Authentication & Reputation – Adding Business Value in The Real WorldAuthentication & Reputation – Adding Business Value in The Real World
Agenda
1. Introductions & Agenda Review
2. The Big Picture
3. IP-based Blocklists and Reputation
4. Domain-based Authentication & Reputation
5. The Future
6. Q&A
Introductions
• Patrick Peterson, Vice President Technology, IronPort Systems
• Alberto Mujica, President and CEO, Reputation Technologies, Inc
• Barry Abel, VP of Field Operations, Message Systems
• Bill McInnis, Director, Message Level
REPUTATION
CERTIFICATION
The Big Picture
1
4
Who do you claim to be?
Validate Identity
Risk of badness/probability of goodness based on historical factors
Third-party affirmation
Make decision, take action
IDENTITY
ACTION
2AUTHENTICATION
3
Identity
• Patrick Richard Peterson– Allow onto airplane?– Allow into USA?– Owner of house on Whitney Street, San
Francisco, CA?
• IronPort Systems– Credit worthy?
• www.cisco.com– Authorized resellers?
Authentication (of Identity)
• Handshake• Photograph• Chip• Fingerprint• Signature, Notary• Retina scan
Consumer Credit Reputation
Three Credit Bureaus sell credit reports
Fair Isaac provides underlying technology“Fair Isaac Corporation (NYSE: FIC) is the leading provider of decision management solutions powered by advanced analytics. … Today, the company’s solutions, software and consulting services power more than 180 billion smarter business decisions each year for companies worldwide.”
Business Credit Reputation
D&B (NYSE:DNB) is the world’s leading source of commercial information and insight on businesses, enabling companies to Decide with Confidence® for over 165 years.
Certification
• Third-party that certifies (accredits) that an entity complies with certain standards or practices
Facts aboutIP Based Authentication
Not really authentication, better referred to as identification
Difficult or impossible to spoof
IP based identification runs into limitations when
Senders are on shared email servers(Like giving a license to a car and not a person)
Behind proxies
Senders would like to send different kinds of messages from the same IP
RBLs provide Good/Bad responses, not a range of responses
Current Situation withIP Based Authentication
DKIM and/or SPF authentication are prerequisites for domain based authentication and therefore reputation
Once either SPF and/or DKIM are widely adoptedreputation can be based on domain names
Email reputation providers like ReturnPath, Habeas and Reputation Technologies require static IP addresses
Because SPF and DKIM are not yet over the tipping point email reputation providers like ReturnPath, Habeas and Reputation Technologies have to use IP identification instead of domain authentication
Fast> Flexible> Focused>
Barry Abel, Message SystemsVP Field Operations
13Fast > Flexible > Focused
Authenticating Domains
SenderID and DKIM
Both work to verify that every e-mail message originates from the Internet domain from which it claims to have been sent.
14Fast > Flexible > Focused
SenderID
15Fast > Flexible > Focused
DKIM
16Fast > Flexible > Focused
Current Status of DKIM & Sender ID
DKIM The Internet Engineering Task Force (IETF) made DKIM a
standard in May 2007 Already in wide use
Sender ID* Every day, 20 million forged messages are detected by Sender
ID-enabled domains. Reputable marketers that have adopted Sender ID have realized
improved deliverability, with up to 85 percent fewer messages mistakenly marked as spam in Windows Live Hotmail.
With spam increasing 40 percent in the past 12 months, spam in Hotmail users’ inboxes has actually been reduced by 50 percent; Sender ID contributed 8 percent of that reduction.
*Microsoft news release dated 5/18/07
Bill McInnisDirector, Message Level
DO SOMETHING!!!
Strongly worded suggestions being offered by Associations for members to implement SPF and DKIM
DMA, BITS, ESPC Example: BITS is recommending TLS, SPF, SIDF and DKIM
within 18 months
Associations can talk 10x faster than their constituents can move
Many ISPs are committed to using authentication to evaluate email
Hotmail Yahoo/Gmail
SPF and DKIM pros
SPF Allows companies to identify mail servers where
mail is authorized to come from Relatively easy for senders to support Many ISPs utilize SPF as a factor in email
deliveryDKIM More heavyweight solution Allows a company to cryptographically sign an
email Allows ISP’s to identify signatures and
associated messages that compute correctly and handle those messages different
SPF and DKIM Cons
SPF Breaks some current use cases of email – Forwarding,
etc Senders don’t know what receivers are doing, if
anything Doesn’t not protect anything the end users sees – 2821
address (xyz.com) 2822 address (chase.com) – Does this make SPF worth much of anything?
DKIM Doesn’t break forwarding - No reliable replay protection
– Potential for signature breakage Cannot reliable detect bad messages No data for senders Many traditional problems associated with PKI key
propagation and changes
Authentication Alone Createsa False Sense of Security
Delivered-To: [email protected]: by 10.67.65.8 with SMTP id s8cs550968ugk;
Tue, 8 May 2007 10:05:35 -0700 (PDT)Received: by 10.90.105.19 with SMTP id d19mr6545698agc.1178643934853;
Tue, 08 May 2007 10:05:34 -0700 (PDT)Return-Path: [email protected]: from mail03.bankofamerica.cl (mail03.bankofamerica.cl [200.75.25.175])
by mx.google.com with ESMTP id 14si2200432wrl.2007.05.08.10.05.33;Tue, 08 May 2007 10:05:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 200.75.25.175 as permitted sender)From: "Bank of America" [email protected]: [email protected]: Reactivate your Account
Top Related