— Then, Now, and Later Eric Allman Thom O’Connor Sendmail, Inc.

A (Very) Brief History of springs from the ArpaNET as an afterthought — special form of file transfer Slow networks, low volume, limited audience (academic and research) Quickly became a “killer app” 1984: Internet appears, still limited audience April 30, 1995: The rules change — Internet is privatized; net becomes available to anyone with money for any purpose Some privately held backbones prior to this, but limited commercial use because of government rules becomes a critical part of the business infrastructure

Where Are We Right Now? Good (but could be better): timely, anywhere access, reasonable marginal cost, ability to file and store, searchable (sort of), can auto-handle, elements of privacy and reliability Not so good: spam and viruses are here to stay  When there’s money to be made, people will figure out how to make money  Think of spam as roaches: you can keep them under control but not eliminate them (Dave Crocker) Commercial entities want to use to supplant physical mail: bills, statements, ads, trade acknowledgements, etc. Traffic load keeps going up — this isn’t going to change even when we fix the spam problem

Pressures Placed on Today Summary: better control and access, more secure, reliable, and flexible Message filtering and filing capabilities on the server brought down to the end-user level (better control) Integration of wireless access with traditional methods of access (better access) Synchronization of data regardless of access method (more flexible) Message validity and classification (more secure, more reliable)

Better Control Message filtering and filing capabilities: First came anti-virus, content filtering, and anti-spam basics on a site-wide level Soon after, it was “Classes of Service”, with different groups of users with different needs Now it’s complete per-user control  SIEVE filtering and fileinto (RFC 3028)  SMS notification and forwarding  User-based classifications of what is valid and not valid (spam) Need to push per-user controls out to the perimeter

Better Access Everything going wireless and everyone going mobile (obvious) Security (and privacy) of information is a major challenge The basic protocols exist to provide the access, but not easily assembled — HTTP/HTTPS, IMAP/IMAPS, WAP, iMODE, RSS, WebDAV, and a mix of proprietary protocols (e.g., Blackberry) Users want all functions on all devices

More Secure Everyone talks the security talk, but not enough walk the security walk Some ISPs block or redirect outgoing port 25 Challenges: interoperability (PKI, certificate management), MUA (client) implementation differences, ease of use, corporate enforcement policy Being driven by legal and policy issues:  SEC, HIPPA, Sarbanes-Oxley Continued slow growth of STARTTLS and SMTPS, IMAPS, POPS, Public Key encryption (PGP & S/MIME), HTTPS Still need a trigger to kick-start wider usage of encryption in

More Reliable The clear need for authentication Sender domain authentication is the necessary precursor to the next big thing in Authentication introduces accountability, message identification, and prioritization Service providers will need to have their users authenticate before submitting mail (RFC 2476) [transitive accountability] The best authentication is one based on proven security techniques such as SMTP AUTH (RFC 2554)

What You Should Think About When Designing an System Today Scaling for the present and the future Regulatory compliance Reliability appropriate for your needs  E.g., redundancy if necessary (but expensive) Resilience against Denial of Service attacks Flexibility to do what you need Don’t get caught up in a single litmus test People are more expensive than silicon: move work from people to computers wherever possible

Predictions about the Future (2–3 years) Obvious:  Volume will continue to go up for quite some time  Spam will be better addressed, albeit not fixed Companies will separate their mail based on class and outsource a lot of it  Bill presentment, advertisements, newsletters, etc.  Personal exchange with customers, partners, and colleagues will be treated separately and differently Legal landscape will change: e-information will be held to stricter standards than paper Mail will move toward IM but not fully merge SMTP will morph, but there will be no serious contender for replacement

Spam Predictions (Next 2–3 Years) ePostage won’t succeed for several years:  User resistance  Vendor bickering  Pragmatic problems Authentication techniques will help dramatically, but will not solve the problem by themselves  Fraud will be directly addressed and reduced  Spammers will adapt to the extent they can, but they will be more exposed Accreditation/Reputation systems will gain a foothold, but not globally; value will be debatable Most pure content-filtering techniques will stumble because they just can’t keep up

Problems Without (Current) Solutions Enforcing encryption by the message recipient (“I don’t want to accept unencrypted mail from Travelocity”) Automated outgoing encryption (per domain and/or per recipient) [available on a limited basis] Better PKI — DNS use for key distribution may not scale well, especially to larger keys MUA support for new functionality — e.g., display authentication status [Microsoft is doing some]

Conclusions is not dead, far from it: expect more, much more — but don’t ignore serious challenges SMTP is not dead, but it will change to meet the demands (e.g., SUBMITTER extension) Authentication will be a major and important change, but won’t immediately do as much as we would like Spam will be dealt with, albeit not without cost to both legitimate senders and receivers  “Dealt with” doesn’t mean annihilation, just reducing it to a dull roar

Questions?