ASTA Proposal and Sender Authentication Overview
Download
1 / 39

- PowerPoint PPT Presentation


  • 475 Views
  • Uploaded on

ASTA Proposal and Sender Authentication Overview Spam Industry Initiative Miles Libbey Antispam Product Manager, Yahoo! Mail September 13, 2004 What’s ASTA? Anti-Spam Technical Alliance Yahoo!, Microsoft, Earthlink, Comcast, Bristish Telecom, AOL

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about '' - niveditha


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Slide1 l.jpg

ASTA Proposal and Sender Authentication Overview

Spam Industry Initiative

Miles Libbey

Antispam Product Manager, Yahoo! Mail

September 13, 2004

http://antispam.yahoo.com/domainkeys


What s asta l.jpg
What’s ASTA?

  • Anti-Spam Technical Alliance

  • Yahoo!, Microsoft, Earthlink, Comcast, Bristish Telecom, AOL

  • Common experience and problems with spam and scale

  • Worked with others in the community

    • IETF

    • ASRG

    • Bulk Mailers

2

http://antispam.yahoo.com/domainkeys


Best practice recommendations l.jpg
Best Practice Recommendations

  • Not every solution to spam

  • If recommendations are implemented on a wide scale, expect radical reduction in spam

  • Asked for feedback and discussion from community

3

http://antispam.yahoo.com/domainkeys


Good neighbor policy l.jpg
Good neighbor policy

  • All abusive email coming out of ISP/Network provider is ISP’s responsibility

  • If not reasonably controlled, blocking is likely result

  • Perhaps first time industry has said that ISP’s are responsible for email sent from network, even if not through their email servers

4

http://antispam.yahoo.com/domainkeys


Insecure services should be secured l.jpg
Insecure services should be secured

  • Open Relays

  • Insecure Web services

  • Open Proxies

  • Zombies

  • Insecure consumer equipment

5

http://antispam.yahoo.com/domainkeys


Port 25 and 587 explained l.jpg

X

Other SMTP server

587

X

X

Zombie/ open proxy (587)

Port 25 and 587 explained

ISP network

Zombie/ open proxy (25)

25

25

ISP’s SMTPserver

Recipient MTA server & User Mailbox

25

6

http://antispam.yahoo.com/domainkeys


Port 25 and 587 recommendations l.jpg
Port 25 and 587 recommendations

  • Port 25 is currently used for all email traffic

  • Port 587 attempts to break up the submission from receiving

  • Blocking port 25 can be problematic, but is easiest way to control abuse

  • Do NOT block port 587

7

http://antispam.yahoo.com/domainkeys


Smtp auth l.jpg
SMTP AUTH

  • To have real control over SMTP servers, ISPs need to implement authenticated SMTP

    • Mail client required to send username and password before sending mail

  • Needed to allow connections from outside the network

8

http://antispam.yahoo.com/domainkeys


Rate limits l.jpg
Rate limits

  • Limit the number of mails that can be sent per hour and/or day

  • Ideally, coordinate limit with spam complaints received

  • Ensure the actual user sending is the actual user (not a zombie on their computer)

9

http://antispam.yahoo.com/domainkeys


Prevent mass registration l.jpg
Prevent Mass Registration

  • Take action to prevent automated account registration

    • Turing tests

    • Preauthorized payment

10

http://antispam.yahoo.com/domainkeys


Secure redirector services l.jpg
Secure Redirector services

  • Sites frequently use redirect URLs to track clicks

    http://rd.yahoo.com/*http://ftc.gov

  • Spammers use such URLs

    • Fool users to think URL is legitimate

    • Prevent filters from finding real target URL

  • Ensure these sites can only be used by authorized users

    http://us.rd.yahoo.com/SIG=10nc0k8a5/**http%3A%2F%2Fftc.gov

11

http://antispam.yahoo.com/domainkeys


Complaint reporting systems l.jpg
Complaint Reporting systems

  • Recipient feedback on what is spam and not spam dramatically helps system

  • Receiving complaints originating from network gives good neighbor visibility

  • Analyzing complaints about delivered mail helps improve spam filters and reputation engines

12

http://antispam.yahoo.com/domainkeys


Bulk mailers l.jpg
Bulk Mailers

  • No address harvesting

  • Clear and conspicuous opt-out that works

  • No forged headers

  • No obscuring content

  • No misleading content or subject lines

  • Maintain clean lists

  • Segregate sending IPs to help reputation engines

13

http://antispam.yahoo.com/domainkeys


Consumers education and awareness l.jpg
Consumers – education and awareness

  • Install and use personal firewalls

  • Anti-virus software with automated frequent updates

  • Use the "This is spam" button to report spam if your ISP offers it as an option

  • Don't use the "This is spam" button to unsubscribe from things you requested

  • Don't respond to spam at all

14

http://antispam.yahoo.com/domainkeys



What is sender authentication in email l.jpg
What is sender authentication in email?

  • Not a person’s identity

  • “Prove” authority to use a domain

  • 2 general strategies

    • IP based

    • Digital Signatures

16

http://antispam.yahoo.com/domainkeys


Mapping email to postal mail the envelope l.jpg

~ Sender ID’s authorization proof

Mapping email to postal mail- the envelope

Mail From /Envelope From / Return Path

Recipient To

17

http://antispam.yahoo.com/domainkeys


Mapping email to postal mail the letter l.jpg

DomainKey’s authorization proof

Mapping email to postal mail- the letter

To:

From:

18

http://antispam.yahoo.com/domainkeys


Two authentication strategies compared l.jpg

IP based (Sender ID)

Find outbound IPs, publish in DNS

Receiver verifies mail from authorized IP

Sender is not authenticated -- Last IP to touch mail is

Forwarders & mail lists must change before technology can be fully used

Digital Signature (DomainKeys)

Generate public/private keys, publish public-key in DNS

Sign mail with private-key

Receiver verifies signature

Original Sender is authenticated

In transit modifications may invalidate signature

Two authentication strategies compared

19

http://antispam.yahoo.com/domainkeys


Authentication alone won t solve spam l.jpg
Authentication alone won’t solve spam

  • Authentication won’t solve spam

    • Spammers can trivially authenticate

    • Y! Mail’s most wanted spammers buy 1000s of domains each week

    • >500 known spammers publishing SPF

20

http://antispam.yahoo.com/domainkeys


Authentication is basis for reputation l.jpg
Authentication is basis for reputation

  • Negative and neutral reputation can help reduce spam

    • Blacklists

    • Rate limits for newbies until established reputation

  • Positive reputation helps reduce false positives

  • Make zombies/trojans/open proxies use ISP’s servers where they may be more controlled

  • If Domain registration not forged, makes finding spammers easier

    • Push phishers into corners – can’t use phishing target’s domain; become more traceable

    • Makes legislation/litigation more effective

21

http://antispam.yahoo.com/domainkeys


Ip address is poor basis for email identity and reputation today l.jpg
IP address is poor basis for email identity and reputation today

  • Yahoo! Mail’s 5 year old reputation engine built on IP addresses

  • Doesn’t work well with ESPs

    • Receiver applies ESP’s reputation instead of client’s reputation

    • Many ESPs use 1 IP address for all their clients – reputation of 1 client can ruin reputation for others

  • Doesn’t survive forwarding (Goodguy  Forwarder  Recipient)

    • Forwarding system spam reputation probably mixed – in most cases blindly forwarding on spam

    • We need to apply Goodguy reputation – users want that mail in their inbox

    • How does recipient system know if they can trust forwarding system to validate header or message integrity?

  • Invisible to the user – they don’t know or care about IP addresses

22

http://antispam.yahoo.com/domainkeys


Domainkeys technology summary design goals l.jpg
DomainKeys technology summary: Design Goals today

  • Sufficiently secure for email authentication

  • Unobtrusive format

  • Minimize hurdles to initial deployment

    • No financial cost

    • Deployable at the border

    • Use existing infrastructure where possible

  • Provide migration path to more robust solutions

23

http://antispam.yahoo.com/domainkeys


Domainkeys technology summary how it works today l.jpg
DomainKeys technology summary: How it works today today

  • Public keys stored in DNS TXT records

  • Signature stored in email header

  • Signature protects headers and content

  • Authenticates domain only

  • Selectors provide fine-grained key management

24

http://antispam.yahoo.com/domainkeys


Public keys in the dns l.jpg

Dedicated namespace today

Public Keys in the DNS

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

25

http://antispam.yahoo.com/domainkeys


Selectors allow multiple keys l.jpg
Selectors allow multiple keys today

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

26

http://antispam.yahoo.com/domainkeys


Simple tag values syntax l.jpg
Simple tag=values syntax today

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

27

http://antispam.yahoo.com/domainkeys


Up to 2048 bit keys fit in a response l.jpg
Up to 2048 bit keys fit in a response today

200401._domainkey.example.net

IN TXT

"g=; k=rsa; p=MHww ... IDAQAB”

28

http://antispam.yahoo.com/domainkeys


Signature is stored as a header l.jpg
Signature is stored as a header today

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<[email protected]>

From: <[email protected]>

To: ….

29

http://antispam.yahoo.com/domainkeys


Selector and domain form the query l.jpg
Selector and Domain form the query today

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<[email protected]>

From: <[email protected]>

To: ….

30

http://antispam.yahoo.com/domainkeys


Query the dns for the public key l.jpg
Query the DNS for the Public Key today

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<[email protected]>

From: <[email protected]>

To: ….

31

http://antispam.yahoo.com/domainkeys


Signature covers all headers and body l.jpg
Signature covers all headers and body today

DomainKey-Signature: a=rsa-sha1;

q=dns; c=simple; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700 Message-ID:<[email protected]>

From: <[email protected]>

To: ….

32

http://antispam.yahoo.com/domainkeys


Survive folding l.jpg
Survive folding today

DomainKey-Signature: a=rsa-sha1;

q=dns; c=isfws; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<[email protected]>

From: <[email protected]>

To: ….

33

http://antispam.yahoo.com/domainkeys


Survive re ordering and insertion l.jpg
Survive re-ordering and insertion today

DomainKey-Signature: a=rsa-sha1;

q=dns; c=isfws; s=snake; d=yahoo-inc.com;

b=tU0…QrB;

h=Message-ID:To:Date:

Date: Tue, 03 Aug 2004 13:23:39 -0700

Message-ID:<[email protected]>

From: <[email protected]>

To: ….

34

http://antispam.yahoo.com/domainkeys


Domainkeys technology summary migration path l.jpg
DomainKeys technology summary: Migration Path today

  • DNS is just one query-type, other key servers allowed

  • Support for alternate queries allows for per-user keys

  • Canonicalization accepts reality but provides for preferred outcome

  • Deflect some controversy by offering sender choice at the cost of complexity

35

http://antispam.yahoo.com/domainkeys


Changes for domainkeys base 01 l.jpg
Changes for DomainKeys-base-01 today

  • Responsible domain – Sender: then From:

  • Responsible domain – email hostname a substring of “d=“

  • Canonicalization – 2-3 types, one contender is the Cisco ID-Mail form

  • Possible inclusion of a different key server as a key query type

36

http://antispam.yahoo.com/domainkeys


Status and next steps l.jpg
Status and Next Steps today

  • Internet draft submitted May 17 to IETF

  • Working with IETF to determine next steps – form working group(s) etc

  • Current working group has 4 independently developed interoperating implementations

  • Sendmail has published plugin for testing

  • Yahoo! Released a royalty free reference implementation for DomainKeys

  • Qmail patch in private trial

  • Yahoo.com plans to trial later this year

37

http://antispam.yahoo.com/domainkeys


More information and specification http antispam yahoo com domainkeys l.jpg

More information and specification: today

http://antispam.yahoo.com/domainkeys

38


Mail path l.jpg

List/Forwarding today

MTA server

Mail Path

25

25

ISP’s SMTPserver

Recipient MTA server & User Mailbox

X

Zombie/ open proxy (25)

39

http://antispam.yahoo.com/domainkeys


ad