A British computer scientist has proposed a new twist on authentication that would allow e-mail senders to transport their reputations from IP address to IP address. He’s also asking for feedback on the idea from marketers.
“If this idea is stupid, I want to know about it right away,” said creator John Graham-Cumming.
Dubbed Trusted E-mail Connection Signing, or TECS, the plan would require e-mail senders to “sign” their connection when sending e-mail rather than signing the individual messages, as is the case with DomainKeys.
Among the advantages of TECS is that it would allow e-mail receivers to decide whether a sender is a spammer without having to use bandwidth processing incoming messages, according to Graham-Cumming.
“What I propose is very different from SPF and DomainKeys because it doesn’t require you to receive any e-mail before making a decision about a connection,” he said. “You want to be able to decide really quickly if someone is bad, and if they are, throw away their connection, and you want to do that before you receive any messages because messages use resources.”
Under the two current main authentication schemes, inbox providers must process incoming mail whether it is from a spammer or not. “DomainKeys and SPF mean you’ve already received the message,” said Graham-Cumming. “That means you’ve already wasted the bandwidth.”
TECS would also address the main flaws associated with relying on whitelists and blacklists of IP addresses to sort spam from non-spam e-mail, according to Graham-Cumming.
“IP addresses must be added to blacklists very fast as spammers churn through zombie machines, and any legitimate e-mailer needs to make sure their mail servers are whitelisted with multiple e-mail providers (e.g. Yahoo!, Gmail, Brightmail, ...) to ensure delivery,” wrote Graham-Cumming in a blog post. “And if a legitimate mailer wants to bring online new servers, with new IP addresses, they have to run through the entire whitelisting process again.”
According to Graham-Cumming, his idea would eliminate the need to go through whitelisting repeatedly and allow e-mail marketers who abide by industry best practices to transport good reputations to new IP addresses.
Currently, he said: “If you’ve built up a good reputation for your IP addresses and you need to change for some reason—say you’ve moved to a different ISP or you’ve decided to bring things in house—you’ve got a whole new set of IP addresses for which you’ve got to build up a reputation. Ideally, your reputation should be portable.”
The blog post in which he proposes TECS is here:
http://www.jgc.org/blog/2007/02/trusted-email-connection-signing-rev-02.html




