EMail Quality is a matter of good System Hygiene
Eliot Lear, Senior Consulting Engineer

Where does it come from?
Bad people will send bad mail
  • Reputation is both important...
Good people will send bad mail
  • … and dynamic!
Identity is important
  • Know who sent what
Source: Senderbase.org (12:14pm)

There’s a Problem
We suspect increased spear-phishing, which doesn’t show up in the numbers
We can identify and get rid of a whole lot of this stuff.
95% of spam originates from Bots
  • (the biggest use of cloud computing to date)
It’s even worse than it looks
Source: Cisco Ironport, December 2009

How much of this goes on?
Source: IC3.gov – US statistics

What’s New and Different?
DomainKeys Identified Mail (DKIM)
  • RFC 4871
  • Identifies responsible domain
Author Domain Signing Practices (ADSP)
  • RFC 5617
  • Indicates what policy a domain has toward signing
TERENA members are in a unique position to apply a uniform policy (ADSP or not).

What does a real PayPal Email look like?

Return-Path: <payment@paypal.com>
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
    by upstairs.ofcourseimright.com (8.14.3/8.14.3/Debian-6) with ESMTP id n9E8KIwI026171
    for <xxx@ofcourseimright.com>; Wed, 14 Oct 2009 10:20:39 +0200
Authentication-Results: upstairs.ofcourseimright.com; dkim=pass (1024-bit key; insecure key)
    header.i=service@paypal.ch; dkim-adsp=none (insecure policy)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=paypal.ch; i=service@paypal.ch; q=dns/txt; s=dkim;
    t=1255508439; x=1287044439;
    h=from:sender:reply-to:subject:date:message-id:to:cc:
    mime-version:content-transfer-encoding:content-id:
    content-description:resent-date:resent-from:resent-sender:
    resent-to:resent-cc:resent-message-id:in-reply-to:
    references:list-id:list-help:list-unsubscribe:
    list-subscribe:list-post:list-owner:list-archive;
    z=From:=20"service@paypal.ch"=20<service@paypal.ch>
    |Subject:=20Receipt=20for=20Your=20Payment=20to=XXX
    |Date:=20Wed,=2014=20Oct=202009=2001:20:17=20-0700|
    |Message-Id:=20<1255508417.22290@paypal.com>|To:=20Eliot=20Lear=20<paypal@ofcourseimright.com>
    |MIME-Version:=201.0;
    bh=q82fwVBPBq26WHflKsNcdbCIf3Vcc5wRznZ9tfI8+8k=;
    b=OPyR7evc/VcnTZyDZSlYCh9oLm+vmKt8qsocqMrAr7y/kg3P5+DhO3mB
    UDbhkCvqu+owm45X1te+PxoREXR9aMEuuD20ltP2B5f5JWf/MjICk6zc6
    gYv6pY6ZRFKclXFGvtViJwv0LsW8N7uaoiZCAh5mxrjfuJaF+SmNyX23c
    I=;
Received: (qmail 22290 invoked by uid 99); 14 Oct 2009 08:20:17 -0000
Date: Wed, 14 Oct 2009 01:20:17 -0700
Message-Id: <1255508417.22290@paypal.com>
Subject: Receipt for Your Payment to XXXX
X-MaxCode-Template: email-receipt-xclick-payment
To: Eliot Lear <xxx@ofcourseimright.com>
From: "service@paypal.ch" <service@paypal.ch>
X-Email-Type-Id: PP120
X-XPT-XSL-Name: email_pimp/CH/en_US/xclick/ReceiptXClickPayment.xsl
Content-Type: multipart/alternative; boundary=--NextPart_048F8BC8A2197DE2036A
MIME-Version: 1.0

Return-Path: <paypal@service.com>
Received: from mail.realinterface.com (mail.cecreal.com [66.101.212.157])
    by upstairs.ofcourseimright.com with ESMTP id n9GAJ9h3022332
    for <lear@ofcourseimright.com>; Fri, 16 Oct 2009 12:19:31 +0200
Received: from dynamic.casa1-15-233-12-196.wanamaroc.com ([196.12.233.14])
    by mail.realinterface.com with Microsoft SMTPSVC(5.0.2195.6713);
    Fri, 16 Oct 2009 06:32:45 -0400
From: "PayPal Services" <paypal@service.com>
To: "lear" <lear@ofcourseimright.com>
Subject: Your PayPal account has been Limited
Date: Fri, 16 Oct 2009 10:18:53 +0000
Organization: PayPal
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01C6527E.AE8904D0"
Message-ID: <RI1BvDvIMYk5XYA4IyF00002a42@mail.realinterface.com>
X-OriginalArrivalTime: 16 Oct 2009 10:32:45.0859 (UTC) FILETIME=[00099730:01CA4E4C]

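The difference between the two messages above, as a check a receiving host could run (added example, not part of the original slides): the first message carries a DKIM signature whose d= domain matches the From: domain, the second carries no signature and no Authentication-Results at all. The headers are abbreviated from the two messages shown; the names assess and my_authserv_id are hypothetical, and the sketch assumes one DKIM-Signature per message and that only Authentication-Results stamped with the receiver's own host name are believed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abbreviated from the two messages shown above (tags shortened, bodies omitted).
SIGNED = """\
Return-Path: <payment@paypal.com>
Authentication-Results: upstairs.ofcourseimright.com; dkim=pass (1024-bit key;
 insecure key) header.i=service@paypal.ch; dkim-adsp=none (insecure policy)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal.ch;
 i=service@paypal.ch; q=dns/txt; s=dkim; t=1255508439; x=1287044439
From: "service@paypal.ch" <service@paypal.ch>
Subject: Receipt for Your Payment to XXXX

"""
UNSIGNED = """\
Return-Path: <paypal@service.com>
From: "PayPal Services" <paypal@service.com>
Subject: Your PayPal account has been Limited

"""

def strip_comments(value):
    # Drop (comments); they may contain ';' as in "(1024-bit key; insecure key)".
    return re.sub(r"\([^()]*\)", "", value)

def assess(raw, my_authserv_id):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = {"from_domain": from_domain, "dkim": "none", "signer": None}
    for ar in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in strip_comments(ar).split(";")]
        if parts[0].lower() != my_authserv_id:
            continue  # stamped by another host, possibly the sender: ignore
        for p in parts[1:]:
            m = re.match(r"dkim=(\w+)", p)  # does not match "dkim-adsp="
            if m:
                out["dkim"] = m.group(1).lower()
    sig = msg.get("DKIM-Signature")
    if sig:
        # Assumption: a single signature, so its d= is the domain that passed.
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
        out["signer"] = tags.get("d", "").strip().lower() or None
    # ADSP "author domain signature": valid signature with d= equal to From: domain.
    out["author_signed"] = out["dkim"] == "pass" and out["signer"] == from_domain
    return out
```
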
Level of Assurance
Cost = cost of the token + inconvenience to the user.
  • 300,000,000 X $25 =
  • a whole lot of money
How many of these do you want to carry?
How often do you want to use them?
What value is possible?
Pictures courtesy of Alexander Klink, Aladdin, “Greudin”, IBM

Problems with “Privileged Interfaces”
On a PC, they may never be privileged enough
You can’t take them with you
They are extremely fragile today
  • Requires synchronization with browser, OS, and blog software

Is All Lost?
There is a substantial web of transitive trust for hackers.
A plethora of web sites does not make for a plethora of passwords.
Lack of email confidence contributes by obscuring problems.
Having an identity provider reduces passwords.
Having few identity providers increases risk concentration.
Privileged UIs are hard
Hardware is expensive
Picture: Old Man in Sorrow by Van Gogh

Maybe not so.
Conclusions
There exist hardware and software that address this space.
Employers and universities REQUIRE federated solutions for ease of authorization.
Many of us separate passwords by sensitivity and purpose.
Maybe the same will be true with IdPs.
It took centuries for the current banking ecosystem to evolve.
The last three decades have already been a revolution.
More to come!
Picture courtesy D. Sharon Pruitt

One organization worth mentioning
Mail Anti-Abuse Working Group
  • A forum for service providers, anti-spam vendors, mailing list service providers, and others
http://www.maawg.org