Principal Scientist, VeriSign Inc.
Unwanted and indiscriminate email messages, commonly known as spam, are an increasing nuisance for Internet users. The costs of spam are documented at great (and increasing) length elsewhere [PHB] and require no further elaboration here.
In this paper we examine the use of authentication and accreditation mechanisms as tools to mitigate spam. We use the term authentication to refer to verification of information presented in the email message itself, in particular the authenticity of the purported email address of the sender and the domain name of the transferring server exchanged in the SMTP initialization sequence. We use the term accreditation to refer to mechanisms that provide information from a third party that concerns an authenticated email sender.
Several proposals have been made that employ authentication and accreditation to mitigate spam [PHB][RMX][SPF][Vixie][Lumos][TEOS]. In most cases the differences between proposals based on the same underlying technique are superficial, relating to choice of syntax rather than fundamental differences of approach. The field is also an active one subject to rapid change. Our treatment is therefore a high level one, considering the potential of the underlying mechanisms rather than particular proposals. We expect that any successfully deployed scheme will be at least capable of extension to support each of the authentication and accreditation levels set out in this paper.
Authentication and accreditation offer three types of potential benefit.
The elimination of spam that fails the authentication checks in such a way that it can be positively identified as being spam.
Ensuring that legitimate email is delivered and not either eliminated or quarantined as a ‘false positive’.
Increasing the effectiveness of other forms of control, including filtering.
These benefits may be mutually reinforcing. For example an authentication mechanism that allows a significant proportion of legitimate email to be identified with certainty would permit more aggressive filtering criteria to be applied to the residue of non-authenticated email without an unacceptable rise in the number of false positives.
Authentication and accreditation mechanisms are also subject to a strong ‘network effect’. As authentication techniques are more widely used it is likely that the criteria used to filter non-authenticated email will become progressively more aggressive. As a result legitimate email senders will have an increased incentive to authenticate their emails in order to ensure that they are received and read by the intended recipient. Eventually a ‘tipping point’ is reached at which the deployment of authenticated email becomes self-sustaining.
Unfortunately while network effects result in rapid self-sustaining growth once the tipping point is reached, a mechanism that only offers benefits through the network effect offers no benefit to early adopters. The corollary of the network effect is thus the chicken and egg problem.
One of the main objections made against using authentication mechanisms to control spam is that mechanisms that do no more than authenticate the domain name of the email sender can only eliminate certain types of spam rather than being effective against spam in general. This argument would hold considerable weight if all forms of spam were equally objectionable and there was no benefit to denying spammers the use of certain tactics.
In practice neither condition holds. While all spam is objectionable, not all of it is sent with the intention of defrauding the recipient or the commission of some other criminal scheme. Nor is the use of techniques by spammers that may be defeated through authentication a casual one. These tactics are employed because they allow a spammer to increase the effectiveness of their solicitations and as a result increase their profits. Denying the use of these techniques increases the difficulty of sending spam and reduces the incentives to do so.
It is important therefore to identify the specific types of spam attack that authentication techniques can mitigate or eliminate. We consider the following categories.
Impersonation Spam
Also known as ‘Joe jobs’, this type of spam impersonates another user. This technique is frequently used to ensure that complaints resulting from the spam are directed at another party. Another use of this technique that is of particular concern is the impersonation of a well-known brand (often an auction site or financial institution) with the objective of performing identity theft fraud.
Hijacked Platform Spam
Spammers have always attempted to conceal the source of their activities and to displace their costs onto other parties. One way to achieve both these ends is to send spam from computers that have been compromised by hackers. There is evidence that suggests that a black market exists in which hackers sell compromised machines to spammers [Spitz].
Criminal Solicitations
A spammer who is engaged in a criminal scheme such as consumer fraud, identity theft or advance fee fraud must take steps to avoid arrest and prosecution. In most cases this means that the spammer will attempt to conceal their identity, and in many cases the spammer will also make use of a foreign jurisdiction that is unlikely to cooperate with extradition requests.
Bulk Spam
We define bulk spam to be email that is sent indiscriminately to a very large number of recipients, such that the cost of handling the volume of email becomes a significant burden in itself. For the purposes of this paper we will consider a spam mailing of a million messages or more to be bulk spam, although this threshold is essentially arbitrary.
Infrastructure Attack
We define an infrastructure attack to be an attack against the critical infrastructure of the Internet, in particular the routing infrastructure and the DNS. To date the incentive to perform such attacks has been limited. The few attacks that have occurred have tended to use techniques that have had only a limited impact on the infrastructure itself, for example advertising BGP routes for unallocated or unused IP address blocks. The deployment of lightweight authentication mechanisms that can be defeated through infrastructure attack will dramatically change the incentives for spammers to defeat them. Accordingly this form of attack must be considered very seriously even though it is currently very rare.
These categories are not exclusive. It is highly likely that an impersonation spam will also contain a criminal solicitation and be sent from a hijacked platform.
It should be noted that in each case these categories represent types of spam that are generally considered to be ‘the worst of the worst’, with effects that go far beyond mere irritation of the intended recipient.
Ensuring the delivery of legitimate email is at least as important as eliminating spam. Otherwise we could guarantee the elimination of all spam by switching off the Internet. The following cases are defined in order of increasing generality:
Existing Contacts
Legitimate email is guaranteed delivery provided that it is sent by an existing contact known to the recipient.
Trustworthy Senders
Legitimate email is guaranteed delivery provided that it was sent by a sender who meets criteria defined by the recipient as ‘trustworthy’. It is not necessary for the recipient to identify the individual sender as being trusted.
Although the implementation of a trustworthy sender criterion is almost certain to depend on some form of accreditation mechanism such as those described below, the distinction between a trustworthy sender and an accredited sender is an important one. Any party may recognize a sender as being ‘accredited’ but it is the recipient who decides whether to accept that accreditation as implying trustworthiness.
In addition to allowing direct control of certain types of spam, authentication and accreditation mechanisms may enable or improve the effectiveness of other forms of spam control. For example, the chief difficulty in spam prosecutions is discovering the identity of the spammer.
Prosecution & Litigation
In any case in which a spammer commits a crime or civil tort in connection with a spam there is an opportunity for criminal prosecution or civil litigation, provided that the spammer can be identified.
Abuse penalties
A party that has undertaken to comply with an email use policy may be liable for specified penalties and/or compensation claims if the undertaking is broken.
Reputation
The ability to tie an email sender to an identity that is not easily replaced provides a basis for holding the sender accountable.
Authentication mechanisms provide the recipient of an email with an assurance that the purported origin is genuine.
DNS Authentication
The origin of the email is authenticated by means of information published in the DNS zone corresponding to the purported ‘from’ address.
PKI Authentication
The origin of the email is authenticated by means of a digital signature that is cryptographically bound to the message itself.
DNS authentication is effective in eliminating impersonation spam and hijacked platform spam and allows a delivery assurance to be provided for email from existing contacts. The authentication provided through DNS authentication is strong but not unbreakable and can be defeated by means of infrastructure attacks.
The first proposal to use DNS based authentication was written by Paul Vixie after an idea credited to Jim Miller [Vixie]. More recent proposals [RMX][SPF] differ in implementation details but these affect only ease of administration or efficiency rather than basic principles. PKI authentication provides the same benefits as DNS authentication but in addition is resistant to infrastructure attacks.
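The following is an added example, written for this page and not code from the paper or from any of the cited proposals, of the check a receiving mail server performs under DNS authentication: given the IP address of the connecting client and the domain of the purported sender, it evaluates the policy that the domain owner has published in the DNS. The record syntax follows the mechanisms shared by the SPF-family drafts (a `v=spf1` TXT record with `ip4:`, `a`, `mx` and `include:` mechanisms and the `-`, `~` and `?` qualifiers); the zone data is constructed inline so the check runs offline, and the treatment of missing or multiple records and the lookup limit are assumptions rather than the rules of any particular draft. The `authenticate` function checks both identities the paper names, the server name offered in the SMTP initialization sequence and the domain of the sender address.

```python
"""SPF-style DNS authentication check (added example; zone data constructed inline)."""
import ipaddress

# Constructed zone data standing in for live DNS: name -> record type -> values.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:mailer.example.net -all"],
        "MX": ["mail.example.com"],
        "A": ["198.51.100.10"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "mailer.example.net": {"TXT": ["v=spf1 ip4:203.0.113.0/28 ~all"]},
    "nospf.example.org": {"A": ["203.0.113.200"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # assumed cap on include/a/mx lookups so attacker-controlled zones cannot drive unbounded DNS work


def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's single v=spf1 record; none or several means no usable policy (assumption)."""
    recs = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, spec):
    """True if ip falls inside spec, which may be a bare address or a CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def check_host(ip, domain, _budget=None):
    """Evaluate domain's published policy for a client at ip.

    Returns (result, reason) with result in pass/fail/softfail/neutral/none/permerror.
    Mechanisms are tried left to right; the first match decides with its qualifier.
    """
    budget = [MAX_LOOKUPS] if _budget is None else _budget
    record = spf_record(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in(ip, arg)
        elif mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror", "too many DNS lookups"
            target = arg or domain
            if mech == "a":
                matched = any(ip_in(ip, addr) for addr in lookup(target, "A"))
            elif mech == "mx":
                matched = any(ip_in(ip, addr) for mx in lookup(target, "MX") for addr in lookup(mx, "A"))
            else:
                # include: only a 'pass' from the referenced domain counts as a match
                matched = check_host(ip, target, budget)[0] == "pass"
        else:
            return "permerror", f"unknown mechanism {mech}"  # ip6, exists, etc. not modelled here
        if matched:
            return QUALIFIERS[qual], f"{domain}: matched {qual}{mech}{':' + arg if arg else ''}"
    return "neutral", f"{domain}: no mechanism matched"


def authenticate(client_ip, helo_domain, mail_from):
    """Check both identities the paper names: the HELO/EHLO host name and the
    domain of the purported sender address given in MAIL FROM."""
    sender_domain = mail_from.rpartition("@")[2].lower()
    return {
        "helo": check_host(client_ip, helo_domain.lower())[0],
        "mailfrom": check_host(client_ip, sender_domain)[0],
    }


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.5", "203.0.113.100"):
        print(ip, check_host(ip, "example.com"))
    print(authenticate("203.0.113.5", "mail.example.com", "alice@Example.com"))
```

A `fail` from a domain that ends its record with `-all` is the positively identified impersonation of the paper's first benefit; a `none` result says nothing about the message, which is the chicken-and-egg problem in concrete form. Because every input to this check arrives over unauthenticated DNS, an attacker who can spoof the TXT or MX answers obtains a `pass`, which is the infrastructure attack the text warns about.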
PKI based authentication mechanisms may be message based [SMIME][PGP] or transport based [SSL][StartTLS]. Message based authentication provides robust end to end security but existing standards are written with a view to identifying the end user rather than the ISP or Enterprise transporting the email. For purposes of spam control it is generally preferable to authenticate and hold accountable ISPs and Enterprises rather than attempting to track the behavior of hundreds of millions of individual end users. Transport based PKI authentication is designed to provide authentication at the ISP or Enterprise level but the authentication information is lost in forwarding.
One of the drawbacks of any PKI based authentication mechanism is the processing time required to perform PKI operations. These costs may be mitigated using commonly available cryptography-acceleration products.
We distinguish between the following types of accreditation:
Identity Accreditation
The email sender has provided a real world identity and a physical address at which legal process can be served, and this information has been authenticated by means of some trustworthy process.
Policy Accreditation
In addition to meeting the identity accreditation requirements, the email sender has undertaken to comply with a specified email sending policy.
Reputation Accreditation
In addition to meeting the policy accreditation requirements, the email sender has been determined to be in compliance with those requirements.
These levels of accreditation represent an increasing commitment in terms of cost and complexity.
Identity accreditation provides a full delivery assurance for email from existing contacts and a partial assurance for email from existing domains and accredited senders. In addition identity accreditation increases the effectiveness of prosecution, litigation and reputation controls.
Policy accreditation additionally provides a full delivery assurance for email from existing domains and accredited senders and allows abuse penalty controls to be imposed.
Reputation accreditation provides a greater degree of assurance that a policy accreditation has not been abused to send spam.
For an accreditation scheme to be effective it must be used in conjunction with an authentication mechanism. In the case of the Bonded Sender program [Bonded] senders are authenticated by means of the IP address of the originating server in a manner similar to that of the DNS based authentication schemes. Project Lumos [Lumos] and TEOS [TEOS] use PKI based authentication mechanisms.
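The following is an added example, not code from the paper or from Bonded Sender, Lumos or TEOS, showing how a recipient can combine an authentication result with accreditation in the way the paper describes: accreditation counts only once the sender has been authenticated, an existing contact is delivered unconditionally, an accredited sender is delivered only if the recipient has chosen to treat that accreditor and level as implying trustworthiness, and the non-authenticated residue is filtered more aggressively. The accreditation assertion is modelled as an (accreditor, level) pair already attached to the message; its transport, the accreditor name and the filter thresholds are assumptions.

```python
"""Recipient-side delivery decision (added example; accreditor names and thresholds assumed)."""

LEVELS = {"identity": 1, "policy": 2, "reputation": 3}  # the paper's three accreditation types


class RecipientPolicy:
    def __init__(self, contacts, trusted_accreditors, normal_threshold=0.9, aggressive_threshold=0.5):
        self.contacts = {c.lower() for c in contacts}
        # accreditor -> lowest accreditation level this recipient accepts as implying trust
        self.trusted = {name.lower(): LEVELS[level] for name, level in trusted_accreditors.items()}
        self.normal_threshold = normal_threshold          # content-filter score above which authenticated mail is held
        self.aggressive_threshold = aggressive_threshold  # stricter cut-off applied to the unauthenticated residue

    def is_trustworthy(self, accreditation):
        """Accredited is what some third party asserts; trustworthy is what this recipient decides."""
        if accreditation is None:
            return False
        accreditor, level = accreditation
        required = self.trusted.get(accreditor.lower())
        return required is not None and LEVELS.get(level, 0) >= required

    def decide(self, sender, auth_result, accreditation, spam_score):
        """Return (verdict, reason); verdict is 'reject', 'deliver' or 'quarantine'."""
        sender = sender.lower()
        if auth_result == "fail":
            # the purported domain publishes a policy and this message violates it:
            # positively identified impersonation, no content analysis needed
            return "reject", "failed sender-domain authentication"
        if auth_result == "pass":
            if sender in self.contacts:
                return "deliver", "authenticated existing contact"
            if self.is_trustworthy(accreditation):
                return "deliver", "authenticated and accredited by an accreditor this recipient trusts"
            threshold, basis = self.normal_threshold, "authenticated, filtered at normal threshold"
        else:
            # none/neutral/softfail/permerror: without authentication an accreditation
            # claim is unverifiable and the contact list cannot be relied on either
            threshold, basis = self.aggressive_threshold, "unauthenticated, filtered at aggressive threshold"
        return ("quarantine" if spam_score > threshold else "deliver"), basis


# Constructed sample: one recipient's configuration and five incoming messages
# as (sender, authentication result, accreditation, content-filter score).
POLICY = RecipientPolicy(contacts=["bob@example.com"], trusted_accreditors={"AccreditorA": "policy"})
SAMPLE = [
    ("bob@example.com", "pass", None, 0.95),                               # contact: delivered despite high score
    ("news@shop.example.net", "pass", ("AccreditorA", "policy"), 0.7),      # trusted accreditation at required level
    ("news@shop.example.net", "pass", ("AccreditorA", "identity"), 0.95),   # accredited, but below the level required
    ("news@shop.example.net", "none", ("AccreditorA", "policy"), 0.7),      # accreditation claim without authentication
    ("bob@example.com", "fail", None, 0.1),                                # impersonated contact
]


def run_sample():
    return [POLICY.decide(*message)[0] for message in SAMPLE]


if __name__ == "__main__":
    for message, verdict in zip(SAMPLE, run_sample()):
        print(verdict, message)
```

The third and fourth messages carry the same accreditor name, and both are held: one because the recipient demands policy accreditation and only identity accreditation is offered, the other because an unauthenticated message could have attached anyone's accreditation. Raising `aggressive_threshold` towards `normal_threshold` is the lever the text describes being tightened as authentication spreads.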
Small-scale trials of security technologies tend to overstate their effectiveness when ubiquitously deployed since it is not worthwhile for an attacker to break a system until there is sufficient incentive to do so. This is one of the reasons why spam control measures developed in the research lab frequently prove disappointing when deployed on a wider scale.
The unknown factor in planning for authentication based spam control is the determination and ability of the attackers. Providing increased levels of assurance incurs increased costs. It is highly likely that a debate on the level of assurance necessary to defeat spam senders in advance of deployment will be a productive one.
Instead of advocating a particular level of security we present a series of authentication and accreditation levels that are ranked in order of increasing cost.
Level 1 DNS Authentication
Level 2 DNS Authentication + Identity Accreditation
Level 3A DNS Authentication + Policy Accreditation
Level 3B PKI Authentication + Identity Accreditation
Level 4 PKI Authentication + Policy Accreditation
Assurance levels 3A and 3B are grouped together since these may be realized in either order. It is likely that in practice these would represent intermediate stages towards a comprehensive deployment of a full-featured level 4 infrastructure. The principal cost involved in the issue of PKI credentials is the authentication of the subject’s identity rather than management of public key credentials.
Table 1 Cost and Benefits of Increasing Authentication and Accreditation Levels.

| Level | Mechanism | Cost | Effective Against | Delivery Assurance | Enable Control |
| --- | --- | --- | --- | --- | --- |
| 1 | DNS Authentication | Negligible | Impersonation spam | Existing contacts | |
| 2 | DNS Authentication + Identity Accreditation | Registration of identity | Impersonation spam | Existing contacts | Prosecution & Litigation |
| 3A | DNS Authentication + Policy Accreditation | Registration of identity | Impersonation spam | Existing contacts | Prosecution & Litigation |
| 3B | PKI Authentication + Identity Accreditation | Registration of identity | Impersonation spam | Existing contacts | Prosecution & Litigation |
| 4 | PKI Authentication + Policy Accreditation | Registration of identity | Impersonation spam | Existing contacts | Prosecution & Litigation |
[Bonded] Bonded Sender, http://www.bondedsender.org/
[Lumos] Network Advertising Initiative Email Service Provider Coalition, Project Lumos: A Solutions Blueprint for Solving the Spam Problem by Establishing Volume Email Sender Accountability, September 2003, http://www.networkadvertising.org/espc/Project_Lumos_White_Paper.pdf
[PGP] M. Elkins, D. Del Torto, R. Levien and T. Roessler, MIME Security with OpenPGP, RFC 3156, August 2001, http://www.ietf.org/rfc/rfc3156.txt
[PHB] Phillip Hallam-Baker, A Plan for No Spam, VeriSign Inc., May 2003, http://www.verisign.com/resources/wp/spam/no_spam.pdf
[RMX] Hadmut Danisch, The RMX DNS RR and method for lightweight SMTP sender authorization, Internet Draft draft-danisch-dns-rr-smtp-03.txt, October 2003, http://www.danisch.de/work/security/antispam.html
[SMIME] B. Ramsdell, S/MIME Version 3 Message Specification, RFC 2633, June 1999, http://www.ietf.org/rfc/rfc2633.txt
[SPF] Meng Weng Wong, Sender Permitted From: A Convention to Identify Hosts Authorized to Send SMTP Traffic, Internet Draft draft-mengwong-spf-02.txt, November 2003, http://spf.pobox.com/draft-mengwong-spf-02.txt
[Spitz] Lance Spitzner, Honeypots: Tracking Hackers, Addison-Wesley, September 2002, http://www.tracking-hackers.com/book/
[SSL] T. Dierks and C. Allen, The TLS Protocol Version 1.0, RFC 2246, January 1999, http://www.ietf.org/rfc/rfc2246.txt
[StartTLS] P. Hoffman, SMTP Service Extension for Secure SMTP over Transport Layer Security, RFC 3207, February 2002, http://www.ietf.org/rfc/rfc3207
[TEOS] Vincent Schiavone et al., Trusted Open Email Standard, May 2003, http://eprivacygroup.net/teos/TEOSwhitepaper1.pdf
[Vixie] Paul Vixie, Repudiating MAIL FROM, Internet Draft, June 6, 2002, http://ops.ietf.org/lists/namedroppers/namedroppers.2002/msg02158.html