May 11
How to Steal Reputation
Much as the term “pre-header” is now locked into email marketing parlance even though what it describes is neither pre- nor header, the term “reputation hijacking” continues to spread through the anti-spam community and the press.
“Reputation hijacking” is intended to describe when a spammer or other bad actor uses someone else’s system — usually one of the large webmail providers — to send their spam. The idea is that in doing so, they’re hijacking the reputation of the webmail provider’s IPs instead of risking the reputation of IPs under their own control. But I really have to laugh (though mostly out of sadness) whenever this technique is described as something new.
The first spam I dealt with, way back in the mid-nineties, was sent by a user on a shell server. So was nearly all of the other spam of that era. Some was sent via Compuserve, AOL, Prodigy, etc., but it was all from what today we’d call an individual end user’s email account.
Then some of the spammers realized they could get dedicated servers — and that worked for a while. …
Categories: Commentary
Mar 24
Searching for Truth in DKIM: Part 5 of 5
Throughout this series of articles we’ve been talking about DKIM, and what a valid DKIM signature actually means.
Part 1 explained that the DKIM “d=” value identifies the domain name which signed the message, which may be different from the author of the message. Part 2 described how the author domain can gain some control over whether any other domain name should ever sign a message purporting to be From: that author domain. Part 3 discussed how the reputation of a d= domain leads to a reliable determination of trustworthiness, while Part 4 reminded us that truth cannot be assumed until trust is certain.
What this means for senders (of any type) is that …
Categories: Explanation
Mar 23
Searching for Truth in DKIM: Part 4 of 5
Once you’ve determined that you can trust the signer of a message, as we discussed in part 3, it’s easy to extrapolate that various portions of the message are equally trustworthy. For example, when there’s a valid DKIM signature, we might assume that the From: header isn’t spoofed. But in reality, DKIM only tells us two basic things:
- Does the message have a valid signature? (yes or no)
- Which identifier signed the message? (the d= domain)
DKIM uses a cryptographic signature based on a hash of the message, so if the signature is valid, we also know that the message wasn’t changed in any way between the time it was signed and the time the signature was verified. What we don’t know, and can’t know, is what happened — intentionally or unintentionally — before it was signed.
For example, I could write a message where I claim to be Joshua Norton, Emperor of these United States and Protector of Mexico. It’ll be signed when I send it to you. But DKIM doesn’t tell you if it’s true …
Categories: Explanation
Mar 17
Searching for Truth in DKIM: Part 3 of 5
Last year, MAAWG published a white paper titled Trust in Email Begins with Authentication, which explains that authentication (DKIM) is “[a] safe means of identifying a participant, such as an author or an operator of an email service,” while reputation is a “means of assessing their trustworthiness.”
Regular readers of this blog already know that reputation systems based on IP addresses, including our Sender Score, are used by many ISPs and anti-spam vendors to determine which mail to accept, which to reject, and which to subject to additional filtering before making a delivery decision. There, the identifier is the IP address.
The reason this sort of reputation works for delivery decisions is that it’s an attempt to measure whether the sender of a message can be trusted to send mail that the recipients want — or, more accurately, whether the IP address of a message can be trusted to send mail that the recipients won’t complain about. We also mix in the concept of safety, largely in the form of how likely it is that the IP address is sending phishing scams or similar bad stuff. …
Categories: Explanation
Mar 12
Searching for Truth in DKIM: Part 2 of 5
In part 1, we explained that the DKIM “d=” value identifies the domain name which signed the message, which may be a different domain name from the author of the message.
Tying the signing and author domains together requires an additional standard: Author Domain Signing Practices (ADSP). In IETF parlance, the “author domain” is the domain name in the From: header, so ADSP is a way for the author domain to publish a statement specifying whether any other domain name should ever sign a message purporting to be From: that author domain….
Categories: Explanation
Mar 9
Searching for Truth in DKIM: Part 1 of 5
DomainKeys Identified Mail (DKIM) is the leading email authentication technology, supported by major ISPs including Google, AOL, and Yahoo! (who invented its predecessor), popular mail server software like Sendmail, and many of the best minds in email technology. But if you peruse the archives of the IETF DKIM mailing list, or start up a conversation at MAAWG, it might appear that there’s still a lot of disagreement about what a DKIM signature actually means.
Often, anyone attempting to describe authentication turns to analogies: a driver’s license, or a license plate on a car, or a passport — all saying that you are who you say you are, but not (by themselves) proving that you’re trustworthy. The trust measurement is external to DKIM: a reputation score, or third-party certification status.
But what, exactly, is being trusted? What’s being measured? …
Categories: Explanation
Jan 27
Yahoo! Deja Vu
I worked as an anti-spam product manager at Yahoo! for a few years, and (among other things) designed their Complaint Feedback Loop — both the initial long-running “beta” implementation, and many improvements which (for various reasons) never made it past the design phase. Then when it came time to try my hand at something else, I moved to Return Path and immediately became involved in designing the Yahoo! Complaint Feedback Loop signup interface we announced last week, in partnership with my old friends and colleagues in Sunnyvale.
I must admit to feeling some trepidation when I found myself working on this same product once again. Albert Einstein is said to have defined insanity as “doing the same thing over and over again and expecting different results” — and that’s exactly what I was doing. I’d been involved in creating the Hotmail Junk Mail Reporting system — their complaint feedback loop — around 2003, and worked on a handful of others more recently here at Return Path. Frankly, for me, complaint feedback loops — from the ISP side — are very old hat.
What’s kept me relatively sane is that each time, there’s something different. We had a lot of fun talking over the ramifications of Yahoo!’s choice to route complaints based on authenticated domain rather than the last-hop IP address like most. This time, most of the industry has a better sense of how DK and DKIM work, so the questions you’ve been asking are different.
Without a doubt, the most common question thus far has been: what happens if you’d previously subscribed to Yahoo!’s “old” feedback loop? Easy: that’ll continue to work…
Categories: Commentary
Dec 6
The (Possible) Future of International Spam Laws
After more than a decade of fits and starts, fear and doubt, lies and lobbying, legislative attention towards spam now seems to arrive in regular waves. Our friend Dennis Dayman reports on deliverability.com that a new law has taken effect in Israel, requiring (in short) opt-in — and so according to the International Herald Tribune, Israeli marketers were rushing to re-confirm questionable subscriptions before the deadline this past Monday. In Canada, Internet law expert Michael Geist lambasted his government for continuing to fail to pass any anti-spam legislation, four years after he and the National Task Force on Spam — which also included our own Neil Schwartzman — strongly urged them to take immediate action. And this week at the Internet Governance Forum in Hyderabad, I’ve heard representatives from more than a dozen governments from all over the world discussing not whether “cyber crime” legislation is necessary, but rather how it should be formulated to fit their local legal standards and culture.
Even in the United States, with both foes and supporters of the incoming administration waiting to learn what President Obama and his staff will do, there are clear signs that …
Categories: Commentary
Nov 26
Clearly Chimps Understand Email Marketing
Over the past 35 years, scientific research has found that human beings and chimpanzees share approximately 94% of our DNA, the basic structures that define how we grow and evolve. This study caused a bit of a shock when it was released: our collective belief that we’re vastly different from and superior to our hairier, dumber cousins was shaken.
But some research is less surprising, nearly as evident to us thinking beings as the use of tools. Earlier this week, our supremely intelligent partners Mail Chimp published the results of a study showing that mailing to an old or inactive list leads inexorably to complaints, unknown users, spamtraps — all the ingredients of the kind of deliverability problem that’ll cause the monkey in the mirror to jump up and down angrily. …
Categories: Commentary
Nov 19
AOL’s Plans for Domain Reputation
With every new technology, there are a few people who fully grok not only where it stands now, but where it’s going — who will be using it, and how. In our case, these are people whose thinking about reputation is so far ahead of the rest of the industry that if we had had them as speakers at our IN conference a few weeks ago, and they had revealed their visions of the future, everyone’s heads would have exploded!
One of these is my friend Mike Adkins, who works on authentication and reputation for AOL. AOL has always been a leader in the industry, and Mike and I — along with Dave Crocker, and other smart folks — have been talking about the inevitable and much-needed intersection of authentication and reputation at MAAWG for the past few years. One of the recurring difficulties with this or any complex new technology is that it’s new: there are no existing “best practices” and everyone is worried about making the first mistakes. Mike’s fed up with this — as are we all — and he has decided to put a sharp wooden stake into the heart of the problem. Recently, he’s been talking very candidly with the industry about AOL’s future plans. The plans may change, he says, but this is their starting point — and anyone who wants to continue sending mail to AOL’s subscribers, or to understand the direction the rest of the industry is likely to take, needs to pay attention.
I tend to get overly wordy and perhaps somewhat theoretical when talking about this topic, so Return Path’s marketing team has condensed what we understand of AOL’s plan into a few simple bullet points …
Categories: Explanation, News