SMTPi authenticates e-mail senders
By Ambika Gadre
Network World, 04/19/04
A deluge of spam, crippling viruses and e-mail forgeries such as "phishing" schemes is threatening the value of electronic messaging as a critical communications tool. The root cause of these problems is the inherent anonymity of the e-mail standard Simple Mail Transfer Protocol.
Because the protocol was designed 20 years ago, when spam was still only a canned meat and viruses only infected humans, it is all too easy for an illicit sender to deliver unsolicited or hostile mail under the guise of being legitimate.
SMTPi is an initiative for a next-generation e-mail infrastructure. It has a three-part framework that includes the essential components - identity, reputation and policy - of a new, secure messaging system built on top of SMTP. The "i" stands for identity. Migrating to an identity- and reputation-based mail system will enforce sender accountability and eliminate many challenges with e-mail.
Identity
Accurately establishing a sender's identity lets e-mail recipients make confident decisions about how to treat incoming mail based on a sender's reputation. Doing so would make it easier to keep spam out of the recipient's in-box.
Building a universal identity mechanism for e-mail is a major undertaking and will be done in phases.
Initial server-level identity mechanisms rely on a sender's IP address. An IP address is verifiable and manageable, and is nearly impossible to forge because it is established via a TCP/IP connection. If the IP address is altered, a two-way SMTP conversation would not take place because the return packets required to continue the SMTP conversation could not be routed to the actual sending IP address.
Over the next few years, domain-level identity will be deployed using standards such as Sender Policy Framework, Caller-ID and DomainKeys, but each of these approaches has trade-offs.
The best solution, yet the least-developed, is the use of cryptographic headers that would let users identify themselves at multiple levels - as individuals, organizations and corporations.
Reputation
A sender's reputation can be tracked by monitoring his mailing history. A sender reputation service tracks a range of measurable parameters such as volume of mail sent globally, complaints, country of origin, presence of an open proxy or relay, proper DNS configuration and other related data. These parameters are used to assess a sender's reputation.
Unlike blacklists, which are in effect first-generation reputation services, the current crop of second-generation reputation services such as SenderBase provide detailed data (a reputation score ranging from minus-10 to plus-10) that lets recipients choose their own policies and thresholds. SenderBase is an open service that system administrators and open source spam filters can access at no charge.
Policy
After authenticating an e-mail sender and establishing his reputation, e-mail receivers need a way to apply appropriate mail policies based on that knowledge.
Today, most mail gateways process all incoming mail through spam filters. This method increases infrastructure costs and reduces the effectiveness of catching spam.
An effective mail policy solution supports variable response that's based on the quality and trustworthiness of the mail source. Mail from known good senders can be routed around spam filters, mail from known bad senders can be deleted, and mail from suspicious senders can be throttled and sent through highly sensitive spam filters.
As SMTPi continues to propagate, receivers of e-mail will apply stricter limits on mail originating from a source that does not have an identity and a reputation. This migration toward an identity- and reputation-based e-mail system will make e-mail safer and more reliable.
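The variable-response policy described above, sketched as an added example that is not part of the original article or of any SMTPi product. The thresholds, hourly limits, tier and action names and the reputation table are assumptions; throttling is modelled here as a one-hour sliding window per connecting IP.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed reputation data keyed by connecting IP (server-level identity).
# Scores use the minus-10 to plus-10 range; addresses are documentation ranges.
REPUTATION = {
    "192.0.2.10": 8.5,     # known good sender
    "198.51.100.7": -9.0,  # known bad sender
    "203.0.113.44": -1.5,  # suspicious sender
}

@dataclass
class MailPolicy:
    # Thresholds and rates are assumptions; each receiver picks its own.
    trusted_at: float = 5.0
    blocked_at: float = -7.0
    suspect_per_hour: int = 3
    unknown_per_hour: int = 1   # stricter limit: no identity, no reputation
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def classify(self, peer_ip):
        score = REPUTATION.get(str(ip_address(peer_ip)))
        if score is None:
            return "unknown"
        if score >= self.trusted_at:
            return "good"
        if score <= self.blocked_at:
            return "bad"
        return "suspicious"

    def handle(self, peer_ip, now):
        """Action for one message from peer_ip at time `now` (seconds)."""
        tier = self.classify(peer_ip)
        if tier == "good":
            return "deliver-unfiltered"   # routed around the spam filters
        if tier == "bad":
            return "delete"
        limit = self.suspect_per_hour if tier == "suspicious" else self.unknown_per_hour
        window = self._seen[str(ip_address(peer_ip))]  # normalised address
        while window and now - window[0] >= 3600:      # drop entries older than 1 h
            window.popleft()
        if len(window) >= limit:
            return "defer"                # throttled: over the hourly limit
        window.append(now)
        return "strict-filter"            # sent through the sensitive filters
```

Normalising the address before it is used as a key keeps different spellings of the same IPv6 address from being counted as separate senders.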
This mailing has been performed by Aavex Technology Corporation, 42w588 Still Meadows Lane, Elburn IL 60119 USA, 630-365-0025, in compliance with the "CAN-SPAM Act of 2003", approved and signed by the president of The United States of America on Dec. 16, 2003. For this reason, this email cannot be considered SPAM. This newsletter contains commercial advertisement.