slide1 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
ASTA Proposal and Sender Authentication Overview Spam Industry Initiative PowerPoint Presentation
Download Presentation
ASTA Proposal and Sender Authentication Overview Spam Industry Initiative

Loading in 2 Seconds...

play fullscreen
1 / 39

ASTA Proposal and Sender Authentication Overview Spam Industry Initiative - PowerPoint PPT Presentation


  • 498 Views
  • Uploaded on

ASTA Proposal and Sender Authentication Overview Spam Industry Initiative Miles Libbey Antispam Product Manager, Yahoo! Mail September 13, 2004 What’s ASTA? Anti-Spam Technical Alliance Yahoo!, Microsoft, Earthlink, Comcast, Bristish Telecom, AOL

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'ASTA Proposal and Sender Authentication Overview Spam Industry Initiative' - niveditha


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

ASTA Proposal and Sender Authentication Overview

Spam Industry Initiative

Miles Libbey

Antispam Product Manager, Yahoo! Mail

September 13, 2004

http://antispam.yahoo.com/domainkeys

what s asta
What’s ASTA?
  • Anti-Spam Technical Alliance
  • Yahoo!, Microsoft, Earthlink, Comcast, Bristish Telecom, AOL
  • Common experience and problems with spam and scale
  • Worked with others in the community
    • IETF
    • ASRG
    • Bulk Mailers

2

http://antispam.yahoo.com/domainkeys

best practice recommendations
Best Practice Recommendations
  • Not every solution to spam
  • If recommendations are implemented on a wide scale, expect radical reduction in spam
  • Asked for feedback and discussion from community

3

http://antispam.yahoo.com/domainkeys

good neighbor policy
Good neighbor policy
  • All abusive email coming out of ISP/Network provider is ISP’s responsibility
  • If not reasonably controlled, blocking is likely result
  • Perhaps first time industry has said that ISP’s are responsible for email sent from network, even if not through their email servers

4

http://antispam.yahoo.com/domainkeys

insecure services should be secured
Insecure services should be secured
  • Open Relays
  • Insecure Web services
  • Open Proxies
  • Zombies
  • Insecure consumer equipment

5

http://antispam.yahoo.com/domainkeys

port 25 and 587 explained

X

Other SMTP server

587

X

X

Zombie/ open proxy (587)

Port 25 and 587 explained

ISP network

Zombie/ open proxy (25)

25

25

ISP’s SMTPserver

Recipient MTA server & User Mailbox

25

6

http://antispam.yahoo.com/domainkeys

port 25 and 587 recommendations
Port 25 and 587 recommendations
  • Port 25 is currently used for all email traffic
  • Port 587 attempts to break up the submission from receiving
  • Blocking port 25 can be problematic, but is easiest way to control abuse
  • Do NOT block port 587

7

http://antispam.yahoo.com/domainkeys

smtp auth
SMTP AUTH
  • To have real control over SMTP servers, ISPs need to implement authenticated SMTP
    • Mail client required to send username and password before sending mail
  • Needed to allow connections from outside the network

8

http://antispam.yahoo.com/domainkeys

rate limits
Rate limits
  • Limit the number of mails that can be sent per hour and/or day
  • Ideally, coordinate limit with spam complaints received
  • Ensure the actual user sending is the actual user (not a zombie on their computer)

9

http://antispam.yahoo.com/domainkeys

prevent mass registration
Prevent Mass Registration
  • Take action to prevent automated account registration
    • Turing tests
    • Preauthorized payment

10

http://antispam.yahoo.com/domainkeys

secure redirector services
Secure Redirector services
  • Sites frequently use redirect URLs to track clicks

http://rd.yahoo.com/*http://ftc.gov

  • Spammers use such URLs
    • Fool users to think URL is legitimate
    • Prevent filters from finding real target URL
  • Ensure these sites can only be used by authorized users

http://us.rd.yahoo.com/SIG=10nc0k8a5/**http%3A%2F%2Fftc.gov

11

http://antispam.yahoo.com/domainkeys

complaint reporting systems
Complaint Reporting systems
  • Recipient feedback on what is spam and not spam dramatically helps system
  • Receiving complaints originating from network gives good neighbor visibility
  • Analyzing complaints about delivered mail helps improve spam filters and reputation engines

12

http://antispam.yahoo.com/domainkeys

bulk mailers
Bulk Mailers
  • No address harvesting
  • Clear and conspicuous opt-out that works
  • No forged headers
  • No obscuring content
  • No misleading content or subject lines
  • Maintain clean lists
  • Segregate sending IPs to help reputation engines

13

http://antispam.yahoo.com/domainkeys

consumers education and awareness
Consumers – education and awareness
  • Install and use personal firewalls
  • Anti-virus software with automated frequent updates
  • Use the "This is spam" button to report spam if your ISP offers it as an option
  • Don't use the "This is spam" button to unsubscribe from things you requested
  • Don't respond to spam at all

14

http://antispam.yahoo.com/domainkeys

what is sender authentication in email
What is sender authentication in email?
  • Not a person’s identity
  • “Prove” authority to use a domain
  • 2 general strategies
    • IP based
    • Digital Signatures

16

http://antispam.yahoo.com/domainkeys

mapping email to postal mail the envelope

~ Sender ID’s authorization proof

Mapping email to postal mail- the envelope

Mail From /Envelope From / Return Path

Recipient To

17

http://antispam.yahoo.com/domainkeys

two authentication strategies compared
IP based (Sender ID)

Find outbound IPs, publish in DNS

Receiver verifies mail from authorized IP

Sender is not authenticated -- Last IP to touch mail is

Forwarders & mail lists must change before technology can be fully used

Digital Signature (DomainKeys)

Generate public/private keys, publish public-key in DNS

Sign mail with private-key

Receiver verifies signature

Original Sender is authenticated

In transit modifications may invalidate signature

Two authentication strategies compared

19

http://antispam.yahoo.com/domainkeys

authentication alone won t solve spam
Authentication alone won’t solve spam
  • Authentication won’t solve spam
    • Spammers can trivially authenticate
    • Y! Mail’s most wanted spammers buy 1000s of domains each week
    • >500 known spammers publishing SPF

20

http://antispam.yahoo.com/domainkeys

authentication is basis for reputation
Authentication is basis for reputation
  • Negative and neutral reputation can help reduce spam
    • Blacklists
    • Rate limits for newbies until established reputation
  • Positive reputation helps reduce false positives
  • Make zombies/trojans/open proxies use ISP’s servers where they may be more controlled
  • If Domain registration not forged, makes finding spammers easier
    • Push phishers into corners – can’t use phishing target’s domain; become more traceable
    • Makes legislation/litigation more effective

21

http://antispam.yahoo.com/domainkeys

ip address is poor basis for email identity and reputation today
IP address is poor basis for email identity and reputation today
  • Yahoo! Mail’s 5 year old reputation engine built on IP addresses
  • Doesn’t work well with ESPs
    • Receiver applies ESP’s reputation instead of client’s reputation
    • Many ESPs use 1 IP address for all their clients – reputation of 1 client can ruin reputation for others
  • Doesn’t survive forwarding (Goodguy  Forwarder  Recipient)
    • Forwarding system spam reputation probably mixed – in most cases blindly forwarding on spam
    • We need to apply Goodguy reputation – users want that mail in their inbox
    • How does recipient system know if they can trust forwarding system to validate header or message integrity?
  • Invisible to the user – they don’t know or care about IP addresses

22

http://antispam.yahoo.com/domainkeys

domainkeys technology summary design goals
DomainKeys technology summary: Design Goals
  • Sufficiently secure for email authentication
  • Unobtrusive format
  • Minimize hurdles to initial deployment
    • No financial cost
    • Deployable at the border
    • Use existing infrastructure where possible
  • Provide migration path to more robust solutions

23

http://antispam.yahoo.com/domainkeys

domainkeys technology summary how it works today
DomainKeys technology summary: How it works today
  • Public keys stored in DNS TXT records
  • Signature stored in email header
  • Signature protects headers and content
  • Authenticates domain only
  • Selectors provide fine-grained key management

24

http://antispam.yahoo.com/domainkeys

public keys in the dns

Dedicated namespace

Public Keys in the DNS

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

25

http://antispam.yahoo.com/domainkeys

selectors allow multiple keys
Selectors allow multiple keys

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

26

http://antispam.yahoo.com/domainkeys

simple tag values syntax
Simple tag=values syntax

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

27

http://antispam.yahoo.com/domainkeys

up to 2048 bit keys fit in a response
Up to 2048 bit keys fit in a response

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

28

http://antispam.yahoo.com/domainkeys

signature is stored as a header
Signature is stored as a header

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<4104B.405@yahoo-inc.com>

From: <miles@sunnyvale.yahoo-inc.com>

To: ….

29

http://antispam.yahoo.com/domainkeys

selector and domain form the query
Selector and Domain form the query

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<4104B.405@yahoo-inc.com>

From: <miles@sunnyvale.yahoo-inc.com>

To: ….

30

http://antispam.yahoo.com/domainkeys

query the dns for the public key
Query the DNS for the Public Key

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<4104B.405@yahoo-inc.com>

From: <miles@sunnyvale.yahoo-inc.com>

To: ….

31

http://antispam.yahoo.com/domainkeys

signature covers all headers and body
Signature covers all headers and body

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<4104B.405@yahoo-inc.com>

From: <miles@sunnyvale.yahoo-inc.com>

To: ….

32

http://antispam.yahoo.com/domainkeys

survive folding
Survive folding

DomainKey-Signature: a=rsa-sha1;

q=dns; c=isfws; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<4104B.405@yahoo-inc.com>

From: <miles@sunnyvale.yahoo-inc.com>

To: ….

33

http://antispam.yahoo.com/domainkeys

survive re ordering and insertion
Survive re-ordering and insertion

DomainKey-Signature: a=rsa-sha1;

q=dns; c=isfws; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

h=Message-ID:To:Date:

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<4104B.405@yahoo-inc.com>

From: <miles@sunnyvale.yahoo-inc.com>

To: ….

34

http://antispam.yahoo.com/domainkeys

domainkeys technology summary migration path
DomainKeys technology summary: Migration Path
  • DNS is just one query-type, other key servers allowed
  • Support for alternate queries allows for per-user keys
  • Canonicalization accepts reality but provides for preferred outcome
  • Deflect some controversy by offering sender choice at the cost of complexity

35

http://antispam.yahoo.com/domainkeys

changes for domainkeys base 01
Changes for DomainKeys-base-01
  • Responsible domain – Sender: then From:
  • Responsible domain – email hostname a substring of “d=“
  • Canonicalization – 2-3 types, one contender is the Cisco ID-Mail form
  • Possible inclusion of a different key server as a key query type

36

http://antispam.yahoo.com/domainkeys

status and next steps
Status and Next Steps
  • Internet draft submitted May 17 to IETF
  • Working with IETF to determine next steps – form working group(s) etc
  • Current working group has 4 independently developed interoperating implementations
  • Sendmail has published plugin for testing
  • Yahoo! Released a royalty free reference implementation for DomainKeys
  • Qmail patch in private trial
  • Yahoo.com plans to trial later this year

37

http://antispam.yahoo.com/domainkeys

more information and specification http antispam yahoo com domainkeys
More information and specification:

http://antispam.yahoo.com/domainkeys

38

mail path

List/Forwarding

MTA server

Mail Path

25

25

ISP’s SMTPserver

Recipient MTA server & User Mailbox

X

Zombie/ open proxy (25)

39

http://antispam.yahoo.com/domainkeys