Email

1
Email Then, Now, and Later

• Eric Allman
• Thom OConnor
• Sendmail, Inc.

2
A (Very) Brief History of Email

• Email springs from the ArpaNET as an afterthought
  special form of file transfer
• Slow networks, low volume, limited audience
  (academic and research)
• Quickly became a killer app
• 1984 Internet appears, still limited audience
• April 30, 1995 The rules change Internet is
  privatized net becomes available to anyone with
  money for any purpose
• Some privately held backbones prior to this, but
  limited commercial use because of government
  rules
• Email becomes a critical part of the business
  infrastructure

3
Where Are We Right Now?

• Good (but could be better) timely, anywhere
  access, reasonable marginal cost, ability to file
  and store, searchable (sort of), can auto-handle,
  elements of privacy and reliability
• Not so good spam and viruses are here to stay
• When theres money to be made, people will figure
  out how to make money
• Think of spam as roaches you can keep them under
  control but not eliminate them (Dave Crocker)
• Commercial entities want to use email to supplant
  physical mail bills, statements, ads, trade
  acknowledgements, etc.
• Traffic load keeps going up this isnt going to
  change even when we fix the spam problem

4
Pressures Placed on Email Today

• Summary better control and access, more secure,
  reliable, and flexible
• Message filtering and filing capabilities on the
  server brought down to the end-user level (better
  control)
• Integration of wireless access with traditional
  methods of access (better access)
• Synchronization of data regardless of access
  method (more flexible)
• Message validity and classification (more secure,
  more reliable)

5
Better Control

• Message filtering and filing capabilities
• First came anti-virus, content filtering, and
  anti-spam basics on a site-wide level
• Soon after, it was Classes of Service, with
  different groups of users with different needs
• Now its complete per-user control
• SIEVE filtering and fileinto (RFC 3028)
• SMS notification and forwarding
• User-based classifications of what is valid and
  not valid (spam) email
• Need to push per-user controls out to the
  perimeter

6
Better Access

• Everything going wireless and everyone going
  mobile (obvious)
• Security (and privacy) of information is a major
  challenge
• The basic protocols exist to provide the access,
  but not easily assembled HTTP/HTTPS,
  IMAP/IMAPS, WAP, iMODE, RSS, WebDAV, and a mix of
  proprietary protocols (e.g., Blackberry)
• Users want all functions on all devices

7
More Secure

• Everyone talks the security talk, but not enough
  walk the security walk
• Some ISPs block or redirect outgoing port 25
• Challenges interoperability (PKI, certificate
  management), MUA (client) implementation
  differences, ease of use, corporate enforcement
  policy
• Being driven by legal and policy issues
• SEC, HIPPA, Sarbanes-Oxley
• Continued slow growth of STARTTLS and SMTPS,
  IMAPS, POPS, Public Key encryption (PGP
  S/MIME), HTTPS
• Still need a trigger to kick-start wider usage of
  encryption in email

8
More Reliable

• The clear need for authentication
• Sender domain authentication is the necessary
  precursor to the next big thing in email
• Authentication introduces accountability, message
  identification, and prioritization
• Service providers will need to have their users
  authenticate before submitting mail (RFC 2476)
  transitive accountability
• The best authentication is one based on proven
  security techniques such as SMTP AUTH (RFC 2554)

9
What You Should Think AboutWhen Designing an
Email System Today

• Scaling for the present and the future
• Regulatory compliance
• Reliability appropriate for your needs
• E.g., redundancy if necessary (but expensive)
• Resilience against Denial of Service attacks
• Flexibility to do what you need
• Dont get caught up in a single litmus test
• People are more expensive than silicon move work
  from people to computers wherever possible

10
Predictions about the Future (23 years)

• Obvious
• Volume will continue to go up for quite some time
• Spam will be better addressed, albeit not fixed
• Companies will separate their mail based on class
  and outsource a lot of it
• Bill presentment, advertisements, newsletters,
  etc.
• Personal exchange with customers, partners, and
  colleagues will be treated separately and
  differently
• Legal landscape will change e-information will
  be held to stricter standards than paper
• Mail will move toward IM but not fully merge
• SMTP will morph, but there will be no serious
  contender for replacement

11
Spam Predictions (Next 23 Years)

• ePostage wont succeed for several years
• User resistance
• Vendor bickering
• Pragmatic problems
• Authentication techniques will help dramatically,
  but will not solve the problem by themselves
• Fraud will be directly addressed and reduced
• Spammers will adapt to the extent they can, but
  they will be more exposed
• Accreditation/Reputation systems will gain a
  foothold, but not globally value will be
  debatable
• Most pure content-filtering techniques will
  stumble because they just cant keep up

12
Problems Without (Current) Solutions

• Enforcing encryption by the message recipient (I
  dont want to accept unencrypted mail from
  Travelocity)
• Automated outgoing encryption (per domain and/or
  per recipient) available on a limited basis
• Better PKI DNS use for key distribution may not
  scale well, especially to larger keys
• MUA support for new functionality e.g., display
  authentication status Microsoft is doing some

13
Conclusions

• Email is not dead, far from it expect more, much
  more but dont ignore serious challenges
• SMTP is not dead, but it will change to meet the
  demands (e.g., SUBMITTER extension)
• Authentication will be a major and important
  change, but wont immediately do as much as we
  would like
• Spam will be dealt with, albeit not without cost
  to both legitimate senders and receivers
• Dealt with doesnt mean annihilation, just
  reducing it to a dull roar

14
Questions?