DNS-based Message-Transit Authentication Techniques. D. Crocker, Brandenburg InternetWorking.

2  What we will cover…
D. Crocker, DNS-based Authentication Techniques
- A little background
- Evaluating anti-spam proposals:
  - Authentication proposals
  - Content vs. Operations
  - Permit Ops Admin to enforce accountability
- Strengths and weaknesses
- Current status

3  Setting the Context
[Cartoon, © 1975(!) Datamation: “This? Oh, this is the display for my electronic junk mail.”]

4  Email has Become Complicated…
[Diagram: the Mail Handling Service (MHS) spanning an MSA, several MTAs, MDAs, a Mediator and a Bounce agent, with MUAs at the edges.]
- MUA: User Agent
- Mediator: User-level Relay
- MHS: Mail Handling (transit) Service
- MSA: Submission
- MTA: Transfer
- MDA: Delivery
- Bounce: Returns

5  More Than One “Sender”
[Diagram: MUA, MSA, MTA, MTA, MDA, with a Mailing List in the path and a Bounce agent.]
Identities a receiver can see, each set by a different party:
- MTA IP
- rfc2821.HELO
- Provider Network IP
- rfc2822.Sender
- rfc2822.From
- rfc2821.MailFrom (Bounce/Return-Path, set by rfc2822.Sender)
- rfc2821.Received

6  Trust Boundaries
[Diagram: the path from MUA through MSA, MTAs, Mediator and MDA crosses seven Administrative Environments, AE 1 through AE 7.]
AE: Administrative Environment

7  Content analysis (e.g., Bayesian) vs. Accountability
Accountability is composed of:
- Identity: Who does this purport to be? (IP Address or Domain Name)
- Authentication: Is it really them?
- Authorization: What are they allowed to do?
- Assessment: What do I think of the agency giving them that permission? (e.g., Reputation or Accreditation)

8  Address Registration Schemes
Sender Policy Framework (SPF), schlitt-spf-classic
  Identity: rfc2821.MailFrom, rfc2821.Helo
  DNS RR: SPF or TXT, v=spf1
  Purpose: Register client MTA with MailFrom domain. “Owners authorize hosts to use their domain name in the MAIL FROM or HELO”
Sender-ID (SID), lyon-senderid-core
  Identity: rfc2822.Sender, rfc2821.MailFrom
  DNS RR: SPF or TXT, v=spf1 or spf2.0
  Purpose: Register client MTA with Sender domain. “Does SMTP client have permission from referenced mailbox?”
Certified Server Validation (CSV), mipassoc.org/csv
  Identity: rfc2821.Helo
  DNS RR: A
  Purpose: Register client MTA domain of ops. “Permits SMTP server to decide whether SMTP client is likely to produce well-behaved traffic”
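The practical difference between the two registration schemes is which identity the record is looked up for: SPF keys on the rfc2821.MailFrom domain (falling back to HELO for an empty bounce address), Sender-ID on the Purported Responsible Address taken from the rfc2822 headers. The following evaluator is an added example, not code from the presentation or from any SPF/Sender-ID implementation; it runs offline against constructed zone data (the domains and records below are invented), supports only the ip4, ip6, include and all terms (a, mx, ptr and exists need live DNS), and simplifies the PRA selection of RFC 4407 to "first of Resent-Sender, Resent-From, Sender, From". It also applies the RFC 4406 rule that a v=spf1 record is usable for the pra scope, which is the record-version conflict the status slide refers to.

```python
"""Offline SPF vs. Sender-ID evaluator (added example; zone data is constructed)."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed records keyed by domain; stands in for DNS SPF/TXT lookups.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip6:2001:db8::/32 -all",
    "lists.example.net": "spf2.0/pra ip4:203.0.113.5 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_record(domain, scope):
    """Return the record applicable to scope ('mfrom' or 'pra'), or None.
    RFC 4406 lets a Sender-ID checker use a v=spf1 record for either scope."""
    rec = ZONE.get(domain.lower())
    if rec is None:
        return None
    version = rec.split(" ", 1)[0]
    if version == "v=spf1":
        return rec
    if version.startswith("spf2.0/") and scope in version[7:].split(","):
        return rec
    return None


def check_host(client_ip, domain, scope, depth=0):
    """Evaluate ip4/ip6/include/all terms left to right; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    if depth > 10 or not domain:
        return "permerror"
    rec = lookup_record(domain, scope)
    if rec is None:
        return "none"
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # ipaddress returns False for a v4 address tested against a v6 network
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            if check_host(client_ip, arg, scope, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"  # a/mx/ptr/exists need live DNS; not modelled here
    return "neutral"  # record exhausted without a matching "all"


def spf_identity(helo, mail_from):
    """SPF checks rfc2821.MailFrom; an empty bounce address (<>) falls back to HELO."""
    addr = mail_from.strip("<> ")
    return addr.rsplit("@", 1)[1] if "@" in addr else helo


def pra_identity(message_text):
    """Sender-ID checks the PRA (RFC 4407, simplified): the first of
    Resent-Sender, Resent-From, Sender, From that is present."""
    msg = message_from_string(message_text)
    for field in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[field]:
            return parseaddr(msg[field])[1].rsplit("@", 1)[1]
    return None


def evaluate(client_ip, helo, mail_from, message_text):
    return {
        "spf": check_host(client_ip, spf_identity(helo, mail_from), "mfrom"),
        "sender_id": check_host(client_ip, pra_identity(message_text), "pra"),
    }


# Constructed messages: one sent directly by the author's domain, one relayed
# through a mailing list that adds a Sender: header but leaves MAIL FROM alone.
DIRECT = "From: Alice <alice@example.com>\nTo: bob@example.org\nSubject: hi\n\nhello\n"
VIA_LIST = "Sender: owner-talk@lists.example.net\n" + DIRECT

if __name__ == "__main__":
    print(evaluate("192.0.2.7", "mta.example.com", "<alice@example.com>", DIRECT))
    print(evaluate("203.0.113.5", "lists.example.net", "<alice@example.com>", VIA_LIST))
```

The second call is the instructive one: the same message relayed by the list host fails SPF, because the bounce address still names the author's domain, while Sender-ID passes, because the list's Sender: header moves the PRA to the list's domain. Which answer is "right" depends on which identity you wanted to hold accountable, which is the slide's point.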

9  Signature-based Schemes
DomainKeys Identified Mail (DKIM), mipassoc.org/dkim
  Identity: Independent (!) of the transit identities (usually tied to rfc2822.Sender)
  DNS RR: TXT
  Purpose: Sign message body plus selected headers; the verification key is published in DNS under the signing domain.
Bounce Address Tag Validation (BATV), mipassoc.org/batv
  Identity: rfc2821.MailFrom
  DNS RR: None required
  Purpose: Sign MailFrom. “Defines an extensible mechanism for validating the MailFrom address”
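BATV is the one scheme on the slide that needs no DNS at all: the sending site signs its own MailFrom, and only it needs to verify the tag when a bounce comes back, which is why the slide says it does not require interoperability. The code below is an added example, not the BATV draft's reference implementation. It uses the draft's prvs= layout (prvs=KDDDSSSSSS=user@domain, with K a key number, DDD the expiry day as days since the epoch mod 1000, and SSSSSS six hex digits of an HMAC), but the exact bytes fed to the HMAC (K, DDD and the original address) and the 7-day lifetime are this example's choices; check the draft before interoperating with anything else. The key and dates are constructed.

```python
"""Bounce Address Tag Validation, prvs= style (added example, not draft code)."""
import datetime
import hashlib
import hmac

EPOCH = datetime.date(1970, 1, 1)


def _day(when):
    """The DDD field: days since the epoch, mod 1000."""
    return (when.date() - EPOCH).days % 1000


def batv_sign(address, key, key_id=0, lifetime_days=7, now=None):
    """Rewrite the outbound MAIL FROM so that only bounces to a tagged,
    unexpired address will later be accepted."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if address.startswith("prvs="):
        return address  # never double-tag
    head = f"{key_id}{_day(now + datetime.timedelta(days=lifetime_days)):03d}"
    sig = hmac.new(key, f"{head}{address}".encode(), hashlib.sha1).hexdigest()[:6]
    return f"prvs={head}{sig}={address}"


def batv_check(address, keys, now=None):
    """Validate the recipient of an incoming bounce (RCPT TO when MAIL FROM is <>).
    Returns (status, original_address); status is one of
    'untagged', 'invalid', 'expired', 'valid'."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if not address.startswith("prvs="):
        return "untagged", address  # we never sent with this bounce address
    tag, _, original = address[5:].partition("=")
    if len(tag) != 10 or not tag[:4].isdigit() or not original:
        return "invalid", None
    key = keys.get(int(tag[0]))
    if key is None:
        return "invalid", original
    head, sig = tag[:4], tag[4:]
    expected = hmac.new(key, f"{head}{original}".encode(), hashlib.sha1).hexdigest()[:6]
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "invalid", original
    if (int(head[1:]) - _day(now)) % 1000 > 500:  # expiry day is behind us
        return "expired", original
    return "valid", original


if __name__ == "__main__":
    key = b"constructed-secret"  # constructed; in practice a per-site secret
    tagged = batv_sign("alice@example.com", key)
    print(tagged)
    print(batv_check(tagged, {0: key}))
    print(batv_check("alice@example.com", {0: key}))  # forged/backscatter bounce
```

The mailing-list breakage the next slide mentions follows directly from the layout: a list that recognises subscribers by their bounce address now sees a local part that changes with every key rotation and expiry day, so it has to learn to strip the prvs= prefix or it will treat posts as coming from a non-member.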

10  Strengths and Weaknesses
SPF
  Strengths: No client-side software
  Weaknesses: Limits transit sources and paths; admin and DNS query overhead; RR complexity
SID
  Strengths: No client-side software
  Weaknesses: Mostly the same as SPF; IPR (Microsoft)
CSV
  Strengths: Simple, direct, complete
  Weaknesses: No traction
DKIM
  Strengths: Not sensitive to path or source
  Weaknesses: Software changes; signature fragility
BATV
  Strengths: Does not require interoperability
  Weaknesses: No traction; some mailing lists (MLs) break
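"Signature fragility" for DKIM means that the body hash (bh=) is computed over a canonicalised body, and any relay that changes those bytes after signing breaks verification even though the path and source are irrelevant. The snippet below is an added example, not code from the presentation or from any DKIM library: it implements only the simple and relaxed body canonicalisations and the bh= computation (header canonicalisation and the RSA signature are left out), following the rules in RFC 6376 section 3.4, and runs them over constructed sample bodies to show which in-transit changes each signer choice survives. The mailing-list footer text and the messages are invented.

```python
"""DKIM body-hash fragility under simple vs. relaxed canonicalisation (added example)."""
import base64
import hashlib
import re


def canon_body_simple(body):
    """'simple': drop all trailing empty lines, then guarantee exactly one final CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def canon_body_relaxed(body):
    """'relaxed': strip trailing WSP on each line, collapse runs of WSP to one
    space, then apply the simple trailing-empty-line rule."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
    return canon_body_simple("\r\n".join(lines))


def body_hash(body, canon="relaxed", length=None):
    """Return (bh= value, number of bytes hashed). 'length' models the l= tag."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    data = canon_fn(body).encode()
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode(), len(data)


# Constructed body as signed, and two modifications made after signing.
ORIGINAL = "Hello Bob,\r\n\r\nSee you  Friday.\r\n"
RESPACED = "Hello Bob, \r\n\r\nSee you\tFriday.\r\n\r\n"  # a relay touched whitespace
FOOTERED = ORIGINAL + "--\r\nTalk list: reply to the list, not the author\r\n"


def fragility_report():
    """Which signer choices survive which in-transit modification."""
    bh_simple, _ = body_hash(ORIGINAL, "simple")
    bh_relaxed, signed_len = body_hash(ORIGINAL, "relaxed")
    return {
        "whitespace_survives_simple": body_hash(RESPACED, "simple")[0] == bh_simple,
        "whitespace_survives_relaxed": body_hash(RESPACED, "relaxed")[0] == bh_relaxed,
        "footer_survives_relaxed": body_hash(FOOTERED, "relaxed")[0] == bh_relaxed,
        # l= lets the signed prefix verify with a footer appended, at the price
        # of letting anyone append content that rides under the signature.
        "footer_survives_with_l": body_hash(FOOTERED, "relaxed", length=signed_len)[0] == bh_relaxed,
    }


if __name__ == "__main__":
    for check, ok in fragility_report().items():
        print(f"{check}: {ok}")
```

Relaxed canonicalisation absorbs the whitespace changes that gateways and relays commonly make, but nothing short of the l= length limit survives a mailing-list footer, and l= is a trade-off a signer should make deliberately, since it leaves the appended region unsigned.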

11  IETF Status
- SPF: WG dead due to lack of rough consensus; “Experimental” status stalled on appeal, due to RR version conflict with SID
- SID: Same as SPF
- CSV: Stalled
- DKIM: WG forming; delayed for “threat analysis”
- BATV: Stalled