How Will Authentication Reduce Global Spam?

1. Spammer? Phisher? How Will Authentication Reduce Global Spam? OECD Anti-Spam Task Force Pusan – September, 2004 Dave Crocker Brandenburg InternetWorking <http://brandenburg.com/current.html>

2. Questions About Email Authentication… • Will it stop spam, by itself, or do we need additional processes? • Will authentication prevent “phishing”? • Can we reduce spam without jeopardizing the sending oflegitimate email? D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004

3.   ? ? Email Security Functions D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004

4. What to Authenticate? D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004

5. Spam Dilemmas • Nothing has yet reduced global spam! • So we should proceed tentatively • Unsolicited mail, from unknown author • Could be spam; could be legitimate • Spam is sent by army of compromised systems • Authentic signature can be is misleading • Assessing single signature is not enough • Mail clients do not show all the headers • And deceptions are often buried in the content • Users are not skilled or attentive to subtleties D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004

6. Q1 – More Than Authentication? • Authentication means you know “who” • But nothing about whether they are ok • We need Authorization • We need Accreditation (Reputation) • Use layered defense – multiple tests • Message contents (maybe) • Message author • Message transfer service • Traffic analysis D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004

7. Joe Job Fake ID to gain acceptance Phishing is Joe Job to get returned information Social engineering Criminals are very creative and very aggressive Is a police ID fake? Is URL fake?? Levels of importance Need levels of protection Bad guys are good at finding cracks defenses A good beginning: Sign all identifiers & content Upgrade email clients Create “reputation” services Educate users Spammer! Phisher! Q2 –Will It Prevent “Phishing”? D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004

8. Is Legitimate Email Jeopardized? • If we are not very careful, then yes it is • Will restrict legitimate usage scenarios • Adds burden to everyone, not just bad guys • Adds long-term burden for short-term symptoms • Email is a rich, basic service • It can be used far more flexibly than most people realize… if we do not cripple it. D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004

9. SPF and Sender-ID:Author Path Registration MSA must pre-register and trust each MTA in entire path! Assigns Sender and MailFrom MUA MSA MTA1 Did MSA authorize MTA1to send messages for domain? MTA2 Did MSA authorize MTA2? Peer MTA3 Did MSA authorize MTA3? Mail Agents MUA = User MSA = Submission MTA = Transfer MDA = Delivery Peer MTA4 MDA MUA D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004

10. In summary • Authentication is essential building block • Multiple authentications needed • Authorization and Accreditation also needed • Attackers are creative • This is a continuing battle • Email is at core of human activities • Efforts to stop bad behavior could also damage good behavior D. Crocker, Brandenburg InternetWorking OECD, Pusan / September 2004