Simple Email System with Four Actors
|--- Sender's Network ---| |-- Recipient's Network -|
Author ==> MSA/Transmitter --> / --> Receiver/MDA ==> Recipient
See MHS Models for more models and terminology.
Envelope Addresses (used by mail system):
The Helo Name identifies an MTA requesting a mail session. The identity of the Agent responsible for this session is usually the last few parts of the Helo Name. This should be a registered domain name.
    HELO this is server7.dallas.texas.mailsystem.us
The Return Address identifies the Author of each message in the session.
    I have mail from firstname.lastname@example.org
Header Addresses (for users' convenience):
The From Address is how the author would like his address to be seen by the Recipient.
The Reply-To Address allows the author to designate a different address for replies.
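To make the distinction between envelope and header identities concrete, here is an added example (not part of the original page) that pulls the Helo Name and Return Address out of a constructed SMTP command sequence and the From and Reply-To addresses out of the constructed message that follows DATA. The session lines, the message, and the two-label rule for the "registered domain" are assumptions made for the example; a receiver comparing these identities treats a mismatch as a signal to weigh, since legitimate mailing lists and outsourced senders routinely produce one.

```python
import email
import re
from email import policy

# Constructed SMTP command sequence as a receiver would see it (not a real capture).
SESSION = [
    "HELO server7.dallas.texas.mailsystem.us",
    "MAIL FROM:<firstname.lastname@example.org>",
    "RCPT TO:<recipient@example.net>",
    "DATA",
]

# Constructed message transmitted after DATA; header addresses live here.
MESSAGE = (
    "From: Jane Author <jane@example.com>\r\n"
    "Reply-To: replies@example.net\r\n"
    "To: recipient@example.net\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)


def registered_domain(name, labels=2):
    """Last `labels` labels of a host name, e.g. 'mailsystem.us'.
    Real public-suffix handling is more involved; two labels is an assumption here."""
    parts = name.lower().strip(".").split(".")
    return ".".join(parts[-labels:])


def address_domain(addr):
    """Domain part of an email address (lower-cased), '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if addr and "@" in addr else ""


def envelope_identities(session):
    """Helo Name and Return Address come from the SMTP commands, not the message."""
    helo = return_addr = None
    for line in session:
        m = re.match(r"^(?:HELO|EHLO)\s+(\S+)", line, re.I)
        if m:
            helo = m.group(1)
        m = re.match(r"^MAIL FROM:\s*<([^>]*)>", line, re.I)
        if m:
            return_addr = m.group(1)
    return {"helo_name": helo, "return_address": return_addr}


def header_identities(raw):
    """From and Reply-To come from the message header block."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_hdr, reply_hdr = msg["From"], msg["Reply-To"]
    return {
        "from_address": from_hdr.addresses[0].addr_spec if from_hdr else None,
        "reply_to_address": reply_hdr.addresses[0].addr_spec if reply_hdr else None,
    }


def summarize(session, raw):
    """Collect all four identities and note whether envelope and header domains agree."""
    ids = {**envelope_identities(session), **header_identities(raw)}
    ids["helo_domain"] = registered_domain(ids["helo_name"]) if ids["helo_name"] else ""
    ids["return_domain"] = address_domain(ids["return_address"])
    ids["from_domain"] = address_domain(ids["from_address"])
    # A disagreement is a signal to weigh, not a verdict: lists and outsourced
    # senders legitimately use a Return Address in their own domain.
    ids["return_matches_from"] = ids["return_domain"] == ids["from_domain"]
    return ids


if __name__ == "__main__":
    for key, value in summarize(SESSION, MESSAGE).items():
        print(f"{key:20} {value}")
```

Running the script prints the four identities side by side; in the constructed input the Helo domain, Return Address domain and From domain are three different parties, which is exactly the situation the IP-based and signature-based methods below are designed to sort out.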
IP-based (SPF, SenderID, CSV, PTR)
- check the IP address of the transmitter
- fast, minimum mail-transfer overhead
Signature-based
- cryptographically verify the entire message including headers and body
- end-to-end protocol allows arbitrary forwarding
- high security
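The following added example (not code from the original page) shows why a signature over selected headers and the body survives forwarding while detecting tampering. It is a toy scheme: the HMAC with a shared key stands in for the public-key signature a real scheme such as DKIM publishes in DNS, and the "X-Example-Signature" header, its h= and s= tags, the canonicalization rules and the message text are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed shared secret standing in for the signer's private key. A real
# scheme publishes a public key so any receiver can verify; HMAC is used here
# only to keep the example dependency-free.
SIGNING_KEY = b"example-signing-key"
SIGNED_HEADERS = ["from", "to", "subject", "date"]   # header names covered by the signature

# Constructed message; nothing here is from a real mailbox.
ORIGINAL = (
    "From: Jane Author <jane@example.com>\r\n"
    "To: recipient@example.net\r\n"
    "Subject: hello\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 +0000\r\n"
    "\r\n"
    "Meet at noon.\r\n"
)


def split_message(raw):
    """Split a message into [(name, value)] headers and the body.
    Canonicalization: header names lower-cased, runs of whitespace collapsed."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), " ".join(value.split())))
    return headers, body


def last_header(headers, name):
    """Value of the last occurrence of a header, '' if absent."""
    for n, v in reversed(headers):
        if n == name:
            return v
    return ""


def digest_input(headers, body, names):
    """Bytes covered by the signature: the listed headers plus a hash of the body."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    lines = [f"{n}:{last_header(headers, n)}" for n in names]
    lines.append(f"bh={body_hash}")
    return "\n".join(lines).encode()


def sign(raw):
    """Prepend a signature header listing which headers it covers (h=) and the tag (s=)."""
    headers, body = split_message(raw)
    tag = hmac.new(SIGNING_KEY, digest_input(headers, body, SIGNED_HEADERS), hashlib.sha256).hexdigest()
    return f"X-Example-Signature: h={':'.join(SIGNED_HEADERS)}; s={tag}\r\n" + raw


def verify(raw):
    """Recompute the tag over the headers the signature names and the current body."""
    headers, body = split_message(raw)
    m = re.search(r"h=([^;]+);\s*s=([0-9a-f]{64})", last_header(headers, "x-example-signature"))
    if not m:
        return False
    names = m.group(1).split(":")
    expected = hmac.new(SIGNING_KEY, digest_input(headers, body, names), hashlib.sha256).hexdigest()
    return hmac.compare_digest(m.group(2), expected)


def forwarded(signed):
    """A forwarding hop adds a Received header (and changes the envelope, which is
    not part of the message); the signed headers and body are untouched."""
    return "Received: from relay.example.net by mx.example.org\r\n" + signed


def tampered(signed):
    """Any change to the body breaks the body hash and so the signature."""
    return signed.replace("Meet at noon.", "Meet at nine.")


if __name__ == "__main__":
    signed = sign(ORIGINAL)
    print("original  :", verify(signed))
    print("forwarded :", verify(forwarded(signed)))
    print("tampered  :", verify(tampered(signed)))
```

The design point is that the receiver checks only what the signer chose to cover, so hops that add headers and rewrite the envelope do not disturb the result; the cost, relative to the IP-based methods, is that the whole message must be received and hashed before a verdict is possible.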
Barriers to adoption of authentication methods
Hurdles that authentication methods must avoid or overcome, in order of decreasing severity:
1) Required simultaneous upgrades in software or setup. (Flag Day)
2) Required widespread adoption by Agents before any benefit is realized by Recipients.
(The "chicken-and-egg" problem)
3) Required widespread adoption of one company's method or service.
4) Changes that cause a temporary degradation in service.
(Don't worry, things will get better when deployment is complete.)
5) Changes in current practices.
a) A well-established and standards-compliant practice.
b) A widespread but non-standardized practice. ("Misuse" of Return Address)
c) A widespread but non-compliant practice. (bad HELO name)
d) An already unacceptable practice. (open relays)
6) Costs to senders.
a) Loss of mail due to mistakes by others. (SPF "forwarding problem")
b) Registration fees or administrative costs.
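The IP-based check described earlier and the SPF "forwarding problem" in item 6a can be shown with one small evaluator. This is an added example, not the page's own code or a full SPF implementation: it handles only the ip4, ip6 and all mechanisms with their qualifiers (the real specification, RFC 7208, adds include, a, mx, exists, redirect and lookup limits), and the TXT records, IP addresses and domain names are constructed stand-ins for DNS data.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (no network access).
TXT_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.com": "v=spf1 ip4:203.0.113.0/24 ~all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT query; returns the record or None."""
    return TXT_RECORDS.get(domain.lower())


def check_spf(client_ip, return_address):
    """Simplified SPF evaluation of the transmitter's IP against the
    Return Address domain. Only ip4/ip6/all are implemented; any other
    mechanism yields 'permerror' in this example."""
    ip = ipaddress.ip_address(client_ip)
    domain = return_address.rsplit("@", 1)[-1]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # Version mismatch (v4 address vs v6 network) simply does not match.
                if ip in ipaddress.ip_network(value, strict=False):
                    return RESULTS[qualifier]
            except ValueError:
                return "permerror"
        elif name == "all":
            return RESULTS[qualifier]
        else:
            return "permerror"               # unsupported mechanism in this example
    return "neutral"                         # no mechanism matched and no 'all'


def forwarding_scenario():
    """The same message with the same Return Address delivered twice: directly
    from the author's transmitter, and via a forwarder that keeps the original
    MAIL FROM. The forwarder's IP is not in the author's domain's record, so the
    second delivery fails even though the author did nothing wrong."""
    return_address = "firstname.lastname@example.org"
    return {
        "direct": check_spf("192.0.2.25", return_address),      # author's transmitter
        "forwarded": check_spf("198.51.100.7", return_address),  # forwarder's transmitter
    }


if __name__ == "__main__":
    for path, verdict in forwarding_scenario().items():
        print(f"{path:10} {verdict}")
```

The check needs only the client IP and the envelope Return Address, which is why it can run before the message body is transferred; the price is that any hop which re-sends the message from a new IP while keeping the original Return Address turns a legitimate message into a fail, the loss of mail "due to mistakes by others" listed above.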
Economics of email abuse
$200B annual benefit of email
$20B cost of abuse
    100M users x ($0.25/day deleting spam + $100/yr false rejects)
$2B benefit to anti-spam industry
    100 companies x $20M/yr
$0.2B benefit to spammers
    10K spammers x $20K/yr
$0.02B cost of an effective authentication/reputation system
    10M users x $2/yr
    100K companies x $200/yr (90% internal, 10% external services)
It is difficult to get a man to understand something when his salary depends on his not understanding it. -- Upton Sinclair