Book Excerpt

Avoid phishing with e-mail authentication: Sender ID


What you will learn from this chapter excerpt: How Sender ID provides e-mail authentication and helps organizations avoid phishing.

Sender ID provides another authentication method. Microsoft began implementing Sender ID to protect mailboxes at Hotmail and MSN. Sender ID is a proposed specification developed within the MARID IETF Working Group between May and October 2004. Sender ID works by looking at information both in the "envelope" of the e-mail message and in the message itself.

Thought of as SPF + Caller ID, Sender ID compares that information with data published by domain owners in the Domain Name System (DNS), to confirm that the e-mail actually came from the domain that it appears to be from. For example, recipients could be sure an e-mail from fred@yahoo.com was actually from someone at the yahoo.com domain.

E-mail Security School
Attend our on-demand E-mail Security School webcasts and learn tactics for securing your e-mail systems while earning CPE credits from (ISC)2.
Sender ID consists of two parts: the SPF Classic plus PRA, allowing mail recipients to perform two kinds of checks.

Unfortunately, several major issues arose during the operation of the Sender ID working group, MTA Authentication for DNS (MARID), which led to its demise. Technical questions arose as to whether Sender ID would work as specified. Most of these questions were rooted in the basic differences between path authentication and message authentication and remain unresolved.

Microsoft also filed for patents on parts of Sender ID, making the developer community unhappy about the strict licensing and ownership control Microsoft exerted, such as requiring Sender ID implementers to sign a license agreement to protect undisclosed and unspecified patents. Although the actual patent application was eventually published toward the end of the life of MARID, it came too late.

Another factor in MARID's demise was that eager technology reporters frequently reported email authentication as the final cure for spam. This created great expectations for email authentication, which were dashed once the hard truth settled in that email authentication did not stop spam.

As a result, any useful work of the MARID group slowed to a crawl with the IETF eventually shutting down the group. Recently AOL has withdrawn its support and is falling back on Sender Policy Framework (SPF). Evidently AOL has technical concerns that Sender ID may not be fully backwardly compatible with the original SPF specification.


E-MAIL AUTHENTICATION

  Introduction
  The Sender Policy Framework (SPF)
  SenderID
  DomainKeys
  Cisco Identified Internet Mail

PHISHING: CUTTING THE IDENTITY THEFT LINE
By Rachael Lininger and Russel Dean Vines
334 pages; $29.99
John Wiley & Sons
Read Chapter 6, Helping your organization avoid phishing

This was first published in May 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: