
Anti-spam Specification from IETF

Implicit trust is a problem with a number of Internet protocols, and SMTP is a prime example: a receiving mail server has no way to check that a message really came from the domain named in its From: header. By exploiting that trust, spammers and phishers have had their way with spoofed emails. The pending adoption of DomainKeys Identified Mail (DKIM) looks more likely with the Internet Engineering Task Force's specification release yesterday.

This raises the bar on spammers and phishers, who have had it easy because nothing in SMTP verifies the sender a message claims; the only thing a receiver can really check today is the IP address of the connecting host, and that says nothing about the domain in the From: header. Getting your hands on a domain's private key and producing a valid digital signature is a lot more challenging than writing someone else's address into a message.

Adoption won't be impeded by dependence on new protocols. As New Antiphishing, Antispam Specifications Unveiled points out:

The DomainKeys project was particularly innovative because it specified the use of domain names rather than IP addresses to authenticate senders, Crocker said. DomainKeys also used the existing Domain Name System (DNS) to transmit the public keys needed for encryption, rather than adding yet another infrastructure layer.

This may be the case where a relatively small change can have a big impact. One precision the quote glosses over: the key published in DNS (a TXT record at selector._domainkey.domain) is used only to verify signatures; DKIM encrypts nothing. Of course, spammers and phishers will adapt. A valid DKIM signature proves only that the named domain signed the message, not that the domain is trustworthy, so a spammer can register a throwaway domain, publish a key and sign his own mail perfectly well; the weight then falls on reputation data and whitelists, and perhaps they'll find ways to compromise those whitelists so spam is accepted as legitimate, or some other way to break the system. That kind of back and forth of attack, countermeasure, new attack is a constant in security.
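To make concrete what the domain-based, keys-in-DNS approach described above actually involves, here is an added example in Go; it is not code from this post, from the IETF specification or from any DKIM implementation. It signs a constructed message and then verifies it the way a receiving mail server would: the public key is published as a DKIM key record under a hypothetical selector s1 at s1._domainkey.example.com, with an in-memory map standing in for the DNS lookup so the program runs offline; the signature covers the From, To, Subject and Date fields plus a hash of the body; and rewriting the From: line after signing makes verification fail. It follows the specification's RSA-SHA256 algorithm and "simple" canonicalization for headers and body. The message, domain, selector and key are assumptions for the example, not anything from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical signing domain and selector; fakeDNS stands in for the <selector>._domainkey.<domain> TXT lookup.
const domain, selector = "example.com", "s1"

var fakeDNS = map[string]string{}

// Headers is the ordered list of {name, value} fields of a message; values carry no trailing CRLF.
type Headers [][2]string

// GenerateAndPublish creates an RSA key pair and publishes the public half as a DKIM key record
// ("v=DKIM1; k=rsa; p=<base64 DER SubjectPublicKeyInfo>"), the format a real verifier fetches from DNS.
func GenerateAndPublish() (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	fakeDNS[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return priv, nil
}

// parseTags splits the "k=v; k=v" list used by both the signature field and the key record.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// bodyHash: "simple" body canonicalization (drop trailing empty lines, end with one CRLF), then base64 SHA-256 for bh=.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerDigest hashes what the RSA signature covers: for each name in h=, the bottom-most matching field
// verbatim ("simple" canonicalization) plus CRLF, then the DKIM-Signature field with b= empty and no CRLF.
func headerDigest(h Headers, names []string, sigNoB string) []byte {
	var sb strings.Builder
	for _, n := range names {
		for i := len(h) - 1; i >= 0; i-- {
			if strings.EqualFold(h[i][0], n) {
				sb.WriteString(h[i][0] + ": " + h[i][1] + "\r\n")
				break
			}
		}
	}
	sum := sha256.Sum256([]byte(sb.String() + "DKIM-Signature: " + sigNoB))
	return sum[:]
}

// Sign returns the DKIM-Signature field value covering the named headers and the body.
func Sign(h Headers, body string, priv *rsa.PrivateKey, names []string) (string, error) {
	noB := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, strings.Join(names, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerDigest(h, names, noB))
	if err != nil {
		return "", err
	}
	return noB + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks as a receiving MTA would: body hash, then the key fetched by selector and domain, then the header signature.
func Verify(h Headers, body string) error {
	if len(h) == 0 || !strings.EqualFold(h[0][0], "DKIM-Signature") {
		return errors.New("no DKIM-Signature field")
	}
	t := parseTags(h[0][1])
	if t["bh"] != bodyHash(body) {
		return errors.New("body hash mismatch: body was altered")
	}
	rec, ok := fakeDNS[t["s"]+"._domainkey."+t["d"]]
	if !ok {
		return fmt.Errorf("no key record at %s._domainkey.%s", t["s"], t["d"])
	}
	der, _ := base64.StdEncoding.DecodeString(parseTags(rec)["p"]) // a corrupt record fails the parse below
	anyPub, err := x509.ParsePKIXPublicKey(der)
	pub, ok := anyPub.(*rsa.PublicKey)
	if err != nil || !ok {
		return errors.New("key record does not hold a usable RSA public key")
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"]) // a corrupt b= fails the verify below
	// b= is the last tag as this signer writes it, so removing its value is a suffix trim.
	digest := headerDigest(h, strings.Split(t["h"], ":"), strings.TrimSuffix(h[0][1], t["b"]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) != nil {
		return errors.New("header signature invalid: a signed field was altered or the key is wrong")
	}
	return nil
}

// SampleMessage is constructed for the example, not captured mail.
func SampleMessage() (Headers, string) {
	h := Headers{{"From", "Alice <alice@example.com>"}, {"To", "bob@example.net"},
		{"Subject", "Quarterly numbers"}, {"Date", "Mon, 01 May 2006 10:00:00 +0000"}}
	return h, "Bob,\r\nThe figures are attached.\r\n\r\n"
}

func main() {
	priv, err := GenerateAndPublish()
	if err != nil {
		panic(err)
	}
	h, body := SampleMessage()
	sig, err := Sign(h, body, priv, []string{"From", "To", "Subject", "Date"})
	if err != nil {
		panic(err)
	}
	h = append(Headers{{"DKIM-Signature", sig}}, h...)
	fmt.Println("as signed:", Verify(h, body))
	h[1][1] = "Alice <alice@example.com.attacker.test>" // From sits at index 1 behind the prepended signature
	fmt.Println("after rewriting From:", Verify(h, body))
}
```

Run it with go run: the first Verify reports no error and the second reports the header-signature failure. Two things are worth noticing. First, verification needs nothing beyond a DNS query for s=/d= named in the signature, which is the "no new infrastructure" point from the quote. Second, note what the check does and does not prove: a valid signature says that example.com's signer produced exactly this From, To, Subject, Date and body, and nothing more; a spammer who controls attacker.test can publish his own key and sign his own mail just as validly, which is why DKIM has to be paired with reputation data and whitelists rather than replacing them.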


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net