Authentication & Reputation, Adding Business Value In The Real World - Presentation Transcript
Authentication & Reputation – Adding Business Value in The Real World
Agenda
Introductions & Agenda Review
The Big Picture
IP-based Blocklists and Reputation
Domain-based Authentication & Reputation
The Future
Q&A
Introductions
Patrick Peterson, Vice President Technology, IronPort Systems
Alberto Mujica, President and CEO, Reputation Technologies, Inc
Barry Abel, VP of Field Operations, Message Systems
Bill McInnis, Director, Message Level
The Big Picture
Identity: Who do you claim to be?
Authentication: Validate identity
Reputation: Risk of badness/probability of goodness based on historical factors
Certification: Third-party affirmation
Action: Make decision, take action
Identity
Patrick Richard Peterson
Allow onto airplane?
Allow into USA?
Owner of house on Whitney Street, San Francisco, CA?
IronPort Systems
Credit worthy?
www.cisco.com
Authorized resellers?
Authentication (of Identity)
Handshake
Photograph
Chip
Fingerprint
Signature, Notary
Retina scan
Consumer Credit Reputation
Three Credit Bureaus sell credit reports
Fair Isaac provides underlying technology
“Fair Isaac Corporation (NYSE: FIC) is the leading provider of decision management solutions powered by advanced analytics. … Today, the company’s solutions, software and consulting services power more than 180 billion smarter business decisions each year for companies worldwide.”
Business Credit Reputation
D&B (NYSE: DNB) is the world’s leading source of commercial information and insight on businesses, enabling companies to Decide with Confidence® for over 165 years.
Certification
Third-party that certifies (accredits) that an entity complies with certain standards or practices
Facts about IP Based Authentication
Not really authentication, better referred to as identification
Difficult or impossible to spoof
IP based identification runs into limitations when
Senders are on shared email servers (Like giving a license to a car and not a person)
Behind proxies
Senders would like to send different kinds of messages from the same IP
RBLs provide Good/Bad responses, not a range of responses
Current Situation with IP Based Authentication
DKIM and/or SPF authentication are prerequisites for domain-based authentication and therefore for domain-based reputation
Once SPF and/or DKIM are widely adopted, reputation can be based on domain names
Email reputation providers like ReturnPath, Habeas and Reputation Technologies require static IP addresses
Because SPF and DKIM are not yet over the tipping point, email reputation providers like ReturnPath, Habeas and Reputation Technologies have to use IP identification instead of domain authentication
Barry Abel, Message Systems VP Field Operations
Authenticating Domains
SenderID and DKIM
Both work to verify that every e-mail message originates from the Internet domain from which it claims to have been sent.
SenderID
DKIM
Current Status of DKIM & Sender ID
DKIM
The Internet Engineering Task Force (IETF) made DKIM a standard in May 2007
Already in wide use
Sender ID*
Every day, 20 million forged messages are detected by Sender ID-enabled domains.
Reputable marketers that have adopted Sender ID have realized improved deliverability, with up to 85 percent fewer messages mistakenly marked as spam in Windows Live Hotmail.
With spam increasing 40 percent in the past 12 months, spam in Hotmail users’ inboxes has actually been reduced by 50 percent; Sender ID contributed 8 percent of that reduction.
*Microsoft news release dated 5/18/07
Why Use Domain Authentication
ISPs are using various technologies to protect their customers and themselves.
Like going into battle, ISPs need multiple layers of protection
Authentication/Reputation
Anti-spam
Anti-virus
Policy Enforcement
To gain access through these lines of defense you need to have the same technologies.
Bill McInnis
Director, Message Level
DO SOMETHING!!!
Strongly worded suggestions being offered by Associations for members to implement SPF and DKIM
DMA, BITS, ESPC
Example: BITS is recommending TLS, SPF, SIDF and DKIM within 18 months
Associations can talk 10x faster than their constituents can move
Many ISPs are committed to using authentication to evaluate email
Hotmail
Yahoo/Gmail
SPF and DKIM pros
SPF
Allows companies to identify mail servers where mail is authorized to come from
Relatively easy for senders to support
Many ISPs utilize SPF as a factor in email delivery
DKIM
More heavyweight solution
Allows a company to cryptographically sign an email
Allows ISPs to identify signatures and associated messages that compute correctly and handle those messages differently
SPF and DKIM Cons
SPF
Breaks some current use cases of email – Forwarding, etc
Senders don’t know what receivers are doing, if anything
Does not protect anything the end user sees: SPF checks the RFC 2821 envelope address (xyz.com), not the RFC 2822 header address (chase.com). Does this make SPF worth much of anything?
DKIM
Doesn’t break forwarding; no reliable replay protection
Potential for signature breakage
Cannot reliably detect bad messages
No data for senders
Many traditional problems associated with PKI key propagation and changes
Authentication Alone Creates a False Sense of Security
Delivered-To: [email_address]
Received: by 10.67.65.8 with SMTP id s8cs550968ugk; Tue, 8 May 2007 10:05:35 -0700 (PDT)
Received: by 10.90.105.19 with SMTP id d19mr6545698agc.1178643934853; Tue, 08 May 2007 10:05:34 -0700 (PDT)
Return-Path: [email_address]
Received: from mail03.bankofamerica.cl (mail03.bankofamerica.cl [200.75.25.175]) by mx.google.com with ESMTP id 14si2200432wrl.2007.05.08.10.05.33; Tue, 08 May 2007 10:05:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of administrator@bankofamerica.cl designates 200.75.25.175 as permitted sender)
From: "Bank of America" [email_address]
To: [email_address]
Subject: Reactivate your Account
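Added example (not part of the original slides): a receiver-side check covering both the SPF con above (envelope domain differs from the header domain) and this slide's case, where SPF passes for a domain that does not belong to the brand in the display name. The brand table, the function names and the addresses the slide redacts are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the slide's headers. The From and To
# addresses are redacted on the slide; the values here are placeholders.
SAMPLE = """\
Return-Path: <administrator@bankofamerica.cl>
Received-SPF: pass (google.com: domain of administrator@bankofamerica.cl
 designates 200.75.25.175 as permitted sender)
From: "Bank of America" <administrator@bankofamerica.cl>
To: <user@example.org>
Subject: Reactivate your Account

body
"""

# Hypothetical reputation data: display name -> domains the brand really uses.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}

def spf_result(msg):
    """Return (result, domain) from a Received-SPF header in the comment
    style shown on the slide ("domain of user@domain designates ...")."""
    value = " ".join((msg.get("Received-SPF") or "").split())  # unfold
    m = re.match(r"(\w+)\b.*?domain of \S*@([\w.-]+)", value)
    return (m.group(1).lower(), m.group(2).lower()) if m else ("none", None)

def assess(raw):
    """Separate 'SPF passed' from 'the sender is who the user sees'."""
    msg = message_from_string(raw)
    result, spf_domain = spf_result(msg)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    if result != "pass":
        findings.append("spf-not-pass")
    elif spf_domain != from_domain:
        # SPF vouched for the envelope domain, not the one shown to the user.
        findings.append("spf-domain-differs-from-header-from")
    expected = BRAND_DOMAINS.get(display.strip().lower())
    if expected and from_domain not in expected:
        # Authenticated, but as a domain the named brand does not own.
        findings.append("display-name-brand-mismatch")
    return {"spf": result, "spf_domain": spf_domain,
            "from_domain": from_domain, "findings": findings}

if __name__ == "__main__":
    print(assess(SAMPLE))
```
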
S3: Authentication and Reputation: Adding Business Value in the Real World
It's not a secret that the adoption of authentication and reputation standards is hitting critical mass in organizations around the globe. Almost 40 percent of all email is authenticated with Sender ID and/or DKIM, but what does that mean to an organization? Is authenticated email helping businesses improve efficiencies and protect their inboxes?
Attendees will learn the direct impact authentication and reputation can have on business goals and bottom lines. From brand protection to deliverability to curtailing spam, learn how adopting and taking action based on authentication and reputation can dramatically affect businesses on many levels.
MODERATOR: Patrick Peterson, VP Technology, IronPort
PANELIST: Barry Abel, VP of Field Operations, Message Systems
PANELIST: Bill McInnis, Director, Message Level
PANELIST: Alberto Mujica, President and CEO, Reputation Technologies Inc.