Transcript
Page 1: Authentication & Reputation, Adding Business Value In The Real World

Authentication & Reputation – Adding Business Value in The Real World

Page 2: Authentication & Reputation, Adding Business Value In The Real World

Agenda

1. Introductions & Agenda Review

2. The Big Picture

3. IP-based Blocklists and Reputation

4. Domain-based Authentication & Reputation

5. The Future

6. Q&A

Page 3: Authentication & Reputation, Adding Business Value In The Real World

Introductions

• Patrick Peterson, Vice President Technology, IronPort Systems

• Alberto Mujica, President and CEO, Reputation Technologies, Inc

• Barry Abel, VP of Field Operations, Message Systems

• Bill McInnis, Director, Message Level

Page 4: Authentication & Reputation, Adding Business Value In The Real World

The Big Picture

1. IDENTITY: Who do you claim to be?

2. AUTHENTICATION: Validate Identity

3. REPUTATION: Risk of badness/probability of goodness based on historical factors

CERTIFICATION: Third-party affirmation

4. ACTION: Make decision, take action

Page 5: Authentication & Reputation, Adding Business Value In The Real World

Identity

• Patrick Richard Peterson
  – Allow onto airplane?
  – Allow into USA?
  – Owner of house on Whitney Street, San Francisco, CA?

• IronPort Systems
  – Credit worthy?

• www.cisco.com
  – Authorized resellers?

Page 6: Authentication & Reputation, Adding Business Value In The Real World

Authentication (of Identity)

• Handshake
• Photograph
• Chip
• Fingerprint
• Signature, Notary
• Retina scan

Page 7: Authentication & Reputation, Adding Business Value In The Real World

Consumer Credit Reputation

Three Credit Bureaus sell credit reports

Fair Isaac provides underlying technology

“Fair Isaac Corporation (NYSE: FIC) is the leading provider of decision management solutions powered by advanced analytics. … Today, the company’s solutions, software and consulting services power more than 180 billion smarter business decisions each year for companies worldwide.”

Page 8: Authentication & Reputation, Adding Business Value In The Real World

Business Credit Reputation

D&B (NYSE:DNB) is the world’s leading source of commercial information and insight on businesses, enabling companies to Decide with Confidence® for over 165 years.

Page 9: Authentication & Reputation, Adding Business Value In The Real World

Certification

• Third-party that certifies (accredits) that an entity complies with certain standards or practices

Page 10: Authentication & Reputation, Adding Business Value In The Real World

Facts about IP Based Authentication

Not really authentication, better referred to as identification

Difficult or impossible to spoof

IP based identification runs into limitations when

  – Senders are on shared email servers (like giving a license to a car and not a person)

  – Behind proxies

  – Senders would like to send different kinds of messages from the same IP

RBLs provide Good/Bad responses, not a range of responses

Page 11: Authentication & Reputation, Adding Business Value In The Real World

Current Situation with IP Based Authentication

DKIM and/or SPF authentication are prerequisites for domain based authentication and therefore reputation

Once SPF and/or DKIM are widely adopted, reputation can be based on domain names

Email reputation providers like ReturnPath, Habeas and Reputation Technologies require static IP addresses

Because SPF and DKIM are not yet over the tipping point, email reputation providers like ReturnPath, Habeas and Reputation Technologies have to use IP identification instead of domain authentication

Page 12: Authentication & Reputation, Adding Business Value In The Real World

Fast> Flexible> Focused>

Barry Abel, VP Field Operations, Message Systems

Page 13: Authentication & Reputation, Adding Business Value In The Real World


Authenticating Domains

SenderID and DKIM

Both work to verify that every e-mail message originates from the Internet domain from which it claims to have been sent.

Page 14: Authentication & Reputation, Adding Business Value In The Real World


SenderID

Page 15: Authentication & Reputation, Adding Business Value In The Real World


DKIM

Page 16: Authentication & Reputation, Adding Business Value In The Real World


Current Status of DKIM & Sender ID

• DKIM
  – The Internet Engineering Task Force (IETF) made DKIM a standard in May 2007
  – Already in wide use

• Sender ID*
  – Every day, 20 million forged messages are detected by Sender ID-enabled domains.
  – Reputable marketers that have adopted Sender ID have realized improved deliverability, with up to 85 percent fewer messages mistakenly marked as spam in Windows Live Hotmail.
  – With spam increasing 40 percent in the past 12 months, spam in Hotmail users’ inboxes has actually been reduced by 50 percent; Sender ID contributed 8 percent of that reduction.

*Microsoft news release dated 5/18/07

Page 17: Authentication & Reputation, Adding Business Value In The Real World

Bill McInnis, Director, Message Level

Page 18: Authentication & Reputation, Adding Business Value In The Real World

DO SOMETHING!!!

• Strongly worded suggestions being offered by Associations for members to implement SPF and DKIM
  – DMA, BITS, ESPC
  – Example: BITS is recommending TLS, SPF, SIDF and DKIM within 18 months

• Associations can talk 10x faster than their constituents can move

• Many ISPs are committed to using authentication to evaluate email
  – Hotmail
  – Yahoo/Gmail

Page 19: Authentication & Reputation, Adding Business Value In The Real World

SPF and DKIM pros

• SPF
  – Allows companies to identify mail servers where mail is authorized to come from
  – Relatively easy for senders to support
  – Many ISPs utilize SPF as a factor in email delivery

• DKIM
  – More heavyweight solution
  – Allows a company to cryptographically sign an email
  – Allows ISPs to identify signatures and associated messages that compute correctly and handle those messages differently

Page 20: Authentication & Reputation, Adding Business Value In The Real World

SPF and DKIM Cons

• SPF
  – Breaks some current use cases of email (forwarding, etc.)
  – Senders don’t know what receivers are doing, if anything
  – Does not protect anything the end user sees
    – 2821 address (xyz.com), 2822 address (chase.com)
    – Does this make SPF worth much of anything?

• DKIM
  – Doesn’t break forwarding
    – No reliable replay protection
    – Potential for signature breakage
  – Cannot reliably detect bad messages
  – No data for senders
  – Many traditional problems associated with PKI key propagation and changes

Page 21: Authentication & Reputation, Adding Business Value In The Real World

Authentication Alone Creates a False Sense of Security

Delivered-To: [email protected]
Received: by 10.67.65.8 with SMTP id s8cs550968ugk;
        Tue, 8 May 2007 10:05:35 -0700 (PDT)
Received: by 10.90.105.19 with SMTP id d19mr6545698agc.1178643934853;
        Tue, 08 May 2007 10:05:34 -0700 (PDT)
Return-Path: [email protected]
Received: from mail03.bankofamerica.cl (mail03.bankofamerica.cl [200.75.25.175])
        by mx.google.com with ESMTP id 14si2200432wrl.2007.05.08.10.05.33;
        Tue, 08 May 2007 10:05:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 200.75.25.175 as permitted sender)
From: "Bank of America" [email protected]
To: [email protected]
Subject: Reactivate your Account
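
Added example (not part of the original slides): a receiver-side check showing why an SPF "pass" alone decides nothing, using the deck's illustrative 2821/2822 domains (xyz.com, chase.com). The sample messages, the reputation table, the simplified alignment rule and all function names are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: SPF passes for the envelope (2821) domain xyz.com
# while the visible (2822) From: header shows chase.com.
SPOOFED = """\
Return-Path: <bounce@xyz.com>
Received-SPF: pass (mx.example: domain of bounce@xyz.com designates 192.0.2.10 as permitted sender)
From: "Chase" <service@chase.com>
Subject: Reactivate your Account

body
"""

# Constructed look-alike case: envelope and From: agree, so authentication
# is clean and only reputation can separate it from the real sender.
LOOKALIKE = SPOOFED.replace("xyz.com", "bank-login.example").replace(
    "chase.com", "bank-login.example")

# Hypothetical reputation data; a real receiver would query a reputation service.
REPUTATION = {"chase.com": "good"}


def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(a, b):
    """Simplified alignment: same domain, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def evaluate(raw):
    """Identity -> authentication -> reputation -> verdict for one message."""
    msg = message_from_string(raw)
    spf = (msg.get("Received-SPF", "none").split() or ["none"])[0].lower()
    envelope = domain_of(msg.get("Return-Path"))
    visible = domain_of(msg.get("From"))
    if spf != "pass":
        return "unauthenticated"
    if not aligned(envelope, visible):
        # SPF vouched for a domain the end user never sees.
        return "spf-pass-but-from-unaligned"
    return "authenticated-" + REPUTATION.get(visible, "unknown") + "-reputation"
```

The look-alike message authenticates cleanly and is separated from the legitimate sender only by the reputation lookup, which is the point of the slide above.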

