Antispoofing E-mail Technology Deployed
By verifying senders' claimed identities, new tricks stop spoofers in their tracks
31 January 2005--Most savvy computer users now rely on a variety of filters to screen e-mail for phrases such as "Lower your insurance rates now!" and "Hot XXX Action!" and instantly relegate the spam to the trash can and the sender to an e-mail blacklist. But what happens when spammers go undercover?
Junk senders are adopting the strategy called spoofing, which works like germs that mutate to elude the immune system. Spoofed e-mail bamboozles people into opening it by claiming to be from some legitimate sender, such as citibank.com or whitehouse.gov. The bogus domain names often project such authority that recipients comply with the spammers' requests for confidential information like credit card numbers and passwords. "If I had a nickel for every time I said, 'I wish I could trust the sender,' I'd be rich," says Miles Libbey, Yahoo! Inc.'s antispam product manager.
Over the past few months, Libbey and other antispam czars have responded to spoofers with some creative tactics of their own. By modifying the way e-mail is sent and delivered, major ISPs can confirm the origin of e-mail purporting to be from a given domain. The major push toward perfecting these verification technologies began last June, when the Anti-Spam Technical Alliance (ASTA), whose members include America Online, Comcast, EarthLink, Microsoft, and Yahoo!, advocated steps toward the broad adoption of sender-authentication mechanisms. And the fruits of that effort have come into use in the last couple of months.
ISPs and tech firms have primarily taken two technical paths. DomainKeys, developed by Yahoo! Inc., uses a cryptographic signature to establish which domain a message actually passed through on its way out. Microsoft's Sender ID and the Sender Policy Framework (SPF), devised by Meng Weng Wong and adopted early by AOL, instead check whether the e-mail arrived from an IP address that the sending domain has published as authorized to send its mail.
These schemes are still being refined, but they are already being widely implemented. DomainKeys began large-scale tests on Google's Gmail in November and began signing all outgoing e-mail from Yahoo! and EarthLink in December. Sender ID has signed up 218 000 domains, and AOL and thousands of other prominent domains and service providers are using SPF to vet all incoming messages.
While each antispoofing strategy has its own advantages and drawbacks, DomainKeys' cryptographic approach to domain verification is consistently cited by antispam specialists as the most foolproof of the current solutions. When a domain or ISP adopts the DomainKeys system, it must first generate a pair of numerical "keys," one public and one private. A signature produced with the private key can be checked by anyone holding the matching public key, but the public key gives no way to produce such a signature. The public key is published in the Domain Name System (DNS), a comprehensive Internet directory service, and the private key is made available only to the domain's outbound e-mail servers.
For every e-mail sent by an authorized user within the system, the outbound server reduces the message text and selected header fields to a fixed-length hash and applies the private key to that hash, producing a digital signature that is added to the e-mail's header. The signature appears to be a random string of letters and digits. When a server that supports DomainKeys receives an e-mail, it looks up in DNS the public key for the e-mail's purported domain of origin and uses that key to check the signature against the message as received. If the check succeeds, the e-mail was signed by a holder of that domain's private key, which is to say by one of that domain's own outbound servers, and has not changed since. Because the signature covers the complete message as well as the header, DomainKeys can also tell if an e-mail's text has been tampered with in transit. What it cannot tell is whether the signing domain deserves trust: a spammer who registers a domain of his own and publishes a key for it can sign his mail just as validly.
IP-based authentication techniques, such as those employed by SPF and Sender ID, are not as reliable, because certain forwarding mechanisms can impair their usefulness, according to Libbey and other industry experts. If a Yahoo! customer has a forwarding e-mail address issued by IEEE, for example, mail addressed to that alias reaches Yahoo! from an IP address associated with ieee.org, while the message still names the original sender's domain, which never authorized IEEE's servers to send on its behalf. Because sending e-mail via a forwarding address involves redirecting it through an alternate domain, the IP address of the original sending domain is lost, and SPF or Sender ID systems might flag the legitimate e-mail as a spoof. "The drawback with any method that's not based on cryptography is that you can't really predict the path your mail will take," says EarthLink chief technology officer Tripp Cox. "When you use cryptography, it doesn't matter so much what the path is, you can always get back to the sender."
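The forwarding failure described above, as an added example that is not part of the original article and not code from any SPF implementation: a minimal SPF evaluator in Python covering the ip4, ip6, include and all mechanisms, run against constructed DNS records for hypothetical domains (sender.example and a delegated relay, both using the TEST-NET documentation address ranges). SPF judges the domain in the message's envelope sender (the SMTP MAIL FROM) against the IP address that connected to the receiving server, which is why mail relayed through an ieee.org alias arrives from an address the original domain never listed.

```python
"""Added example (not AOL's or pobox.com's code): a minimal SPF evaluator.
Real SPF also has a, mx, ptr, exists, redirect and macros; this toy omits them."""
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for hypothetical domains, not real DNS data.
RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailrelay.example -all",
    "_spf.mailrelay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:1::/48 -all",
}


def check_spf(client_ip, domain, records, depth=0):
    """Evaluate `domain`'s SPF policy for the IP that connected to our mail server.

    `domain` comes from the envelope sender (SMTP MAIL FROM), so a forwarded message
    is still judged against the original sender's record, not the forwarder's."""
    if depth > 10:
        return "permerror"  # runaway include: chain
    record = records.get(domain)
    if record is None:
        return "none"  # no published policy, so nothing can be concluded
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # An IPv6 client never matches an ip4 network (and vice versa).
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(client_ip, term[8:], records, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism this toy does not implement
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # ran off the end of the record without an explicit all


def demo():
    """Constructed deliveries of one message with envelope sender alice@sender.example."""
    return {
        # sender.example's own outbound server hands the message to bob's ieee.org alias
        "direct": check_spf("192.0.2.25", "sender.example", RECORDS),
        # a relay delegated through include: is authorized as well
        "via_include": check_spf("2001:db8:1::25", "sender.example", RECORDS),
        # the ieee.org alias forwards the message to bob@yahoo.com: Yahoo! sees an
        # ieee.org address (203.0.113.7) but an envelope sender of sender.example
        "forwarded_by_ieee_alias": check_spf("203.0.113.7", "sender.example", RECORDS),
        # a spammer's machine anywhere else claims to be sender.example
        "spoofed": check_spf("198.51.100.200", "sender.example", RECORDS),
        # a domain that never published a record gets no verdict at all
        "no_policy": check_spf("192.0.2.25", "nopolicy.example", RECORDS),
    }
```

The "forwarded_by_ieee_alias" case is the article's IEEE scenario: the same legitimate message that passes when delivered directly fails once it has been relayed, and a receiver that rejects on a hard fail would bounce Bob's forwarded mail. Note that the forwarder's own SPF record, if it has one, never enters the evaluation, because the check keys on the sender's domain.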
On the other hand, experts point out that if an intermediary forwarding domain appends anything to a DomainKeys-signed e-mail, such as a footer of its own, the signature no longer matches the message, and a receiver that insists on a valid signature will treat the message as if it were spoofed.
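The signing and verification steps described above, together with the forwarder-appends-a-footer failure, as an added example that is not Yahoo!'s DomainKeys code: a Python model using only the standard library. The toy RSA key generation, the simplified canonicalization rules, the header tags and the hypothetical domains and selector (spam.example, selector s1) are assumptions of the example; the real scheme uses 1024-bit keys from OpenSSL and padded RSA-SHA1 signatures, whereas this model uses unpadded textbook RSA over a SHA-256 hash purely to make the mechanism visible. The last case in the demo shows the limit the article returns to later: a spammer who publishes a key for a domain of his own signs validly.

```python
"""Added example (not Yahoo!'s code): a stdlib-only model of DomainKeys signing and
verification. Textbook RSA without padding shows the mechanism only; real deployments
use padded RSA signatures produced by OpenSSL."""
import base64
import hashlib
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top and low bits
        if is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=2005):
    """Return ((n, e), (n, d)); seeded for reproducibility, unlike a real key (openssl genrsa)."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def canonicalize(headers, body, signed_fields):
    """Simplified stand-in for DomainKeys canonicalization: named headers, blank line, body."""
    head = "".join(f"{f}: {headers[f].strip()}\r\n" for f in signed_fields)
    return (head + "\r\n" + body.rstrip("\r\n") + "\r\n").encode()


def message_digest(headers, body, signed_fields):
    return int.from_bytes(hashlib.sha256(canonicalize(headers, body, signed_fields)).digest(), "big")


def sign_message(headers, body, private_key, selector, domain, signed_fields=("From", "To", "Subject")):
    """Outbound server: hash the canonical message, apply the private key, and add a header
    modeled on (not byte-compatible with) DomainKey-Signature."""
    n, d = private_key
    sig = pow(message_digest(headers, body, signed_fields), d, n)
    b64 = base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()
    tag = f"a=rsa-sha256; s={selector}; d={domain}; h={':'.join(signed_fields)}; b={b64}"
    return {"DomainKey-Signature": tag, **headers}


def verify_message(headers, body, dns_lookup):
    """Receiving server: fetch the public key the s= and d= tags point to in DNS and
    compare the opened signature with a fresh digest of what actually arrived."""
    tag = headers.get("DomainKey-Signature")
    if tag is None:
        return "none"  # unsigned mail: the scheme has nothing to say about it
    tags = dict(part.strip().split("=", 1) for part in tag.split(";") if "=" in part)
    key = dns_lookup(f"{tags['s']}._domainkey.{tags['d']}")
    if key is None:
        return "permerror"  # the domain publishes no key under that selector
    n, e = key
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return "pass" if pow(sig, e, n) == message_digest(headers, body, tags["h"].split(":")) else "fail"


def demo():
    """Constructed scenario: yahoo.com signs, an ieee.org alias appends a footer, a spammer
    first forges and then signs mail from a throwaway domain of his own."""
    pub, priv = generate_keypair()
    dns = {"s1._domainkey.yahoo.com": pub}  # stands in for the DNS TXT record
    headers = {"From": "alice@yahoo.com", "To": "bob@ieee.org", "Subject": "Lunch?"}
    body = "Meeting at noon?\r\n"
    signed = sign_message(headers, body, priv, "s1", "yahoo.com")
    spam_pub, spam_priv = generate_keypair(seed=7)
    dns["s1._domainkey.spam.example"] = spam_pub
    pitch = "Lower your insurance rates now!\r\n"
    spam = sign_message({**headers, "From": "deals@spam.example"}, pitch, spam_priv, "s1", "spam.example")
    return {
        "intact": verify_message(signed, body, dns.get),
        "forwarder_added_footer": verify_message(signed, body + "--\r\nvia ieee.org alias\r\n", dns.get),
        "body_replaced": verify_message(signed, "Send me your password\r\n", dns.get),
        "subject_rewritten": verify_message({**signed, "Subject": "URGENT"}, body, dns.get),
        "unsigned_spoof": verify_message(headers, body, dns.get),
        "spammer_signs_own_domain": verify_message(spam, pitch, dns.get),
    }
```

The "forwarder_added_footer" case is the objection raised above: two lines appended by the forwarder change the digest, and the receiver cannot distinguish that from deliberate tampering. The "unsigned_spoof" case is what a forger without yahoo.com's private key can do at best, and a receiver that treats "none" from a domain known to sign everything as suspicious gets the benefit the article describes.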
Cox, Libbey, and others emphasize that Sender ID, SPF, and DomainKeys are not by themselves absolute spam fixes--they're merely a few of the arrows in a varied and well-stocked quiver. Sender identification strategies are not mutually exclusive; they can all be deployed at the same time, and, in fact, enhance each other's effectiveness. The SPF protocol, for instance, allows the owner of a particular domain (say, ieee.org) to publish in DNS which computers are authorized to send messages with @ieee.org as the sender address. DomainKeys provides a supplemental layer of security by ensuring that messages from those SPF-authorized machines have been signed with a private key known to ieee.org administrators alone and cannot be tampered with en route to their destinations.
At the same time, all of the sender identification strategies work best in concert with long-established tactics such as filtering messages for spam-associated words and subject lines, and blacklisting, that is, curtailing incoming mail from IP addresses or domain names known to belong to spammers. "We're taking one tool out of the spammers' arsenal," Libbey says. "DomainKeys is not going to stop spammers, but it's certainly going to take away one of their most important techniques."
Insiders are optimistic that the sheer extent of the spam scourge will encourage domains and ISPs to adopt these new standards quickly. "The success of any e-mail authentication initiative requires swift and broad industrywide cooperation," says a Microsoft spokesperson, "and momentum for this kind of standard is building." To facilitate widespread adoption, Yahoo! and Microsoft are granting royalty-free, nonexclusive licenses to any domain owner who wants to implement DomainKeys or Sender ID.
As antispam techniques go into action, e-mail from unidentifiable senders will be relegated to third-class status, says Meng Weng Wong, the developer of SPF. Spammers would then be forced to abandon one of their most time-tested and successful tactics--and inboxes will be, if not spam-free, at least less cluttered.