A couple of days ago I received an email from PayPal titled “New PayPal Plug-In – Shop anywhere online.” That struck me as kind of suspicious, so I looked at the mail headers. The headers showed the message did originate with PayPal’s servers, and more importantly it contained a domain key (DKIM). According to Wikipedia, “DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity” through the use of a cryptographic hash.
If I had to dive into the headers to determine the message’s validity, how would a normal user fare? Are there mail clients that would have automatically verified DomainKeys and SPF for me?
A quick Google found a product called Iconix. Iconix works with Outlook, Outlook Express and a bunch of webmail providers (No Thunderbird support) to take the guesswork out of which messages are real.
Once installed, Iconix looks at SPF/SenderID and DomainKeys to determine message authenticity. Next it looks at message identification: this is a list of companies that have paid Iconix and registered with them. If both are verified, then the message’s “display From” will be altered to present a logo of the sending organization’s choosing. This allows recipients to tell at a glance that the message is from who it says it is.
Iconix at first appeared to be a great solution. It’s been reviewed in several trade publications. I didn’t immediately find anyone disparaging them online. Iconix is installed software. As such you do wonder a bit about privacy and security implications. Their FAQ does say that the sender’s email address is sent to Iconix.
The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate the DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, “how can Ma and Pa Kettle obtain a reasonable level of trust in email”, it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could.
While Iconix is not available for Thunderbird, there are other solutions that plug in to Thunderbird for SPF and DomainKey validation.
- update – 6/11 – fixed above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.
Posts tagged ‘DomainKeys’
Iconix Phishing Protection
eWeek Article misinforms readers on Yahoo Domain Keys
“Scammers Exploit DomainKeys Anti-phishing Weapon.” So screams the headline in a recent eWeek article.
Oh boy. Here we go again. Another uninformed article from a tech writer who couldn’t learn from the response to the uninformed articles about spammers abusing SPF. These articles are really dangerous. They lack any understanding about what SPF and Yahoo! Domain! Keys! actually are intended to accomplish. The articles are read by decision makers and implementers who haven’t taken the time to read up on these new technologies and they take the article at face value.
eWeek has an area for comments on its articles. One insightful comment is purportedly by Dave Anderson, CEO of Sendmail. He says “Authentication does not prevent fraud. It does not prevent spam. It does prevent impersonation. None of the proponents has ever suggested otherwise. Once we have email authentication we know who is sending emails and can take many actions to prevent abuse.”
It isn’t a shock to anyone but these tech writers that an open standard, which can be used by anyone, is used by a spammer. Merely having an SPF record or a Domain Key should not grant passage to a message. Instead, it verifies the source of the message.
The article mentions spammers using domain keys with a Yahoo account. Great! If every spammer did that, when you saw a Yahoo return address, you would be guaranteed the spam came through the Yahoo system and you know who to complain to.
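The distinction above between authenticating a sender and trusting one, as an added Python example (not code from this post or from Iconix). It reads the `Authentication-Results` header written by the receiving mail server and then applies a separate known-sender list, the same two-stage idea as Iconix's verification plus registration. The server name, the sender list, the sample messages and the exact-match domain comparison are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.net"        # assumed: name our own receiving MTA stamps
KNOWN_SENDERS = {"bank.example"}      # assumed: locally vetted sender domains
PASS_RE = re.compile(
    r"\b(?:spf|dkim)=pass\b.*?\b(?:smtp\.mailfrom|header\.d)=(\S+)", re.S)

def authenticated_domains(msg):
    """Domains that passed SPF or DKIM according to our own MTA's header."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip() != AUTHSERV_ID:
            continue                  # written by someone else: may be forged
        for clause in results.split(";"):
            m = PASS_RE.search(clause)
            if m:
                passed.add(m.group(1).rpartition("@")[2].lower())
    return passed

def classify(raw):
    """Authentication proves the source; the known list decides trust."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in authenticated_domains(msg):   # exact match only
        return "unauthenticated"      # From domain not proven by SPF or DKIM
    if from_domain in KNOWN_SENDERS:
        return "authenticated-known"
    return "authenticated-unknown"    # real source, no reputation: still filter

def sample(from_addr, *auth_headers):  # builds constructed test messages
    lines = [f"From: {from_addr}"]
    lines += [f"Authentication-Results: {h}" for h in auth_headers]
    return "\n".join(lines) + "\n\nbody\n"

KNOWN = sample("service@bank.example",
               "mx.example.net; spf=pass smtp.mailfrom=bounce@bank.example;\n"
               " dkim=pass header.d=bank.example")
SPAMMER = sample("deals@bulk-offers.example",      # valid DKIM, unknown sender
                 "mx.example.net; dkim=pass header.d=bulk-offers.example")
FORGED = sample("service@bank.example",            # From does not match signer
                "mx.other.example; dkim=pass header.d=bank.example",
                "mx.example.net; dkim=pass header.d=bulk-offers.example;"
                " spf=fail smtp.mailfrom=x@bank.example")

if __name__ == "__main__":
    for name, raw in [("KNOWN", KNOWN), ("SPAMMER", SPAMMER), ("FORGED", FORGED)]:
        print(name, classify(raw))
```

The spammer's message authenticates correctly and is still not treated as trusted; the forged message fails because the signing domain is not the one shown in From.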
The closing paragraph of the article is the most interesting, and most likely the most factually incorrect, part of the article. “They [phishers] then send out normal phishing messages that take the recipient to an attacker-controlled page located on the bank’s server. These attacks are insidious because the victim is visiting a legitimate site, security experts warn.” According to this, the phisher has already hacked the bank’s server. If this is the case, game over. Phishing is unnecessary; they are inside the bank’s server. Most likely the author was trying to say the phishing site often uses images from the legitimate server to maintain the same look and feel.
The thing that galls me most about this horrible article is that I learned about it through a SANS newsletter. They passed the URL on and quoted the article without comment. It’s as if they were endorsing this article.
FTC says NO to Do Not Email List
Although authorized by the (YOU)CanSPAM act to create a national email list, the Federal Trade Commission has declined to do so, according to news.com. The article quotes commission members as saying such a list would be ineffective and burdensome to the consumer.
Instead they highlighted two emerging mail authentication technologies, SPF and Domain Keys, as likely effective weapons in the anti-spam battle.
I tend to agree with this assessment. Unless your mailbox is already hopelessly overrun with spam and can’t get any worse, I would never risk giving out my email address to an anti-spam list.

