Hello 'Certified Server,' Goodbye Spam
December 7, 2004
By Brian Livingston

Have you ever experienced a difficult problem that seemed unsolvable — until you realized at the last moment that a simple solution was staring you right in the face?

Something like that is happening in the battle to eradicate spam.

Two major proposals to identify and screen out the senders of unsolicited bulk e-mail are from Microsoft, with its "Sender ID," and Yahoo.com, which is promoting "Domain Keys." But, as I reported in this space on Sept. 28, Sender ID was dealt a crushing blow when it was rejected by both America Online, the largest Internet service provider in the U.S., and the IETF (Internet Engineering Task Force), a key standards body.

Although that seemed at the time to be good news for Domain Keys, Yahoo's proposal requires a certain level of encryption to work. That's a prospect that can be daunting to companies with millions of messages to process each day.

While these two high-profile technologies were garnering all the publicity, a new antispam technique was quietly making the rounds at the E-Mail Authentication Summit held last month by the U.S. Federal Trade Commission. The new kid on the block is variously known as "Certified Server Validation" or "Client SMTP Validation" (CSV).

I just call it Certified Server. But you might call it an idea that's so simple and brilliant that it could actually succeed.

How Certified Server Fingers Spam

The Certified Server proposal requires just three lightning-fast tests, unlike other proposals that make heavy demands on corporate resources. Only features that have been standardized in Internet e-mail for years are employed by CSV. Here's how it would work:

Step 1: Authentication. Internet pioneer Jon Postel defined SMTP (Simple Mail Transport Protocol) back in 1982. Ever since then, a computer that wants to send e-mail to another computer begins a communication session by using a command called HELO (pronounced "hello"), followed by the sender's domain name. A few years ago, this concept was built upon to define an "extended hello." Most modern mail servers now use the new command, EHLO (pronounced "ee hello"). The beginning of an e-mail transmission from a server named "mail" at a company called Example.com might, therefore, look like this:

   EHLO mail.example.com

The Certified Server technique proposes that receiving mail servers should check whether the Internet Protocol (IP) address of the computer sending the hello matches the domain name's IP address. This is called a "forward lookup." It's extremely fast, because IP addresses and domain names are usually cached within a mail server's memory.

If the domain name in the hello and the IP address of the sending server match, Step 1 is passed. It's very likely that the receiving mail server is communicating with a known domain name.

Step 2: Authorization. Merely knowing that a communication session is coming from a recognized domain, however, doesn't prove that that communication is legitimate. The e-mail might be coming from a "zombie" — a computer that's been taken over by a virus and is now sending millions of pieces of spam.

The second step in CSV, therefore, is to determine whether the computer that's doing the sending is authorized to send mail for that domain name. In most companies, no matter how large their internal network, only a few servers are specialized to send out all the e-mail.

The Certified Server proposal calls for the receiving server to use the Domain Name Service (DNS) record of the domain name to find out which servers are so authorized. A response should come back that looks like this:

   _client._smtp.mail.example.com SRV 1 2 0 mail.example.com
   _client._smtp.www.example.com SRV 1 1 0 www.example.com

These two lines are SRV or "service" records. SRV is a feature of DNS that was first defined in February 2000. These records, which require only "one round-trip" from the receiving server to the sending server, are also very fast.

In this instance, the records certify that the server known as "mail" is authorized to send mail for Example.com, but the server known as "www" is not. That's the meaning of the "2" in the first line and the "1" in the second line.

If the administrator of the EHLO domain name hasn't authorized a specific computer to send mail, the receiving computer can simply reject the connection and refuse to accept any falsified mail, which is highly likely to be spam. Content-scoring spam filters, by contrast, require the receiving mail server to accept everything and then waste valuable time analyzing its content.

Step 3: Reputation. Refusing to take junk mail from bogus servers is a big help right there. But so far, we've only certified that the sending mail server is willing to identify itself truthfully as belonging to a registered domain name. Many companies that send spam are more than willing to identify themselves.

The final step in Certified Server, therefore, is to check the reputation of the domain name that wants to send mail. A large company can do this almost instantly by looking up the percentage of e-mail that previously came from this domain name that was spam. Optionally, a recipient could contract with any of a number of rating services that currently rate IP addresses, such as Spamhaus.org and BondedSender.

Such services could easily compute reputation scores for named domains, which would almost certainly be more reliable than rating IP addresses. It's increasingly hard to calculate reputation scores for IP addresses. Spammers quickly jump from address to address and use viruses to turn legitimate computers (and their IP addresses) into zombies.

That's why Certified Server is so promising. The company that owns a domain name enjoys password-protected access to that domain's DNS records. Spammers can't hijack them. Simply rejecting communications from unauthorized computers, and rejecting communications from authenticated domains that send mostly spam, can immediately cut down a huge volume of junk you'd ordinarily get.

All of the above takes a lot less time to do than it takes to explain.
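The three checks above, modeled as one EHLO-time decision. This is an added illustration, not code from the article or from the CSV draft: DNS answers come from a small constructed zone table so it runs offline, the SRV weight reading (2 = authorized, 1 = not) follows the article's explanation, and the reputation table, spam threshold and "registered domain = last two labels" rule are assumptions.

```python
# Added illustration of the three CSV checks; not code from the article or the
# CSV draft. DNS answers come from a constructed zone table so it runs offline.

# Constructed sample DNS data: A records and _client._smtp SRV records
# stored as (priority, weight, port, target), as in the article's example.
ZONE = {
    "A": {
        "mail.example.com": {"192.0.2.25"},
        "www.example.com": {"192.0.2.80"},
        "mail.bulkmail.example": {"203.0.113.5"},
    },
    "SRV": {
        "_client._smtp.mail.example.com": (1, 2, 0, "mail.example.com"),
        "_client._smtp.www.example.com": (1, 1, 0, "www.example.com"),
        "_client._smtp.mail.bulkmail.example": (1, 2, 0, "mail.bulkmail.example"),
    },
}
# Constructed reputation table: share of past mail from the domain that was spam.
SPAM_RATE = {"example.com": 0.02, "bulkmail.example": 0.97}
SPAM_THRESHOLD = 0.5  # assumed cut-off for step 3

def authenticate(ehlo_name, client_ip, zone=ZONE):
    """Step 1: forward lookup; the EHLO name must resolve to the connecting IP."""
    return client_ip in zone["A"].get(ehlo_name, set())

def authorized(ehlo_name, zone=ZONE):
    """Step 2: SRV lookup; weight 2 authorizes the host, weight 1 denies it.
    A missing record is no assertion from the domain owner; this model rejects it."""
    rec = zone["SRV"].get("_client._smtp." + ehlo_name)
    return rec is not None and rec[1] == 2

def reputation_ok(ehlo_name, spam_rate=SPAM_RATE, threshold=SPAM_THRESHOLD):
    """Step 3: reputation of the registered domain (assumed: last two labels)."""
    domain = ".".join(ehlo_name.split(".")[-2:])
    return spam_rate.get(domain, 0.0) < threshold

def csv_verdict(ehlo_name, client_ip, zone=ZONE, spam_rate=SPAM_RATE):
    """Decision taken at EHLO time, before any message content is accepted."""
    if not authenticate(ehlo_name, client_ip, zone):
        return "reject: EHLO name does not resolve to client IP"
    if not authorized(ehlo_name, zone):
        return "reject: host not authorized to send for its domain"
    if not reputation_ok(ehlo_name, spam_rate):
        return "reject: domain reputation below threshold"
    return "accept"

if __name__ == "__main__":
    for name, ip in [("mail.example.com", "192.0.2.25"), ("www.example.com", "192.0.2.80"),
                     ("mail.example.com", "198.51.100.7"), ("mail.bulkmail.example", "203.0.113.5")]:
        print(f"{name} from {ip}: {csv_verdict(name, ip)}")
```

Note that all three checks finish before the DATA command, which is the point the article makes against content-scoring filters: a rejected client never gets to transmit a message body.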

The Road To IETF Adoption

If the three giants of e-mail — AOL, Yahoo, and Hotmail (which is owned by Microsoft) — ever agreed on a sender-authentication standard, that scheme would quickly be adopted by smaller parties. But the three industry leaders are going their own ways.

John R. Levine, the author of the bestselling book "The Internet for Dummies," is the chair of the IETF's Anti-Spam Working Group and is impressed with CSV. At the same time, he recognizes that Microsoft can put millions of dollars of marketing muscle behind Sender ID and induce many companies to try to implement it.

That's fine, says Levine. "They are not at all mutually exclusive," referring to Sender ID and CSV. "You can do both."

At the same time, Levine warns that the open-ended negotiations that the Sender ID protocol allows senders to initiate can be extremely expensive for the receiving computers. Levine set up a test server to handle requests conforming to the Sender ID spec and was shocked by the time that a malicious sender could consume. "It took an hour to get it," Levine said in a telephone interview.

The CSV proposal is close to IETF consideration. This means the simple standard (with the support of Levine and others) could receive a stamp of approval as early as 2005.

Security Implications Weigh Down Sender ID

The back-and-forth nature of the Sender ID authentication process is one of the biggest weaknesses of that proposal, according to Douglas Otis, a proponent of CSV. In a 10-page formal comment to the FTC's summit, Otis argued that mail servers following the Sender ID protocol would be open to devastating denial-of-service attacks.

As opposed to the onerous performance penalty that Otis says Sender ID would impose on companies, the adoption of CSV would actually reduce overhead. Three time-consuming steps that mail servers now perform to try to avoid spam — reverse DNS, address record, and MX record lookup — could be skipped by following the CSV protocol, he informed the FTC.

Levine warns that a different aspect of Sender ID might have even more serious consequences. He's published an analysis of patent applications on Sender ID that Microsoft released on Sept. 11. The IETF largely rejected Microsoft's proposed standard because of those applications. Levine found that the actual claims in the filings are "much broader" than anything Microsoft had previously disclosed.

Levine quotes from the text of the applications to show that Microsoft claims not just patent rights on anything similar to Sender ID, but also on spam filters that compute scores based on the content of messages. That's not the kind of patent that standards bodies have ever wanted anyone to have on an Internet protocol.

The Future May Hold Both CSV And Domain Keys

Dave Crocker, the principal of Brandenburg InternetWorking and another proponent of CSV, says corporations could adopt the Certified Server concept very soon and follow it up by adding Domain Keys when that protocol has been tested and refined.

"The thing about CSV is it's a one-hop mechanism," Crocker said in a telephone interview. Domain Keys, with its strong encryption strings, requires a larger investment but would complement CSV and guarantee that e-mail messages hadn't been altered in transit. "It will only cost about $100,000 to upgrade Yahoo.com for Domain Keys," Crocker points out. He notes that Yahoo is one of the largest e-mail providers in the world and that most companies would spend far less or nothing to convert.

One of the biggest e-mail players, AOL, is pounded by spam every day and seems ready to do something about it. It's been rumored that AOL has conducted tests of parts of Sender ID, which haven't been entirely successful. But Sender ID is only one approach it's evaluating.

"We remain committed to other IP-based approaches and see a lot of benefit to the 'newer' CSV idea," said Carl Hutzler, director of antispam operations for AOL, in a posting last September.

"AOL already gets more than 85% of our spam from other ISPs' main outbound MTAs [mail transfer agents]. SPF, SenderID, and Domainkeys will not change that, as this mail also uses the legit domain of that local ISP," Hutzler continued. "CSV and certain best practice documents shift the responsibility to the sending organization for the mess they create through their insecure networks and insecure practices..."

In an e-mail interview, Hutzler confirmed that AOL plans to test some form of Certified Server technology. "CSV provides a way for someone to take responsibility for an email that is about to be sent, and by someone we mean the domain owner specified in the HELO," Hutzler says. "We will be testing a very modified CSV approach in late Q1/early Q2 [2005] in conjunction with our Sender ID/SPF testing."

Conclusion

At the moment, there's nothing about Certified Server that corporations can adopt today. While discussions within the IETF go forward, important details such as the exact format of the SRV records mentioned above could change.

But that doesn't mean that you can't inform yourself about this simple technique that could have a big payoff.

Detailed information about the proposal is available at the Web site of the Mutual Internet Practices Association, a not-for-profit trade organization. Give it a look.

Brian Livingston is the editor of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.