Scenario 1
The Authentication Key is sent to the recipient user, so it effectively becomes public. Potentially, the recipient user can use the same Key to forge an email as if it came from the sender. While this scenario is no different from the risk that the receiver of your Social Security Number, Credit Card or Bank Account Number might abuse that information, abuse is less likely if the Authentication Key is changed and expired often. The AVT (Authentication Valid Time) of each Authentication Key and its expiration enable the domain holder to dictate how often a new Authentication Key is generated and how long a given Authentication Key remains valid.
Furthermore, the Recipient SMTP Server should remove the Authentication Key from the message header to prevent this scenario.
There is a remote possibility that an email is sent to a Spammer SMTP Server that wants to collect the email address and the Authentication Key. For that reason, the AVT is used to expire the Authentication Key.
Scenario 2
Spammers can use the same technology to provide their own Authentication Key and send mail with a valid email address and Authentication Key.
This scenario is real; however, it enables the market to use the validated sender identity to rank the sender as a Spammer on a Rating Server if that is the case. Using the authenticated email address, the recipient SMTP Server can query a Rating Server to find out whether the mail was sent by a Spammer.
Email Hosting Providers can provide a mechanism that enables users to report Spam messages from an authenticated email address to a Rating Server. The Email Hosting Provider can use a Rating Server to rate the incoming messages of an authenticated email address and route each message according to the sender email address's rating value.
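The recipient-side handling described in Scenarios 1 and 2, as an added example that is not part of the original proposal: the recipient SMTP Server honours the Authentication Key only inside its AVT window, strips the header before delivery so the recipient cannot reuse the key, and then consults a Rating Server for the authenticated sender address. The header name and layout (X-Auth-Key with avt and issued parameters), the ISO-8601 timestamps and the in-memory Rating Server are assumptions made for illustration; the text does not specify them.

```python
"""Recipient-side handling of an Authentication Key header, as described in
Scenarios 1 and 2. Header name, key/AVT layout and the rating lookup are
assumptions for illustration; the proposal does not specify them."""
import email
from email.policy import default
from datetime import datetime, timedelta

# Assumed header layout attached by the sending SMTP Server:
#   X-Auth-Key: <opaque key>; avt=<seconds valid>; issued=<ISO-8601 UTC>
AUTH_HEADER = "X-Auth-Key"

# Constructed stand-in for a Rating Server: sender address -> spam score.
RATING_SERVER = {"spammer@example.net": 95, "alice@example.com": 3}
SPAM_THRESHOLD = 80

def parse_auth_header(value):
    """Split 'key; avt=N; issued=TS' into (key, avt_seconds, issued_at)."""
    key, *params = [p.strip() for p in value.split(";")]
    kv = dict(p.split("=", 1) for p in params)
    return key, int(kv["avt"]), datetime.fromisoformat(kv["issued"])

def key_is_valid(issued_at, avt_seconds, now):
    """Scenario 1: a key is only honoured inside its AVT window."""
    return issued_at <= now < issued_at + timedelta(seconds=avt_seconds)

def receive(raw_message, now_iso):
    """Return (verdict, delivered_message); now_iso is the server clock.
    The header is always stripped before delivery (Scenario 1)."""
    now = datetime.fromisoformat(now_iso)
    msg = email.message_from_string(raw_message, policy=default)
    header = msg[AUTH_HEADER]
    if header is None:
        return "unauthenticated", msg
    _key, avt, issued = parse_auth_header(header)
    del msg[AUTH_HEADER]
    if not key_is_valid(issued, avt, now):
        return "expired", msg
    # Scenario 2: the key proves the sender address; the Rating Server
    # decides whether that authenticated sender is a spammer.
    sender = msg["From"].addresses[0].addr_spec
    score = RATING_SERVER.get(sender, 0)
    return ("spam" if score >= SPAM_THRESHOLD else "ok"), msg

# Constructed sample message, not a real capture.
SAMPLE = (
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.org\r\n"
    "X-Auth-Key: k7Qp2; avt=3600; issued=2024-01-01T12:00:00+00:00\r\n"
    "Subject: hi\r\n\r\nhello\r\n"
)
```

Calling receive(SAMPLE, "2024-01-01T12:30:00+00:00") yields the verdict "ok" and a message with the X-Auth-Key header removed; the same message presented two hours later is reported as expired.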
Scenario 3
Theoretically, a user can spoof the email address of another user that uses the same SMTP Server. This can happen within a corporate environment, or with an ISP or Email Hosting Provider that serves multiple domains with the same set of SMTP Servers.
The solution to this problem is to use SMTP Authentication and to link the SMTP Authentication User with the email address and the email address's Authentication Key.
Scenario 4
Today, users have multiple email accounts in their mail client but only one SMTP Server. Since the SMTP Server belongs to only one of the email accounts in the set, it can only hold that account's Authentication Key. This prevents the SMTP Server from attaching the AuthKey to mail from the other accounts.
Phase II of the client implementation process will solve this problem.