Determining Sender Reputation

The concept of sender reputation has long been a potent tool in the messaging abuse arsenal. However, being able to identify a sender with certainty, via authentication that an email is actually coming from who it claims to be, will make reputation even more powerful. In June, the Messaging Anti-Abuse Working Group (MAAWG) issued Trust in Email Begins with Authentication (pdf), which explains the relationship between authentication and reputation in this way: “At its simplest, identifying Good Actors can be divided into two activities: A safe means of identifying a participant—such as an author or an operator of an email service—and then a useful means of assessing their trustworthiness. The first activity is called authentication and the second is usually called reputation assessment.”

The most common authentication mechanisms include: Sender Policy Framework (SPF), Sender Identification Framework (Sender ID or SIDF) and DomainKeys Identified Mail (DKIM). “SPF and SenderID have been stable for some years now; both the potential benefits and potential pitfalls are fairly well understood,” says J.D. Falk, MAAWG program committee co-chair and Return Path director of product strategy. “At this point, industry attention is largely focused on DKIM.” As Falk states, it has been many years since authentication came on the messaging abuse scene, but not everyone understands what it is. “The largest barrier to adoption is understanding,” continues Falk. “Attempts to oversimplify what DKIM does—and what it doesn’t—have led to widespread belief that it’s an anti-spam technology, but what it’ll actually do is assist in identifying NON-spam mail. And even there, the mere presence of a DKIM signature isn’t a guarantee that the mail isn’t spam. ISPs and others on the receiving side will still have to make that determination for themselves; DKIM just gives them more accurate data to base the decision on.”

Contrary to common belief, receivers benefit from DKIM as much as senders do. Many think that authenticating is a high-volume sender benefit, ensuring deliverability of mail, but in fact it is just as beneficial to receivers and to organizations of all sizes. “I view DKIM primarily from the receiver’s point of view—whenever you get an email message, you want certainty that it is from who you think it came from,” says Arvel Hathcock, founder and CEO of Alt-N Technologies and Internet Engineering Task Force (IETF) working group member. “Today, DKIM is the way of doing that from the receiver’s point of view. There is no reason why receivers should not be interested in this. In my opinion all receivers regardless of the size of their company or the volume of their mail traffic should be using DKIM capable software, at least for verifying signatures that are within incoming mail. That to me is a universal.” Hathcock also notes that all senders, not just the high-volume ones traditionally thought of as the beneficiaries of authentication, should be signing their mail. “Every company has a vested interest in protecting their brand and their brand is their domain name,” he says.

Michael Adkins, AOL senior systems programmer and co-chair of the MAAWG technical committee and editor of the recently published whitepaper MAAWG Message Sender Reputation Concepts and Common Practices says, “Lower volume domains face all sorts of delivery challenges under the current IP address-based reputation systems. They might be sharing an IP address with several other domains and one ‘bad neighbor’ might cause delivery issues for all of them. Their provider might move them from one IP address to another, causing them to lose any good reputation they had built up. Even worse, they might be moved to an IP address that used to belong to a spammer and have to deal with the leftover delivery issues.” Adkins explains that what DKIM provides to small businesses, universities, churches, and community organizations is a consistent online identity. “That identity will be clear and distinct to other mailbox providers automatically, regardless of any infrastructure changes and challenges the signing domain has to endure. That is really the strength of a standard sender authentication mechanism. All the smaller domains that previously had no way within their means to ensure they got the delivery they deserved will have a simple way to stand out and be rewarded for their good behavior.”


Adoption Barriers

Regardless of benefits, DKIM adoption has been slow for a variety of reasons. “I think the current barrier to DKIM adoption is a lack of clear immediate benefit to the signer,” states Adkins. “Folks on the mailbox provider and assessment side are working toward using DKIM, but it’s all still very experimental and there is a limited amount of data about signed mail to work with. As a result, there isn’t clear guidance to signers regarding what their signing policies should be in order to gain any benefits. It’s sort of a ‘chicken and egg’ situation. The good news is that we are making progress both at the IETF level and in industry groups like MAAWG. MAAWG previously released a paper on sender authentication, now one on sender reputation, and the next topic in the series will be authenticated sender reputation.”

Hathcock believes that one key to increasing adoption is receivers. “As more receivers adopt—more of the senders will get on board too. It is happening, it is just that some pieces are still being worked on. I do not think everyone has the full appreciation of the importance yet—but once done, I think they will.” One such piece is ADSP (Author Domain Signing Practices). According to Hathcock, ADSP is a mechanism that allows a receiver of a message to determine whether or not a signature should be there. “For example, I get a message from Yahoo.com and there is no signature,” explains Hathcock. “The receiver can ask Yahoo.com: ‘Hey, I just got a message from you and it was not signed.’ Yahoo.com can reply: ‘You decide if it is ok, but I will tell you this: I sign everything I send.’ ADSP is a way of empowering the receiver with the ability to make a judgment call on whether a message is forged. This is the next natural evolution of where we are trying to go. And this has been worked on by the IETF working group and it is now in last call. I am convinced that when it comes out in its final form, it will have the certainty that implementers within companies are expecting to have and they will start to act on it, just as they did with the DKIM spec—we got a lot more adoption and embrace, once it actually got the ‘done’ stamp.”
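The receiver-side check Hathcock describes, as an added example that is not from the article or from any of the organizations quoted: per RFC 5617 a domain publishes its practice as a TXT record at `_adsp._domainkey.<author-domain>`, and the receiver consults it only when the message carries no valid DKIM signature from the From: domain. The DNS table and domain names below are constructed placeholders standing in for a real resolver.

```python
import re

# Constructed stand-in for DNS so the example runs offline. Real receivers
# would issue a TXT query for _adsp._domainkey.<author-domain> instead.
CONSTRUCTED_DNS = {
    "_adsp._domainkey.signs-all.example": ["dkim=all"],
    "_adsp._domainkey.strict.example": ["dkim=discardable"],
    "_adsp._domainkey.unknown.example": ["dkim=unknown"],
    # nopolicy.example publishes no ADSP record at all
}

def lookup_txt(name, dns=CONSTRUCTED_DNS):
    """Return the TXT strings published at name, or [] if none exist."""
    return dns.get(name.lower(), [])

def fetch_adsp(domain, dns=CONSTRUCTED_DNS):
    """Return the published practice ('all', 'discardable', 'unknown') or None."""
    for txt in lookup_txt("_adsp._domainkey." + domain, dns):
        m = re.match(r"\s*dkim\s*=\s*(all|discardable|unknown)\s*(;|$)", txt)
        if m:
            return m.group(1)
    return None

def author_domain(from_header):
    """Extract the domain of the From: address (simplified, one address)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None

def evaluate_adsp(domain, has_valid_author_signature, dns=CONSTRUCTED_DNS):
    """Map a message to an RFC 5617 ADSP result.

    has_valid_author_signature is True when a DKIM signature verified and
    its d= tag matches the From: domain (an Author Domain Signature); in
    that case the published practice is irrelevant and the result is pass.
    Otherwise the domain's stated practice decides how suspicious the
    unsigned message is: 'fail' (domain says it signs everything),
    'discard' (domain asks that unsigned mail be dropped), 'unknown'
    (domain makes no claim) or 'none' (no record published).
    """
    if has_valid_author_signature:
        return "pass"
    practice = fetch_adsp(domain, dns)
    if practice is None:
        return "none"
    if practice == "all":
        return "fail"
    if practice == "discardable":
        return "discard"
    return "unknown"

if __name__ == "__main__":
    d = author_domain("Alice <alice@signs-all.example>")
    print(d, evaluate_adsp(d, has_valid_author_signature=False))
```

An ADSP result of fail or discard is an input to the receiver's own filtering decision, not a verdict by itself; the domain has only told the receiver what to expect.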

Michael O’Reirdan, MAAWG chairman, agrees: “Whilst there is widespread acceptance of SPF/SenderID and DKIM, it is not a silver bullet and forms only a part of the toolkit in the battle against spam. You will see further adoption of DKIM, but it will need additional work at the IETF on complementary standards such as ADSP, which gives meaning and the intent of the signer to the signature or signatures which are attached to the mail with DKIM.”


Beyond IP-Based Reputation

Hathcock notes that he would like to see a shift away from IP-based reputation assessment—such as DNS blacklists (DNSBLs)—to domain-based reputation assessment. “I want to see the death of IP-based, once the domain-based is good enough,” he says. “The reason is domains are portable—that is who you are—you are not your IP-address. IPs can change for a variety of reasons, but your domain is you. And you are not going to change that. It is a better model—if we can get to it.” Hathcock sees two possibilities: either an organization like Spamhaus (which tracks IP addresses and publishes the most widely used DNSBL) volunteers, or, more likely, a for-profit reputation business takes the lead.

One such company is Ingenious Systems Research. “We have had domain-based reputation since 2004, but have never used it externally,” reveals Steven V. Jackson, co-founder and systems engineer. “We use it internally as a quality of service measuring tool to monitor and evaluate our determinations to make sure they are staying accurate.” Jackson acknowledges that most agree that having domain-based reputation would be great. “The direction we plan to go is to put that data out there and give people that smoking gun to aim directly at their email traffic and use as a real front-end filtering mechanism.” The time appears to have come, as Jackson says: “Our big turning point was realizing that we belong in reputation services. What we see in reputation right now is mostly to do with IP-based reputation services. It asks where did the traffic come from? Some of it includes user input. To me, user reporting is the least reliable way to categorize email. We are part of an AOL feedback loop program, so I get thousands of reports from AOL every single week with feedback of sales receipts, membership confirmations—real email about actual user actions, things that are beyond reproach that are being marked as spam by users.”

In Hathcock’s view, a for-profit model may not work. “It is a different business model from the receiver’s point of view, it needs to be free to query the database. They can impose whatever business requirements they want on senders, but it has to be free for receivers.” Hathcock also notes a proof of concept being done by dkim-reputation.org, a grassroots DKIM domain-based reputation service trying to show what might be possible. “It is not extensive enough to solely rely on right now, and they are limiting their scope on purpose, but it is interesting and it shows a first step.”

Jackson understands the timing and the potential: “We would like to make domain-based reputation information available to everyone. It is not just about making money. We are interested in the ‘do the world a favor’ aspect of this. We have been at it for a long time ourselves. While we are ready to make some money at it, the flip side is that we have been beaten over the head by our own struggles in this arena. We have been in charge of the tech support departments that had to take the complaints; we have run the mail servers that were washed over by these tremendous worm attacks; we have fought this battle from the trenches for so long, that we would like to plant a flag and declare triumph and call it over.”

The immediate plan for Ingenious Systems Research is to start with cable companies, but the company is open to other opportunities. “The greatest thing would be if a benevolent organization would come along and buy the whole thing and open-source it,” says Jackson. “I think if we ever got in the position to be able to do that we would open source it ourselves, just so that everyone could have it.”

In the meantime, Falk continues to encourage adoption of DKIM by all organizations, regardless of size. “If you’re a sender of email and you care about your brand identity, or about the safety of your recipients, then you’ll want to authenticate so that the recipients can be certain the mail is from you. Without authentication, it’s much more difficult for anyone—especially end-users—to tell whether the mail is really from you, or from a scammer pretending to be you. We’ve seen scammers and phishers pretending to be tiny local credit unions almost as often as we’ve seen them pretending to be the big banks. Nobody is immune.”