Even as some e-mail sender authentication schemes appeared stalled by implementation problems, participants at Inbox, the pre-eminent e-mail confab held earlier this month in San Jose, Calif., discussed server-to-server message authentication mechanisms and focused discussions on ways to combat phishing.
Less high-profile, but just as important to IT managers—especially in light of regulatory requirements—are e-mail storage and archiving technologies, which were also explored at the conference. The first principle of e-mail storage—that junk e-mail should be stopped at the perimeter before it is delivered to in-boxes—hasnt changed. But figuring out the best place to store delivered e-mail remains an open question at many organizations.
One bright spot at a conference dominated by messages of doom and gloom came from Bank of America. The banks report on its implementation of SPF (Sender Policy Framework) was good news because it shows that a large financial institution has started taking steps toward trying to stop the growing threats of phishing and pharming. Because these schemes can cost businesses vast amounts of money, not to mention their potential to erode customer confidence, other companies will no doubt be joining the fight.
The next step will be using authentication to build reputation.
Just prior to the conference, Bank of America announced SiteKey, a new Web site authentication service. The service, which is scheduled for phased release starting this month, aims to make it easier for users to know when they are really using Bank of Americas Web sites and thereby avoid being taken in by phishing scams.
Two similar server-to-server message authorization and authentication standards are about to join forces. Announced at Inbox, the newly minted DKIM (DomainKeys Identified Mail) is the result of Yahoo Inc. merging its DomainKeys with Cisco Systems Inc.s Identified Internet Mail. DKIM, which has been submitted to the Internet Engineering Task Force, uses public-key cryptography and DNS (Domain Name System) infrastructure, along with upgraded e-mail MTA (Message Transfer Agent) servers, to strengthen e-mail message authenticity.
Yahoos DomainKeys and Ciscos Identified Internet Mail are conceptually similar, according to Miles Libbey, anti-spam product manager at Yahoo.
“The technology is available today, and while there will be slight tweaks to the specification as DomainKeys evolves to DKIM, the core technology pieces that enterprises can put in place will be the same from DomainKeys today to DKIM tomorrow,” said Libbey.
Next page: No-spam, no-phish diet.
Page Two
Message technology companies that process, protect, store and filter e-mail, instant messages and, soon, SMS (Short Message Service) and possibly VOIP (voice over IP) messages are moving from plain old spam fighting to providing anti-fraud protection. What eWEEK Labs observed at the conference confirmed that no really new anti-spam technologies lie ahead. Instead, anti-spam vendors are offering beefed-up e-mail authentication and sender-reputation services. Reputation services verify that digital message senders are good, bad or unknown based on a senders e-mail transmission patterns and practices.
If senders obey laws (including the CAN-SPAM Act), send mail that is likely to be of interest to recipients and allow receivers to opt out, they will generally be categorized as good. ISPs will also likely vet senders to ensure that senders arent consuming undue bandwidth.
The future of reputation services was a hot topic at Inbox, but a more pressing problem, phishing, got the most attention at the show. Phishing uses e-mail to direct users to fake Web sites that imitate commerce sites. Once at the fake site, users are enticed to turn over identity and account data, which often is used to promptly steal money from users.
According to Oliver Friedrichs, senior manager at Symantec Corp.s Security Response Center, which screens approximately 25 percent of worldwide Internet e-mail messages, phishing e-mail increased from 9 million messages per week in July 2004 to about 33 million messages per week by December 2004. Further, representatives from Symantecs Brightmail Inc. unit said that 54 percent of nefarious code captured is e-mail with a malicious payload, such as a keylogger or back door, that can access confidential data.
The increase in malicious code that will likely infect corporate computers should be a key concern for IT managers. As phishers accumulate sensitive corporate data, it is likely only a matter of time before this data is used for financial gain.
Phishing isnt the only malware IT managers need to worry about. Pharming—where hackers exploiting weaknesses in the DNS infrastructure can redirect traffic intended for a real domain to a fake site—surfaced at the end of last year. And in the not-too-distant future, threats that combine phishing with pharming, in which bogus e-mail entices users to visit pharmed sites, are likely to outstrip phishing alone as a major problem for e-commerce, said experts at Inbox. “The reason pharming will exist in the future, and will eventually take over from phishing, is stealth,” said Scot Chasin, chief technology officer of e-mail security company MXLogic Inc., during an Inbox seminar.
“The attackers dont want to be caught, Chasin said. “Sending out millions of e-mail messages that pose as a financial [as phishers do] arouses suspicion. The idea of [pharming] crimes is to create stealth.” Instead of sending millions of messages indiscriminately, pharmers send carefully crafted e-mails that tempt users to go to Web sites and divulge personal data. While no studies were cited, Inbox attendees said phishing/pharming campaigns have a much higher potential payoff than is normally associated with typical spam campaigns.
For IT managers, this means anti-spam tools will need to catch specially crafted messages sent at much lower volumes—thousands of messages rather than millions. This attack will likely require more user training on spotting fake Web sites, protecting personal data and keeping malware off corporate computers.
Finally, although sessions on storage were a small subset of the shows offerings, they raised some of the most interesting technical questions. Aside from determining where and how to store e-mail information, the clear trends show that large amounts of corporate intellectual property are stored in e-mail systems. This raises questions that IT should list among its strategic concerns.
Labs Technical Director Cameron Sturdevant can be reached at [email protected]