Email Authentication: Dead Or Alive (Depends On Whose Headline You Read)

from the fun-with-headlines dept

About three years ago, it seemed like all of the big online players decided that email authentication was a good strategy for stopping spam. Of course, as happens all too often with these types of things, everyone came up with their own different standard -- meaning that you have a standards battle where not enough people adopt anything. Then, of course, many people felt that any such basic change to email effectively would break existing systems. Over the years, there's been plenty of talk about email authentication -- but it hasn't helped that the most active users of this supposedly "anti-spam" system are the spammers themselves. So, what's the state of email authentication today? Apparently it depends on whose headline you believe. Security Focus has an article today telling us that E-mail authentication gaining steam, while EmailBattles has their own article claiming: State of E-Mail Authentication: SPF Dead, Others on Life Support. Which story you believe probably reflects how much you've invested in one of these authentication techniques.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    dataguy, 20 Apr 2006 @ 11:39am

    Glad to see you reference EmailBattles - I really like their work.

    link to this | view in thread ]

  2. identicon
    anonymous coward, 20 Apr 2006 @ 1:24pm

    as a technology-savvy email users knowing nothing about this issue would lead me to come down on the "dead" side.

    link to this | view in thread ]

  3. identicon
    Andrew, 20 Apr 2006 @ 1:38pm

    Let's be clear - email authentication was never designed to stop spam. It's a popular misconception. Email authentication is designed to control spoofing. This would greatly reduce (or at least alleviate) 2 things:

    - Phishing scams
    - Joe Jobs

    If you've ever received thousands of bounce back emails because some half wit spammer sent email claiming to be from your address, you'll appreciate why stopping joe jobs is important.

    link to this | view in thread ]

  4. identicon
    Joe Smith, 20 Apr 2006 @ 3:41pm

    solutions

    It seems to me that there are only three possible answers to spam:
    1. governments outlaw it and act to enforce the laws.
    2. companies launch class action law suits against the commercial spammers for wasting employees' time with unauthorized and unsolicited emails.
    3. the rest of us donate to a fund to pay organized crime to hunt down and kill the spammers and phishers.

    link to this | view in thread ]

  5. identicon
    Jacob, 20 Apr 2006 @ 5:23pm

    RE: solutions

    I'd like to go with choice #3 :D

    link to this | view in thread ]

  6. identicon
    Joe Jobs, 20 Apr 2006 @ 5:56pm

    Re:

    What do you have against me?

    link to this | view in thread ]

  7. identicon
    Garfiode, 20 Apr 2006 @ 6:57pm

    Re: solutions

    3# definently. Should only take about 50 boxes of .50 cal ammo to get them all.

    link to this | view in thread ]

  8. identicon
    Tomasz Andrzej Nidecki, 20 Apr 2006 @ 11:59pm

    Glad to see SPF is on the downside

    I'm glad that at least some sources notice the problems with SPF, which I've been against for some time now, publishing information about its downsides and lack of effectiveness. Hope that all ISPs notice, that all solutions for server-side authentications are faulty by nature, and that someone at last realizes that the best method for authentication is for users to use personal e-mail certificates, which are available for free from many sources.

    link to this | view in thread ]

  9. identicon
    Hahaha, 21 Apr 2006 @ 3:05am

    Re: Re:

    Re: by Joe Jobs on Apr 20th, 2006 @ 5:56pm What do you have against me?
    ROFLROFL

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 21 Apr 2006 @ 4:01am

    These proposals have nothing to do with stopping s

    ...and everything to do with facilitating the creation of "walled gardens" for email, a la AOL's old business model. It's not surprising that spammers were the earliest adopters: OF COURSE they were, it's exactly what was predicted as soon as these idiotic proposals were put forth. The problem for the proponents, of course, is that having sunk so much of their time/credibility into these, they can't simply admit that they're enormous mistakes and walk away; no, they have to keep flogging them while simultaneously ignoring any number of clearly superior methods that have already been proven in the field.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 21 Apr 2006 @ 4:08am

    Re: misconception

    If it's a misconception, and I'll certainly grant that it is, then whose fault is it that the misconception exists?

    "Spam as a technical is solved by SPF".

    That statement was on the home page of the SPF for some time -- it was quietly removed, without a public retraction, a while ago.

    Similar statements have been made by the proponents of other schemes. Of course they are: email forgery is at most a minor problem and always has been, so nobody needs or wants to care about it. But spam? Oh, spam is a major problem, so one way to attract a lot of press is to grandly pronounce that The Answer is at hand...even when it's obvious to everyone with any technical clue that anti-forgery technologies (a) have no anti-spam value and (b) are trivial to subvert. [The latter being especially true in a world with an estimated 100M zombies -- since the new masters of those systems have full access to any email authentication credentials possessed by their former owners.]

    link to this | view in thread ]

  12. icon
    rick (profile), 21 Apr 2006 @ 8:11am

    Switch to encrypted email by default.

    II've said it before and I'll say it again. If we switched to encrypted
    email by default, joe jobs, authentication, and to some degree spam
    would be controlled.

    Publish your public keys either on your personal web site, in your
    signature, in public/private directories.

    Snail mail equivalents;
    1st Class - Signed/encrypted
    2nd-class - Signed
    Bulk-Rate - Unsigned / unencrypted.

    The more you value your privacy/hate spam the longer your encryption
    key. The longer your encryption key, the more processor time it takes
    to sign/encrypt email to you. (as a side benefit, the harder for people
    to snoop on you). Can anyone speculate on the time/processor power to
    send 1 million pieces of email currently vs. encrypting/signing 1 million pieces of email each encrypted with a different 2048bit key?

    If you value your privacy/time/bandwidth then either sort by class or
    reject (at the local level of course, NOT at the ISP level) certain
    classes. Perhaps you only accept 1st class email. Maybe 1st class is
    ok, second class gets filtered and bulk rate goes into the 'Junk mail'
    folder.

    Current problems with this idea, NSA/FBI/CIA etc. Google/Yahoo/AOL etc.
    The powers that be like the fact that most email is unsigned
    unencrypted plain text.

    What's common about the current plans like "DomainKeys Identified Mail".

    It's centrally located, the power is with the provider, not with the
    individual.

    It's still in plain text, so every one knows what you're writing about.

    It authenticates the mail server, not the individual. So if I'm at
    Alice@aol.com and I send mail pretending I'm from Bob@aol.com, then I
    can authentically state that the email from AOL.com actually came from
    an account at AOL.com. As email servers consolidate how does that help
    you? If your email is processed by Verizon, AOL, Earthlink, you are ok.
    If instead it's processed by Local Coop Inc., the ladies auxiliary, the
    Free China Society, or heaven forbid, your own server. Well obviously
    it doesn't come with the large corporate/government seal of approval,
    it MUST be bad/evil/subversive/spam.

    Spam works because it doesn't cost the sender near enough, and some
    small percentage of people actually bite. We need to increase the cost
    of sending thousands of emails without increasing the cost of sending
    tens of emails. The cost increase can't be in dollars, because then
    only the rich would be able to send email. We can't limit/consolidate
    the control of email sending, because then only 'approved' people would
    be able to send 'approved' messages. It shouldn't impact the current
    infrastructure because then it wouldn't get implemented.

    Default encrypted email; local control, authenticates the individual (or
    company/origination), increases the cost to Spammers without undually burdening individual emails or non-profits. Keeps your neighbor/the government/corporate interests from reading your email. Requires little if any change to the current email infrastructure.

    rick
    jilocain0@yahoo.com

    link to this | view in thread ]

  13. icon
    rick (profile), 21 Apr 2006 @ 8:13am

    Switch to encrypted email by default.

    II've said it before and I'll say it again. If we switched to encrypted
    email by default, joe jobs, authentication, and to some degree spam
    would be controlled.

    Publish your public keys either on your personal web site, in your
    signature, in public/private directories.

    Snail mail equivalents;
    1st Class - Signed/encrypted
    2nd-class - Signed
    Bulk-Rate - Unsigned / unencrypted.

    The more you value your privacy/hate spam the longer your encryption
    key. The longer your encryption key, the more processor time it takes
    to sign/encrypt email to you. (as a side benefit, the harder for people
    to snoop on you). Can anyone speculate on the time/processor power to
    send 1 million pieces of email currently vs. encrypting/signing 1 million pieces of email each encrypted with a different 2048bit key?

    If you value your privacy/time/bandwidth then either sort by class or
    reject (at the local level of course, NOT at the ISP level) certain
    classes. Perhaps you only accept 1st class email. Maybe 1st class is
    ok, second class gets filtered and bulk rate goes into the 'Junk mail'
    folder.

    Current problems with this idea, NSA/FBI/CIA etc. Google/Yahoo/AOL etc.
    The powers that be like the fact that most email is unsigned
    unencrypted plain text.

    What's common about the current plans like "DomainKeys Identified Mail".

    It's centrally located, the power is with the provider, not with the
    individual.

    It's still in plain text, so every one knows what you're writing about.

    It authenticates the mail server, not the individual. So if I'm at
    Alice@aol.com and I send mail pretending I'm from Bob@aol.com, then I
    can authentically state that the email from AOL.com actually came from
    an account at AOL.com. As email servers consolidate how does that help
    you? If your email is processed by Verizon, AOL, Earthlink, you are ok.
    If instead it's processed by Local Coop Inc., the ladies auxiliary, the
    Free China Society, or heaven forbid, your own server. Well obviously
    it doesn't come with the large corporate/government seal of approval,
    it MUST be bad/evil/subversive/spam.

    Spam works because it doesn't cost the sender near enough, and some
    small percentage of people actually bite. We need to increase the cost
    of sending thousands of emails without increasing the cost of sending
    tens of emails. The cost increase can't be in dollars, because then
    only the rich would be able to send email. We can't limit/consolidate
    the control of email sending, because then only 'approved' people would
    be able to send 'approved' messages. It shouldn't impact the current
    infrastructure because then it wouldn't get implemented.

    Default encrypted email; local control, authenticates the individual (or
    company/origination), increases the cost to Spammers without undually burdening individual emails or non-profits. Keeps your neighbor/the government/corporate interests from reading your email. Requires little if any change to the current email infrastructure.

    rick
    jilocain0@yahoo.com

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 21 Apr 2006 @ 10:19am

    Encryption is mostly useless, for at least three r

    Can anyone speculate on the time/processor power to send 1 million pieces of email currently vs. encrypting/signing 1 million pieces of email each encrypted with a different 2048bit key?"

    First reason: spammers have access to (essentially) unlimited CPU resources. (See "100M zombies" above.) Attempting to slow them down by imposing computational burdens on them is a guaranteed-losing strategy.

    Second reason: suppose such a scheme was widely deployed. Spammers could merely "harvest" the private keys used/stored on any of those 100M systems and then not only spam, but create considerable damage, by sending it signed not as themselves, but as the users in question.

    Third reason: suppose such a scheme was widely deployed. How can a receiving MTA verify that an incoming message was correctly encrypted? Answer: it can't. It doesn't possess the private key. It has to deliver it to the user's mailbox, where it will subsequently be retrieved via POP or IMAP, so that something running in the user's MUA -- and which knows the user's private key -- can vet the message. Which means that most of the damage has already been done: bandwidth, CPU and disk have already been wasted accepting, processing, and storing a message which turns out to be spam.

    There's more, but the bottom line is that encryption is not any kind of an answer to the spam problem because the spam problem is NOT an authentication problem.

    link to this | view in thread ]

  15. identicon
    nan, 21 Apr 2006 @ 2:05pm

    multiple email needs is where it's at

    I think authentication by itself hasn't been compelling enough, but combine it with the needs for encryption and access controls over email, and it all makes a little more sense. There is software available for desktops that authenticates senders and recipients on top of providing users the ability to assign access controls to prevent unauthorized forwarding... http://www.essentialsecurity.com/features.htm

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 21 Apr 2006 @ 7:32pm

    What we have here...

    ....is failure to communicate.

    What those of you advocating various cryptographic measures continue to miss is that an attacker is in COMPLETE control of an end-user's system -- and thus able to, oh, install a keystroke logger for example -- and transparently forge anything they like.

    As a result, all your proposed solutions based on cryptography are completely worthless. Until, that is, all of those 100M plus systems out there that are already in a known-compromised state are rebuilt from original distribution media AND kept from being compromised again.

    Good luck with that.

    The sad truth is that in 2006, a large chunk of the spam problem reduces to a Windows security problem, and that is not a problem for which there is any known solution -- other than "format:c" following by a re-install (which, BTW, is now the recommended solution from the vendor).

    Nothing short of that will do. Yet it is seldom done. And even when it is, the effect is often temporary.

    For further reading, please consult You might be an anti-spam kook if... which enumerates any number of known-failed (yet frequently proposed) approaches to "solving" the spam problem. If you are not fully acquainted with that entire list and able to explain in detail why all of those approaches are utterly doomed, then you will most certainly not be capable of coming up with any ideas that have the slightest chance of success.

    link to this | view in thread ]

  17. identicon
    Bar Nelson Dominic, 4 Sep 2007 @ 4:00am

    Hello,

    Hello,
    I am Bar Nelson Dominic
    A Canadian Attorney based in Manchester, United Kingdom and the personal attorney to Late Mr. Mark Michelle a citizen of France. Late Mr. Mark Michelle was a private oil consultant/ contractor with the Shell Petroleum Development Company in Saudi Arabia before his death, hereinafter shall be referred to as my client.Unfortunate, my client with his wife and three children lost their life in plane clash in 2003. My several attempts to locate any of his relatives as directed by his Bank became void. I had make enquires with his country Embassy and non of his relatives have been traced. It

    may interest you to know that my client died "in testate". PROPOSITION: I decided to contact you purely on the personal conviction of trust and confidence that we can co-operate with each other and do a very lucrative business for our mutual benefit. I want you to give me the needed assistance by allowing me to present you as the next of kin to the deceased and the beneficiary to his estate. The deceased had a deposit valued presently at (GBP 45,800,000.00) and his Bank has issued me a notice to provide his next of kin or beneficiary by will, otherwise the account would be confiscated. Already, i have marked out modalities for achieving my aim of appointing a next of kin as well as transfer the money out of this country, for us to share the money in the ratio of 53% for me and 35% to you, The 2% of the fund will serve as

    reimbursement of expenses both local and international any of us will make in the course of this transaction. While we shall collectively donate the remaining balance of 10% to Tsunami Relief Organizations. It is my intention to achieve this transfer in a legitimate way, all I required is your honest co-operation, and confidentiality and trust to enable us see this transaction through. This is a very legal business that I am very sure of its success and is absolutely risk free. If this proposal is acceptable to you, kindly email following information’s to me;
    1. Private telephone number and fax number.
    2. Your residential address.
    3. Identification / occupation.
    Further details await you upon a positive response from you

    Yours faithfully,

    Bar Nelson Dominic

    link to this | view in thread ]

  18. identicon
    Bar Nelson Dominic, 4 Sep 2007 @ 4:11am

    Hello,

    Hello,
    I am Bar Nelson Dominic
    A Canadian Attorney based in Manchester, United Kingdom and the personal attorney to Late Mr. Mark Michelle a citizen of France. Late Mr. Mark Michelle was a private oil consultant/ contractor with the Shell Petroleum Development Company in Saudi Arabia before his death, hereinafter shall be referred to as my client.Unfortunate, my client with his wife and three children lost their life in plane clash in 2003. My several attempts to locate any of his relatives as directed by his Bank became void. I had make enquires with his country Embassy and non of his relatives have been traced. It

    may interest you to know that my client died "in testate". PROPOSITION: I decided to contact you purely on the personal conviction of trust and confidence that we can co-operate with each other and do a very lucrative business for our mutual benefit. I want you to give me the needed assistance by allowing me to present you as the next of kin to the deceased and the beneficiary to his estate. The deceased had a deposit valued presently at (GBP 45,800,000.00) and his Bank has issued me a notice to provide his next of kin or beneficiary by will, otherwise the account would be confiscated. Already, i have marked out modalities for achieving my aim of appointing a next of kin as well as transfer the money out of this country, for us to share the money in the ratio of 53% for me and 35% to you, The 2% of the fund will serve as

    reimbursement of expenses both local and international any of us will make in the course of this transaction. While we shall collectively donate the remaining balance of 10% to Tsunami Relief Organizations. It is my intention to achieve this transfer in a legitimate way, all I required is your honest co-operation, and confidentiality and trust to enable us see this transaction through. This is a very legal business that I am very sure of its success and is absolutely risk free. If this proposal is acceptable to you, kindly email following information’s to me;
    1. Private telephone number and fax number.
    2. Your residential address.
    3. Identification / occupation.
    Further details await you upon a positive response from you

    Yours faithfully,

    Bar Nelson Dominic

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.