A 2019 SIGNAL Conversation on Anti-Spoofing in Voice & Email

August 14, 2019

Recently, at Twilio’s SIGNAL 2019 Conference in San Francisco, my colleague Christer Fahlgren and I had a chance to lead an on-stage conversation with the companies and organizations that have played an active role in shaping Internet standards designed to fight calling and email abuse on a massive scale.

The wildly popular adoption and proliferation of email can be credited for helping grow the Internet. The only thing more staggering than the proliferation of email as it ascended to become the provider of the fundamental and most universal digital identifier is the degree to which this open platform framework has been abused. If imitation is the sincerest form of flattery then mass exploits are certainly an acknowledgment of a technology’s ability to connect the world.

Email in the early 2000s was like Times Square in the late ’70s, a terrifying place. Unsubscribe links were often used by spammers as beacons that told them which email addresses were live and which were not. JavaScript had just been banned in HTML emails, which came with its own set of exploits and challenges. The basic question persisted: who is sending me the email, and can I trust that it’s from who they claim to be?

With abuse reaching a fever pitch in the late ’90s and early 2000s, something had to be done to help restore trust in the inbox. Identity and transparency controls were needed for a messaging system that was designed by academics and never intended to be the de facto means of communicating on the Internet. Starting in 2003/2004, email authentication began to take center stage as a means of detecting and preventing abuse. Standards were developed in the IETF (Internet Engineering Task Force) that took the form of SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain Message Authentication Reporting & Conformance). For more information on how email authentication can affect where your emails land and how they’re treated by mailbox providers, check out the presentation on authentication and deliverability given by Jacob Hansen, Twilio SendGrid’s Expert Services Manager, and Justin Foulk, a Senior Implementation Manager.

By creating a trust framework and means of rejecting spoofed email when properly deployed, these standards have proven beneficial not only for recipients and the Internet at large, but for companies that have made email a staple of their overall marketing and communications strategy. Despite the effectiveness of these standards to prevent abuse of a brand and protect consumer inboxes, adoption has been slow (based on recent data from 250ok and Valimail respectively).

[Figure: Global DMARC adoption rates through 2019]

[Figure: DMARC usage and enforcement rates]

Similarly, as voice communications have moved beyond copper wires, the need to protect legitimate calling services has become paramount in retaining caller trust and combating the growth of abuse to massive levels. In November 2018, FCC Chairman Ajit Pai called on carriers to voluntarily implement SHAKEN/STIR by the end of 2019, under threat of regulation if implementation is not undertaken. SHAKEN (Secure Handling of Asserted information using toKENs)/STIR (Secure Telephony Identity Revisited) has come into the media spotlight as carriers and technology companies seeking to connect their customers via voice and other services are banding together to address a similar rise in spoofing and crime that comes in the form of robocalls.

There is perhaps nothing more annoying than your phone ringing and the number that comes up being either your own number or one that’s only a digit off. This phenomenon happens more than you may think: by some accounts, 9500 of these calls happen every second! According to complaint data from the FTC, robocalls are the most complained-about form of abuse.

[Figure: Robocalling vs. Live Caller volume from 2014-2018]

Like phishing, which benefits greatly from spoofing an email From address or domain, using a person’s own number or a neighborhood number to call them is a kind of social engineering meant to compel the recipient of a robocall to answer the phone. At the same time, older populations are being preyed upon with carefully crafted messages purporting to be from the IRS, AARP and any other trusted organization. The phone for this group is literally a lifeline, so the call must be trusted; otherwise the result could be catastrophic. Carriers such as Comcast, AT&T, T-Mobile and Verizon have announced their support for SHAKEN/STIR as a means of re-establishing trust with the calling number and more easily tracing robocalls. With the FCC threatening direct action, the pressure is on across the voice ecosystem to implement technology aimed at helping establish the authenticity of calls and tracing fraudulent ones. For more information on the technical details of SHAKEN/STIR and the role that analytics companies play in the fight against robocalls, check out the presentation made by Christer Fahlgren and Tim Beyers of Twilio’s Voice team, also at Twilio’s SIGNAL 2019 conference.

The panel discussion Christer and I moderated at SIGNAL 2019 with the authors of DKIM/DMARC and SHAKEN/STIR shed light on what anti-abuse looked like before the advent of Internet standards aimed at curtailing bad actors, and on what the future holds for the phone and the inbox.

Companies and organizations are actively working to bring voice solutions to market that build on the standards authored by people such as Jon Peterson (Neustar), Mary Barnes (iconectiv) and Chris Wendt (Comcast), in addition to Steve Jones (LinkedIn) and Murray Kucherawy (Facebook), all of whom were heavily involved in the development of DKIM and DMARC.

You can view the hour-long conversation Christer Fahlgren, Twilio’s Voice Architect, and I had on stage with the aforementioned creators.

Len Shneyder is a 15+ year email and digital messaging veteran and the VP of Industry Relations at Twilio SendGrid. He's currently concerned with trust in Voice and Email communications. He can be reached at lshneyder [at] twilio.com.