[82396] in North American Network Operators' Group
Re: E-mail Authentication Implementation Summit 2005?
daemon@ATHENA.MIT.EDU (Douglas Otis)
Thu Jul 14 21:58:35 2005
In-Reply-To: <20050713.162342.27124.77172@webmail17.lax.untd.com>
From: Douglas Otis <dotis@mail-abuse.org>
Date: Thu, 14 Jul 2005 18:58:01 -0700
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu

On Jul 13, 2005, at 6:57 PM, Fergie (Paul Ferguson) wrote:
>
> Just curious: Did any readers of the list participate in
> this summit?

While the event was focused upon advocating the use of Sender-ID now,
and DKIM later, there was some information made available regarding
Sender-ID not normally heard. I raised a question again in the
smaller technical break-out about reputation protection on shared
servers (made at the FTC presentation, the Open Source presentation
in Boston, the MAAWG in San Diego, and now again at this forum in New
York). In essence, the answer following the technical presentation
by Harry and Meng was that no technology is perfect. I wish to
commend Esther Dyson for asking the question again at the next two
panels during the full session.

The first was an executive round table concerning eCommerce and
Marketing. She asked how they dealt with the shared server issue.
There was acknowledgment of the reputation concern and that they were
migrating clients to ensure each had unique outbound IP addresses.
Finally an answer. Esther also continued this point at the next
panel concerning DKIM by asking whether DKIM was also a solution for
the shared server problem. Of course the answer was yes.

While Sender-ID may be readily available today, so is DomainKeys
where DKIM is upwardly compatible. DKIM solves some of the issues
which hampered the DomainKeys deployment when support calls were
generated by those asking about the Sender header added to the
message. DKIM no longer requires the signer be bound to either the
Sender or From header.

Sender-ID does not have a solution for the sender that addresses the
forwarded account problem, and many recipients are not honoring the
'~' or '?' syntax that attempts to mitigate this problem. This
syntax is exploited by abusers, which causes some to not accept mail
resulting in either 'neutral' or 'soft-fail.' Again, DomainKeys and
DKIM offer a solution for forwarding accounts, and the shared server
problem.

There was a chart indicating 2.7% of the domains publish SPF records,
with much of this by spammers. Only by including reputation will
email authentication provide relief from abuse. It was also pointed
out that Hotmail only makes the Resent-From header visible when there
was a validation failure, which leaves consumers still vulnerable to
phishing exploits. Of course, normal email clients will also expose
consumers to phishing even with Sender-ID validation.

-Doug