In the quest to block spam and phishing attempts, legitimate messages often end up as collateral damage. Tune your spam filters up and you indeed reduce the amount of spam delivered — but you do so at the cost of false positives. Tune filters down and users are overwhelmed with spam, phishes and malware.
One alternative for the enterprise is to move from binary classification (bad vs. unknown) to a ternary categorization: bad, unknown, known-good. With ternary sorting, bad messages (such as spam and phishing) are still blocked or quarantined, but all other messages coming into the in-box are further categorized according to their perceived legitimacy.
Large service providers have begun segregating the in-box into known-good and unknown messages. The Messaging Anti-Abuse Working Group recommends providing users with visual cues: messages backed by authentication, accreditation, reputation and monitoring services should be highlighted in the in-box to mark them as genuine and safe.
This best practice for consumer-focused ISPs also provides benefits to the enterprise. After all, helping consumers identify a real order confirmation is no different from helping executives discern their real e-ticket amid fake phishing messages.
Highlighting messages involves establishing a relationship with an e-mail reputation and accreditation service. Here are some terms:
Authentication: The act of confirming that a message comes from its purported source. The sender’s domain is often authenticated — using standards such as Sender ID or DomainKeys Identified Mail (DKIM) — but some services go beyond domains and authenticate the entire From: header.
Accreditation: Before a reputation service starts tracking the reputation of a sender, it accredits the candidate: Is it a real company that can be held accountable? Does it have an established reputation sending e-mails? Some services will simply create an initial reputation score based on the results of the accreditation process; others have more sophisticated technologies and can go as far as granting a sender privileges that are commensurate with accreditation results.
Reputation: Once accredited, a sender’s initial reputation is established. This reputation fluctuates based on the sender’s behavior and its adherence to the acceptable use policy defined by the reputation service.
Monitoring: Reputation services monitor their accredited senders. The best services monitor sending patterns and complaints in real time, and have precise volume and complaint data; they are thus capable of establishing an extremely accurate reputation score for the senders they monitor.
Public-key cryptography, using SHA-1 or SHA-256 hashing and RSA-512 to RSA-2048 cryptographic signatures, is the method of choice for the authentication segment of the process, as evidenced by DKIM and CertifiedEmail. Reputation data can be embedded within the signed authentication segment (this is the case with CertifiedEmail) or communicated out-of-band to supplement authentication-only protocols, such as DKIM and Sender ID. There are no standards for this out-of-band reputation check, though most proposals rely on DNS queries of TXT records held and maintained by a reputation authority.
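The ternary sort described above, combined with the out-of-band DNS reputation check, as an added example (not code from the article or from any reputation service). The `rep.example.net` zone, the TXT record layout, the score threshold and the rule that the verified DKIM domain must equal the From: domain are assumptions, and the records are constructed so the code runs offline.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed TXT records for a hypothetical reputation authority. The zone
# name and the "v=rep1; accredited=...; score=..." layout are assumptions.
REP_ZONE = "rep.example.net"
TXT_RECORDS = {
    "airline.example." + REP_ZONE: "v=rep1; accredited=yes; score=92",
    "newshop.example." + REP_ZONE: "v=rep1; accredited=yes; score=40",
    "broken.example." + REP_ZONE: "v=rep1; accredited=yes; score=high",
}
MIN_SCORE = 80  # assumed threshold for highlighting a message


@dataclass
class Message:
    from_domain: str                     # domain in the From: header
    verified_dkim_domain: Optional[str]  # d= of a signature that verified, else None
    flagged_by_filter: bool              # verdict of the existing spam/phish filter


def lookup_reputation(domain, resolve=TXT_RECORDS.get):
    """Return the sender's score, or None if unaccredited, missing or malformed."""
    txt = resolve(f"{domain.lower()}.{REP_ZONE}")
    if not txt:
        return None
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if tags.get("v") != "rep1" or tags.get("accredited") != "yes":
        return None
    try:
        return int(tags["score"])
    except (KeyError, ValueError):
        return None


def classify(msg):
    """Sort a message into 'bad', 'known-good' or 'unknown'."""
    if msg.flagged_by_filter:
        return "bad"  # still blocked or quarantined, as before
    signer = (msg.verified_dkim_domain or "").lower()
    if signer != msg.from_domain.lower():
        return "unknown"  # unauthenticated mail is never highlighted
    score = lookup_reputation(signer)
    if score is None or score < MIN_SCORE:
        return "unknown"  # a failed lookup degrades to unknown, not to bad
    return "known-good"
```

In a deployment, `resolve` would be replaced by a real DNS TXT query; a timeout or malformed answer should take the same `None` path so that a message is never highlighted on a failed lookup.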