as the group name might imply) only on MTA authorization, and only on DNS-based mechanisms. It maintains a fairly rigid and aggressive schedule for making certain key decisions.

      The group is an outgrowth of the Anti-Spam Research Group (ASRG), a part of the Internet Research Task Force (IRTF). The ASRG has produced a digital mountain of discussion but not a whole lot of consensus on actual solutions, and there's way too much topical variety and digression on the group's mailing list. All of this is perhaps why some folks went to the IETF asking to be saved from themselves and to have a standard put on the “railroad” track.


      The group really began talking about things just about a month ago. According to the charter, there are major decision-making milestones in May and June and a working-group document submission in August. If the process only amounted to rubber-stamping the SPF specification, the schedule would be a breeze to meet, but as I have said, there are three major proposals with big differences among them. There's no question that someone's interests aren't going to be met.

      A bit of technical background is necessary here: RFC2821 is the specification of the SMTP protocol, including some addresses used in what is called the “envelope” of a message for saying where the message is going.

      RFC2822 is the standard for the format of the message transmitted by SMTP; this includes all of the message headers and defines what the user sees as the “From:” and other key addresses. SMTP authentication proposals generally focus on one or the other of these.

      The chairmen of the working group, Andrew Newton and Marshall T. Rose, announced April 29 that the group would focus on RFC2821 identities, meaning envelope identities—basically meaning SPF.

      As they say, there is a strong consensus that further checking based on RFC2822 (message header) identities should be done, but basically this will be put off so the group can meet its aggressive deadlines, unusual deadlines for the IETF.


      Supporting RFC2822

      The chairmen also say they believe that the framework developed needs to be capable of supporting the needs of an RFC2822 mechanism. I asked Meng Weng Wong, chief architect of SPF, whether it is extensible enough to take on such a job and got an enthusiastic yes.

      “SPF was designed with things like Caller ID and [Domain Keys] in mind and is extensible to support both of them. No change to the existing specification is needed.” He is also continuing efforts to work with Microsoft and Yahoo.

      The authors of this new spec will certainly know that it's only the beginning, because RFC2821 identities are far from adequate. All a spammer (or worm) needs to do is to use a legitimate envelope address, and the message can come through to the user presenting fraudulent addresses. In other words, 2821-focused solutions don't do anything to address the phishing problem.

      What 2821 solutions do allow is the potential for rejecting messages without having to read them first. In other words, if you can determine that the envelope violates policy, you can reject it without actually getting the spam or worm onto your system.
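To make the envelope-versus-header distinction concrete, here is an added example (not code from the article, SPF or any MTA vendor) that evaluates a minimal SPF-style policy for the RFC2821 MAIL FROM domain and then compares it with the RFC2822 From: header. The SPF records, IP addresses and message are constructed; a real check would query DNS TXT records and handle the full mechanism set.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumption: no real DNS is consulted).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "bank.example": "v=spf1 ip4:198.51.100.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF-style evaluation: only ip4 mechanisms and the 'all' catch-all."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # no policy published: nothing to reject on
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def domain_of(addr):
    """Domain part of an address, whether bare or in 'Name <user@host>' form."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def evaluate(mail_from, client_ip, raw_message):
    """Envelope (RFC2821) SPF result, plus whether the RFC2822 From: domain matches it."""
    envelope_domain = domain_of(mail_from)
    env_result = spf_check(envelope_domain, client_ip)
    header_domain = domain_of(message_from_string(raw_message)["From"] or "")
    return env_result, header_domain == envelope_domain


# Constructed message: legitimate envelope sender, but the visible From: claims a bank.
SAMPLE = (
    "From: Your Bank <alerts@bank.example>\r\n"
    "To: victim@mail.example\r\n"
    "Subject: Account notice\r\n\r\n"
    "Please confirm your details.\r\n"
)

if __name__ == "__main__":
    # Envelope passes, so an RFC2821-only check accepts the message before DATA is read,
    # yet the header comparison shows the phishing gap the article describes.
    print(evaluate("<bounce@example.com>", "192.0.2.7", SAMPLE))   # ('pass', False)
```

A forged envelope, such as the same MAIL FROM sent from 203.0.113.5, returns "fail" and can be refused at the SMTP envelope stage without ever accepting the message body.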

      Some on the MARID mailing list have challenged the idea that you can do this reliably. Some of the challenges are reasonable, some not, but clearly RFC2821 is not the complete answer.

      Of course, if RFC2822 identities were easy and dispositive, there would be a consensus on them, but there isn't. Microsoft's Caller ID relies on these identities to address the phishing problem. Lots of people have problems with Caller ID, the specific proposal, not least with the comparative verbosity of the syntax. And there have been credible arguments that there are ways to get around RFC2822 checks.

      I spoke to Rand Wacker, director of product strategy at Emeryville, Calif.-based Sendmail Inc. Sendmail is uniquely positioned for this issue, being perhaps the most significant MTA vendor. It has no particular interest in one approach or the other and has been working with developers of all of them to bring working code into the real world, where users can experiment.

      Wacker said Sendmail would like to get a variety of approaches out there for real-world testing. Remember, you don't need to support only one; a single site could support multiple standards, and there's reason to. As Wacker points out, IP-based solutions such as SPF and Caller ID break mail forwarding.

      Even Meng Weng Wong has said on the MARID mailing list that he believes the eventual solution to RFC2822 authentication should involve cryptography, an allusion I assume to Yahoo's Domain Keys. Many experts I've spoken to admire Domain Keys and wish it were more implementable at present.

      Unfortunately, it faces a number of challenges, including the fact that Yahoo has never really announced it and certainly has no final specification. There's also a lot of concern that the cryptographic requirements will overburden old mail servers, but Sendmail's Wacker said that in the company's work with Domain Keys, the CPU requirements have been reasonable.

      All of this leads me to believe that the group is moving far too fast. I agree with Wacker about real-world experimentation. Is it really necessary to have a standard so quickly, when we're so early in the real-world implementations of the major proposals? I wish we could wait to get more experience with them first.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

