Slide1 l.jpg
Advertisement
This presentation is the property of its rightful owner.
1 / 39

ASTA Proposal and Sender Authentication Overview Spam Industry Initiative PowerPoint PPT Presentation

ASTA Proposal and Sender Authentication Overview Spam Industry Initiative Miles Libbey Antispam Product Manager, Yahoo! Mail September 13, 2004 What’s ASTA? Anti-Spam Technical Alliance Yahoo!, Microsoft, Earthlink, Comcast, Bristish Telecom, AOL

Download Presentation

ASTA Proposal and Sender Authentication Overview Spam Industry Initiative

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Slide1 l.jpg

ASTA Proposal and Sender Authentication Overview

Spam Industry Initiative

Miles Libbey

Antispam Product Manager, Yahoo! Mail

September 13, 2004

http://antispam.yahoo.com/domainkeys


What s asta l.jpg

What’s ASTA?

  • Anti-Spam Technical Alliance

  • Yahoo!, Microsoft, Earthlink, Comcast, Bristish Telecom, AOL

  • Common experience and problems with spam and scale

  • Worked with others in the community

    • IETF

    • ASRG

    • Bulk Mailers

2

http://antispam.yahoo.com/domainkeys


Best practice recommendations l.jpg

Best Practice Recommendations

  • Not every solution to spam

  • If recommendations are implemented on a wide scale, expect radical reduction in spam

  • Asked for feedback and discussion from community

3

http://antispam.yahoo.com/domainkeys


Good neighbor policy l.jpg

Good neighbor policy

  • All abusive email coming out of ISP/Network provider is ISP’s responsibility

  • If not reasonably controlled, blocking is likely result

  • Perhaps first time industry has said that ISP’s are responsible for email sent from network, even if not through their email servers

4

http://antispam.yahoo.com/domainkeys


Insecure services should be secured l.jpg

Insecure services should be secured

  • Open Relays

  • Insecure Web services

  • Open Proxies

  • Zombies

  • Insecure consumer equipment

5

http://antispam.yahoo.com/domainkeys


Port 25 and 587 explained l.jpg

X

Other SMTP server

587

X

X

Zombie/ open proxy (587)

Port 25 and 587 explained

ISP network

Zombie/ open proxy (25)

25

25

ISP’s SMTPserver

Recipient MTA server & User Mailbox

25

6

http://antispam.yahoo.com/domainkeys


Port 25 and 587 recommendations l.jpg

Port 25 and 587 recommendations

  • Port 25 is currently used for all email traffic

  • Port 587 attempts to break up the submission from receiving

  • Blocking port 25 can be problematic, but is easiest way to control abuse

  • Do NOT block port 587

7

http://antispam.yahoo.com/domainkeys


Smtp auth l.jpg

SMTP AUTH

  • To have real control over SMTP servers, ISPs need to implement authenticated SMTP

    • Mail client required to send username and password before sending mail

  • Needed to allow connections from outside the network

8

http://antispam.yahoo.com/domainkeys


Rate limits l.jpg

Rate limits

  • Limit the number of mails that can be sent per hour and/or day

  • Ideally, coordinate limit with spam complaints received

  • Ensure the actual user sending is the actual user (not a zombie on their computer)

9

http://antispam.yahoo.com/domainkeys


Prevent mass registration l.jpg

Prevent Mass Registration

  • Take action to prevent automated account registration

    • Turing tests

    • Preauthorized payment

10

http://antispam.yahoo.com/domainkeys


Secure redirector services l.jpg

Secure Redirector services

  • Sites frequently use redirect URLs to track clicks

    http://rd.yahoo.com/*http://ftc.gov

  • Spammers use such URLs

    • Fool users to think URL is legitimate

    • Prevent filters from finding real target URL

  • Ensure these sites can only be used by authorized users

    http://us.rd.yahoo.com/SIG=10nc0k8a5/**http%3A%2F%2Fftc.gov

11

http://antispam.yahoo.com/domainkeys


Complaint reporting systems l.jpg

Complaint Reporting systems

  • Recipient feedback on what is spam and not spam dramatically helps system

  • Receiving complaints originating from network gives good neighbor visibility

  • Analyzing complaints about delivered mail helps improve spam filters and reputation engines

12

http://antispam.yahoo.com/domainkeys


Bulk mailers l.jpg

Bulk Mailers

  • No address harvesting

  • Clear and conspicuous opt-out that works

  • No forged headers

  • No obscuring content

  • No misleading content or subject lines

  • Maintain clean lists

  • Segregate sending IPs to help reputation engines

13

http://antispam.yahoo.com/domainkeys


Consumers education and awareness l.jpg

Consumers – education and awareness

  • Install and use personal firewalls

  • Anti-virus software with automated frequent updates

  • Use the "This is spam" button to report spam if your ISP offers it as an option

  • Don't use the "This is spam" button to unsubscribe from things you requested

  • Don't respond to spam at all

14

http://antispam.yahoo.com/domainkeys


Sender authentication l.jpg

Sender Authentication

15


What is sender authentication in email l.jpg

What is sender authentication in email?

  • Not a person’s identity

  • “Prove” authority to use a domain

  • 2 general strategies

    • IP based

    • Digital Signatures

16

http://antispam.yahoo.com/domainkeys


Mapping email to postal mail the envelope l.jpg

~ Sender ID’s authorization proof

Mapping email to postal mail- the envelope

Mail From /Envelope From / Return Path

Recipient To

17

http://antispam.yahoo.com/domainkeys


Mapping email to postal mail the letter l.jpg

DomainKey’s authorization proof

Mapping email to postal mail- the letter

To:

From:

18

http://antispam.yahoo.com/domainkeys


Two authentication strategies compared l.jpg

IP based (Sender ID)

Find outbound IPs, publish in DNS

Receiver verifies mail from authorized IP

Sender is not authenticated -- Last IP to touch mail is

Forwarders & mail lists must change before technology can be fully used

Digital Signature (DomainKeys)

Generate public/private keys, publish public-key in DNS

Sign mail with private-key

Receiver verifies signature

Original Sender is authenticated

In transit modifications may invalidate signature

Two authentication strategies compared

19

http://antispam.yahoo.com/domainkeys


Authentication alone won t solve spam l.jpg

Authentication alone won’t solve spam

  • Authentication won’t solve spam

    • Spammers can trivially authenticate

    • Y! Mail’s most wanted spammers buy 1000s of domains each week

    • >500 known spammers publishing SPF

20

http://antispam.yahoo.com/domainkeys


Authentication is basis for reputation l.jpg

Authentication is basis for reputation

  • Negative and neutral reputation can help reduce spam

    • Blacklists

    • Rate limits for newbies until established reputation

  • Positive reputation helps reduce false positives

  • Make zombies/trojans/open proxies use ISP’s servers where they may be more controlled

  • If Domain registration not forged, makes finding spammers easier

    • Push phishers into corners – can’t use phishing target’s domain; become more traceable

    • Makes legislation/litigation more effective

21

http://antispam.yahoo.com/domainkeys


Ip address is poor basis for email identity and reputation today l.jpg

IP address is poor basis for email identity and reputation today

  • Yahoo! Mail’s 5 year old reputation engine built on IP addresses

  • Doesn’t work well with ESPs

    • Receiver applies ESP’s reputation instead of client’s reputation

    • Many ESPs use 1 IP address for all their clients – reputation of 1 client can ruin reputation for others

  • Doesn’t survive forwarding (Goodguy  Forwarder  Recipient)

    • Forwarding system spam reputation probably mixed – in most cases blindly forwarding on spam

    • We need to apply Goodguy reputation – users want that mail in their inbox

    • How does recipient system know if they can trust forwarding system to validate header or message integrity?

  • Invisible to the user – they don’t know or care about IP addresses

22

http://antispam.yahoo.com/domainkeys


Domainkeys technology summary design goals l.jpg

DomainKeys technology summary: Design Goals

  • Sufficiently secure for email authentication

  • Unobtrusive format

  • Minimize hurdles to initial deployment

    • No financial cost

    • Deployable at the border

    • Use existing infrastructure where possible

  • Provide migration path to more robust solutions

23

http://antispam.yahoo.com/domainkeys


Domainkeys technology summary how it works today l.jpg

DomainKeys technology summary: How it works today

  • Public keys stored in DNS TXT records

  • Signature stored in email header

  • Signature protects headers and content

  • Authenticates domain only

  • Selectors provide fine-grained key management

24

http://antispam.yahoo.com/domainkeys


Public keys in the dns l.jpg

Dedicated namespace

Public Keys in the DNS

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

25

http://antispam.yahoo.com/domainkeys


Selectors allow multiple keys l.jpg

Selectors allow multiple keys

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

26

http://antispam.yahoo.com/domainkeys


Simple tag values syntax l.jpg

Simple tag=values syntax

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

27

http://antispam.yahoo.com/domainkeys


Up to 2048 bit keys fit in a response l.jpg

Up to 2048 bit keys fit in a response

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

28

http://antispam.yahoo.com/domainkeys


Signature is stored as a header l.jpg

Signature is stored as a header

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<[email protected]>

From: <[email protected]>

To: ….

29

http://antispam.yahoo.com/domainkeys


Selector and domain form the query l.jpg

Selector and Domain form the query

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<[email protected]>

From: <[email protected]>

To: ….

30

http://antispam.yahoo.com/domainkeys


Query the dns for the public key l.jpg

Query the DNS for the Public Key

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<[email protected]>

From: <[email protected]>

To: ….

31

http://antispam.yahoo.com/domainkeys


Signature covers all headers and body l.jpg

Signature covers all headers and body

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<[email protected]>

From: <[email protected]>

To: ….

32

http://antispam.yahoo.com/domainkeys


Survive folding l.jpg

Survive folding

DomainKey-Signature: a=rsa-sha1;

q=dns; c=isfws; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<[email protected]>

From: <[email protected]>

To: ….

33

http://antispam.yahoo.com/domainkeys


Survive re ordering and insertion l.jpg

Survive re-ordering and insertion

DomainKey-Signature: a=rsa-sha1;

q=dns; c=isfws; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

h=Message-ID:To:Date:

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<[email protected]>

From: <[email protected]>

To: ….

34

http://antispam.yahoo.com/domainkeys


Domainkeys technology summary migration path l.jpg

DomainKeys technology summary: Migration Path

  • DNS is just one query-type, other key servers allowed

  • Support for alternate queries allows for per-user keys

  • Canonicalization accepts reality but provides for preferred outcome

  • Deflect some controversy by offering sender choice at the cost of complexity

35

http://antispam.yahoo.com/domainkeys


Changes for domainkeys base 01 l.jpg

Changes for DomainKeys-base-01

  • Responsible domain – Sender: then From:

  • Responsible domain – email hostname a substring of “d=“

  • Canonicalization – 2-3 types, one contender is the Cisco ID-Mail form

  • Possible inclusion of a different key server as a key query type

36

http://antispam.yahoo.com/domainkeys


Status and next steps l.jpg

Status and Next Steps

  • Internet draft submitted May 17 to IETF

  • Working with IETF to determine next steps – form working group(s) etc

  • Current working group has 4 independently developed interoperating implementations

  • Sendmail has published plugin for testing

  • Yahoo! Released a royalty free reference implementation for DomainKeys

  • Qmail patch in private trial

  • Yahoo.com plans to trial later this year

37

http://antispam.yahoo.com/domainkeys


More information and specification http antispam yahoo com domainkeys l.jpg

More information and specification:

http://antispam.yahoo.com/domainkeys

38


Mail path l.jpg

List/Forwarding

MTA server

Mail Path

25

25

ISP’s SMTPserver

Recipient MTA server & User Mailbox

X

Zombie/ open proxy (25)

39

http://antispam.yahoo.com/domainkeys


  • Login