The adoption earlier this month of a new e-mail security technology by e-commerce merchant Amazon.com, Internet service provider RoadRunner and Internet security firm IronPort Systems signals what industry watchers say might be the start of a trend that will harden e-mail from phishing and spamming attacks.
Amazon and RoadRunner are the first major Internet carriers to fully adopt a new e-mail infrastructure introduced by Internet portal and search company Yahoo.com called Domain Keys. This new e-mail security architecture allows banks, online retailers and others to certify the e-mail they send.
Also, IronPort Systems announced this month that it is applying the Domain Keys architecture to its X1000 series of e-mail security appliances.
Domain Keys filters mail delivery based on the known reputation of the sender.
These adoption reports are significant for two reasons. One, IronPort Systems is a leading e-mail security provider for organizations ranging from small businesses to the Global 2000. Two, Amazon is the first major online retailer to apply IronPort Systems’ new security appliance, implementing Domain Keys on a massive scale and pushing adoption of the new e-mail security infrastructure across the Internet.
The push for making Domain Keys more widespread could gain the support of the Federal Trade Commission (FTC). Last month the FTC launched Operation Spam Zombies, a campaign to encourage Internet service providers (ISPs) to crack down on compromised computers within their networks that are being used to spew spam onto the Internet.
These “zombie” computers account for as much as 40 percent of the unsolicited e-mail in the world, according to global Internet security firm Sophos. Zombie computers are so named because they are remotely controlled by malicious parties who plant malware on a machine without its owner’s knowledge.
Internet security experts identify e-mail as a primary tool to send spam and phishing attacks once a computer has been infected by a virus or worm designed to launch such an attack.
In a bid to thwart the zombie menace, the FTC sent a letter to some 3,000 ISPs and 35 government authorities in some 20 nations recommending a punchlist of “best practices” that the providers should implement.
The punchlist included adopting technologies that would allow ISPs to block e-mail attacks, apply rate-limiting controls for e-mail relays, identify computers that are sending atypical amounts of e-mail and take steps to determine if the computer is acting as a spam zombie.
The list also suggested a quarantine of the affected computer until the source of the problem is removed.
Two Non-Competing Technologies
Yahoo’s Domain Keys technology is targeted at the same problem the FTC has identified. It is the second major response from the Internet industry since last year that is aimed at breaking the cycle of e-mails laced with spamming and phishing components. Microsoft and some of its partners last summer introduced the alternative Sender-ID e-mail verification protocol.
“Both systems are compatible and do not require the e-mail recipient to do anything for them to work,” Miles Libbey, the anti-spam product manager for Yahoo, told TechNewsWorld.
Thus, e-mail gateway services and ISPs are able to use both technologies to provide better e-mail security.
“Each protocol provides different answers to different problems involving e-mail security issues. But both new protocols deal with sender authentication,” Thomas Gillis, senior vice president for worldwide marketing at IronPort Systems, said.
For instance, mailing lists and forwarding messages each requires different treatment. When someone forwards an article from a Web site archive, often the sender can enter any e-mail address as the sender.
Yahoo’s Libbey said that each protocol has its own benefits because e-mail is a very complicated system. So having two compatible security technologies helps to solve the current security problems.
“The more information about the sender you have, the better it is,” he said.
Why New Standard
IronPort Systems’ Gillis said the computer industry has to change how the Internet handles e-mail. Under the older SMTP protocol, it is easy for a sender to masquerade as somebody else. The original protocol can not verify the source of e-mail messages.
“All e-mail problems come from weaknesses in the core e-mail system,” Gillis said.
One of the biggest weaknesses in this core structure is that e-mail is based on the IP address of the server. What is needed is a way to verify the true identity of the actual sender before the message goes through a mail server. Spammers have become too successful in using compromised computers and networks to steal addresses and forge the senders’ IP addresses.
“To solve that problem we have to force a change. But consumers view change as bad, and people resist it,” Gillis said.
So the new protocols are being applied at the gateway and ISP levels. This means the e-mail processors will have a greater role in verifying the sender’s validity before delivering the e-mail.
New E-Mail Standard
Ragy Thomas, the chief technical officer for Bigfoot Interactive, a provider of e-mail communications and marketing automation technologies, said adoption of new standards is taking place in two parts.
Companies that originate e-mail and e-mail receiving services will have to take action to put the new procedures in place. They will have to decide on procedures to determine how to handle e-mail that does not meet the new authentication standards.
“The technology itself is fairly foolproof. It will be up to each receiving ISP and corporation to decide what to do with non-compliant mail,” Thomas explained.
So far, that is why adoption since last summer has been slow, Thomas added. However, once e-mail handlers start to issue warning messages to smaller ISPs and e-mail mills about their non-compliance, the process will spur consumer confidence.
Sender ID Up Close
Sender ID is the result of two previous technology proposals. Microsoft had developed a system it called Caller ID for e-mail proposal. Lead developer Meng Wong is credited with the Sender Policy Framework (SPF) proposal. Those proposals merged into the current Sender ID standard.
With Sender ID, only authenticated messages can reach the receiver. The process includes several steps.
One, the sender sends an e-mail message to the receiver’s inbound mail server. Two, the receiver’s server checks for a record of the sending domain published in the Domain Name System (DNS) record. Third, the inbound e-mail server determines if the sending e-mail server’s IP address matches the IP address that is published in the DNS record.
The Sender ID technology requires two levels of authentication before an E-mail message is delivered. First, the message originator must declare the identity and be registered on a list that confirms the IP address of the sender. Second, the mail server must confirm that the mail originator is approved to enter the traffic stream.
How Domain Key Works
IronPort Systems’ Gillis explained that the Domain Key protocol functions much like a consumer credit service. The first step is to authenticate the credit card. However, criminals can fake their identification, so merchants view a verifying signature. The consumer credit service might also require a phone call to verify the validity of the transaction.
The Domain Key process is similar. It requires a two-part verification process of the sender of the e-mail. The ISP or e-mail gateway service must first authenticate the message sender. Then the message must pass a second phase called reputation score.
If the sender is not known or is generating a high volume of messages per hour, the ISP or gateway service can slow down or even delay delivery until the sender passes a challenge. Once the sender is verified, the sending address receives a reputation rating.
After that, restrictions on delivery and volume limits are removed by the processing services. In this manner, spam attacks can be stopped before they clog mail servers. And fraudulent messages sent as part of a phishing attack can be detected and blocked.
The Domain Key process includes the creation of an encrypted e-mail address signature. The process then uses the Domain Name Server (DNS) to verify that it came the stated sender.
Comparing the Processes
For the Domain Key protocol to work, the recipient e-mail servers must add software and hardware. That, said Gillis of IronPort Systems, is slowing down the acceptance process.
“The encryption stamp is more technically complex so it is harder to get the process adopted,” he said.
Bigfoot’s Thomas agrees with Gillis that Sender ID is easier to implement. It only requires publishing a list one time, he said.
“The Domain Key system is harder to integrate into existing hardware, but it is not too cost intensive based on what I have seen so far,” Thomas told TechNewsWorld.
Given the two new standards, Gillis and Thomas both agree that Domain Key is more rigorous.
“Sender ID is very lightweight but is already very widespread,” Gillis said.
Thomas, discounting the complexities involved, said Domain Key clearly has the technologically sounder edge.
“Domain Key is definitely stronger because of the encrypted signature,” he said.
Some Internet watchers are not hedging bets on where the two new e-mail standards are going. However, the consensus is that since an ISP doesn’t have to choose one method over the other, both will remain active approaches to dealing with e-mail problems.
Richard Stiennon, vice president of threat research for Internet security firm Webroot, is not yet convinced that either approach to fixing the e-mail problem has been overly effective.
“In my opinion, the Domain Key solution is better because all of the information needed to verify an e-mail is in the e-mail header. The Sender ID approach seems a little kludgy,” Stiennon said.
Stiennon said neither system has had much of an impact on the spam problem. However, he shares everyone’s high hopes that it will.
“I see online discussions from spammers that indicate they are not happy with these protocols. That is a good thing,” he added.