Messaging News - June 2008 - (Page 19)

the spammer saves those bots for later use, in an effort to stay off anyone’s blacklist. “Blacklists still work a good percentage of the time,” thinks Pao. “Today over 70 percent of the email blocked by Barracuda Spam Firewall globally is blocked at the IP reputation layer. So it is still significant, it is just not where the innovation is happening.” Beyond Blacklisting While blacklists do help to establish bad behavior and assign reputation status, few would argue they are perfect. “Existing IP-based reputation schemes are based upon a less than ideal characteristic—the sender’s IP address,” explains Hathcock. “This is not ideal because IP’s can (and often do) change. When this happens, all existing reputation data, whether good or bad, is lost. Also, sender, in order to make improved reputation-based decisions. SPF, DKIM, and other “sender authentication” schemes help a receiving MTA decide if it knows which domain sent a message. For example, SPF can tell if the sending IP address 1.2.3.4 is authorized to send mail claiming to be from example.com and DKIM can tell if the incoming message was signed by example.com’s private key. If the receiving MTA knows the sending domain, it doesn’t need to rely on the reputation of the sending IP address, which can be a blunt instrument,” acknowledges Jennings. He notes that sender authentication allows domains themselves to have reputations. “It’s especially useful for whitelisting known-good domains, so that mail from them doesn’t fall victim to the false-positive problem.” Additional Solutions Companies like Alt-N Technologies and Barracuda Networks are adding layers to aid in establishing senders’ reputation. Continuing his credit card analogy, Pao explains, “If I am the merchant, I expect my security provider to act like VISA or MasterCard and profile the behavior of the cardholder. That is essentially what Barracuda is doing for our customers. We profile the behavior of the bad guys so that no matter whose identity that bad behavior is seen on we can block the emails. It is the same with VISA, who will question someone who buys 50 flat screen TVs in one day. Likewise, we question anyone that shows bad emailing behaviors.” For Alt-N Technologies, Hathcock reports an additional technique Bad Behavior and Today’s Reputation Analysis by Stephanie Jordan IP use fragments the picture. By this I mean that a single sending identity can send email using many different IPs forcing an IP-based reputation to have a fragmented overall picture of the sender.” Hathcock believes that a better approach is to track reputation based on the domain name of the sender. “This solves the problems I just mentioned. The barrier to this has been the inability to authenticate an identity like a domain name. Now we’ve solved that problem with DomainKeys Identified Mail (DKIM). DKIM is the foundation that makes domain-based reputation services possible.” Verification by either DKIM, Sender Policy Framework (SPF) or Sender ID Framework (SIDF) when coupled with reputation data, allows ISPs and receiving networks to make enhanced decisions on whether or not to deliver email into the inbox, junk or bulk mail folder, or to quarantine and/or block the email altogether. According to Richi Jennings of Ferris Research, “SPF isn’t exactly a ‘reputation mechanism,’ although it can be used to help identify the Pao offers a comparison to credit card theft. “Reputation relies on identity,” he states. “I can prevent a fraud on my credit card, if I am really good about protecting my identity—like shedding all my documents, and not publishing my Social Security number. I am not going to be the victim of fraud as often as if I did not do these things.” Pao goes on to say that DKIM and SPF are all about protecting identity and to prevent spoofing. “That helps me a lot, as a legitimate email sender to do that. However, just like the credit card example, the fact that someone shreds documents and takes other actions, it does not help me, as a merchant from receiving stolen credit cards. It helps me to not receive that particular individual’s stolen credit card, but doesn’t help me not receive someone else’s. It is true that IP-reputation and sender authentication absolutely go hand and hand, but they go hand and hand from the perspective of the person who wants to be protected. Not from the perspective of the person who is trying not to be the victim of fraud.” used with DKIM that has been incorporated into its MDaemon Email Server using Vouch By Reference (VBR) to enable email certification in a new way. “Alt-N runs a VBR server at vbr.emailcertification.org. This VBR server lists the domains of some of our own MDaemon customers whom have asked to be listed and whom we have vetted. We also list domains like PayPal, eBay, banks, etc. However, about 90 percent of the domains we are certifying are our own customers. Adding message identification values as input for our certification service enables matches to be made quickly and easily. Consequently, users of the service have the option to skip spam filtering.” Hathcock notes that Alt-N is not trying to get into the certification business, but rather is demonstrating what is possible. “We have been very successful over several months of use,” reports Hathcock. “The criteria to qualify a message for certification is currently a DK or DKIM verified domain. In our forthcoming MDaemon 10 release we are opening it up to SPF and Sender ID verified domains, as well.” messagingnews.com 19 http://example.com http://vbr.emailcertification.org http://www.messagingnews.com

Table of Contents Feed for the Digital Edition of Messaging News - June 2008

Messaging News - June 2008 Editor’s Note Short Takes Classification & Retention Spam: Bigger, Faster, and More Dangerous Bad Behavior and Today’s Reputation Analysis The Changing Locus of Collaboration Serving Up Managed and Hosted Messaging Solutions “On Message” with Ben Gross SCAP Standard Benefits Both Government and Commercial Space Making the Case Learn More

Messaging News - June 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.