[nospam] ARTICLE: Yahoo Proposes Anti-Spam Standard For Internet
- From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
- To: nospam@xxxxxxxxxxxxx
- Date: Tue, 13 Jan 2004 16:10:04 -0500
Thought I would post this one to keep the list alive.
Jim Kenzig
http://www.spamguerilla.com
Yahoo Proposes Anti-Spam Standard For Internet
http://www.eweek.com/print_article/0,3048,a=116049,00.asp
January 12, 2004
By Larry Seltzer
When it comes to proposed technical solutions to spam, I'm a pessimist in
general and confirmed skeptic at heart. Such proposals, in their attempts to
make spamming impossible, invariably force everyone to change all their
mailing software, dooming any practical prospects of the plan.
However, "invariably" could be too strong a word. For example, Yahoo, which
claims to be the largest mail provider in the U.S., recently proposed a
domain-level authentication system to combat spam. What's interesting here
is its conscious attempt not to overreach. The company is still being
circumspect in releasing details of its "Domain Keys" system publicly
because the proposal is still being formulated, but officials did share the
substance of the plan.
What would SMTP authentication accomplish? It wouldn't, in and of itself,
prevent someone from spamming. What it would do is allow spammers to be
identified and effectively blacklisted.
Authentication systems usually involve digital certificates, perhaps even
for each user. For e-mail the sender might sign each message with his or her
private key, and after looking up the sender's public key in some
publicly-available system, usually a certificate authority, the recipient
could confirm that the message was in fact signed by the person claiming to
be the sender.
Yahoo's Domain Keys proposal has two interesting innovations that make it
different and intriguing: First, authentication is only performed on a
domain level, not the user level.
For example, in a world running the Domain Keys system if you get a message
from wacka-wacka@xxxxxxxxxxx, you could confirm that it really did come from
hotmail.com. That's well and good in the case of Hotmail, since it's safe to
assume that Hotmail has enough internal authentication that the sending user
really was wacka-wacka.
But what about a message from igor@xxxxxxxxxxxxxxxxx? You may be able to
confirm that it really came from fraunkensteen.com, but did it really come
from igor? This actually could be an issue if mail.fraunkensteen.com isn't
very picky about who it accepts SMTP connections from. Some have suggested
that spammers could simply move to a series of new, cheap throwaway domains
as old ones become blacklisted. This is a reasonable concern, but I'm not
sure how serious it is.
The other interesting innovation with Yahoo's plan is that no fancy and
expensive certificate authorities are involved. Instead, the domain's
private key is stored in DNS, where everyone can get at it fairly easily to
check signatures.
Domain Keys would also present a problem to users (like me) who use a From:
address with a domain different that the one for the SMTP server sending the
message. Because the From: address is the most obvious spot to check for
domain authentication, it's the one used by Domain Keys (at least in the
initial proposal) for recipients to check.
Certainly, I agree that if you have to pick one address to check, From: is
the only one to pick. Still, many users have From: addresses with a
different domain than their SMTP server. Domain Keys would cause problems,
at least in the short term, for folks that travels and for users in Internet
cafes. No doubt it would burden administrators who will have to make sure
that client systems are using the right SMTP server to correspond to their
From: address, something that doesn't matter now.
Next page: Squishing Worms...
<http://www.eweek.com/article2/0,4149,1433674,00.asp>
The transitional period for Domain Keys would also bring its share of
problems. In the end, presumably any unsigned mail would need to be treated
as untrusted; so once the switch is thrown and respectable people start
enforcing authentication, anyone who doesn't implement the system will be
unable to send e-mail to the respectable e-mail world.
Trust me, Domain Keys would be on the front pages of every newspaper and
even featured in an episode of Friends (or take your pick of a Top Ten show
since Friends ends in May). Yet when it happens, expect that there will
still be lots of people outraged that they didn't get sufficient notice.
Look for lawsuits to commence.
Yahoo! disagrees on this point. In the news article linked above, Brad
Garlinghouse, vice president for communication products at Yahoo said: "If
we can get only a small percentage of the industry to buy in, we think it
can have a dent."
I've heard the same theory from other serious people in the industry. So,
perhaps I'm over reacting.
Yahoo's plan goes beyond stopping spam. Halting phishing attacks and certain
worms is also a major motivation for Yahoo.
Consider the e-mail worms that appear to come from some address at
Microsoft, such as Xombe, the most recent one, which appears to come from
windowsupdate@xxxxxxxxxxxxxx
<http://www.eweek.com/article2/0,4149,1429832,00.asp> This kind of attack
would never get through even the first time under Domain Keys, because it
wouldn't actually come from the address it now appears to come from.
Speaking of worms, it's worth noting that one of the major innovations in
e-mail worm technology a couple of years ago was the inclusion of an SMTP
engine as part of the worm code itself. All of these attacks would have to
be upgraded by hackers to even attempt to function under domain keys.
Domain Keys stops these worms from using their current mode of operation,
which is to harvest addresses off the victim's system and use them both as
the sender's address and the recipient's. Since the worm wouldn't have
access to the private key for the From: address domain, its progress is
mostly stopped.
The best the worm author could do (correct me if I'm wrong) is to hard-code
the private key for one domain or multiple domains to which he or she has
access to the private key. This would be a bad idea (for them) for a couple
reasons: one, it might make it easier to trace the author of the worm; two,
either the site could be taken down or the keys regenerated and the worm
would die quickly.
Next page: Can Yahoo Actually Do It?
<http://www.eweek.com/article2/0,4149,1433675,00.asp>
If this proposal is ever to get off the ground, the next step, after
feedback to Yahoo, will be a standards process with a proposed standard from
Yahoo.
Since every mail server on the Internet will have to implement Domain Keys
if it wants to send mail, for all practical purposes there will need to be
monetarily free and open-source implementations available. If it looks
promising, at some point early in that process? because the spam problem is
so urgent?some people will want to implement it even if the standards
process is incomplete.
There are plenty of mail servers in the world running on a lot of different
platforms. A few of them are more important than others, such as Sendmail,
QMail, Exchange and Notes. The free implementations of Domain Keys will have
to cover a very large percentage of mail servers in use.
So what would be the critical mass of servers needed to implement the
technology before it could be considered dominant, or implemented enough
that one could say that it's unreasonable for people not to implement it?
How do we quantify this critical mass?
The answer would have to be framed in terms of e-mail users who use the
servers in question. Yahoo, AOL and Microsoft joined in an alliance against
spam last year. <http://www.eweek.com/article2/0,4149,1047348,00.asp> If all
three members of the coalition were to endorse one technology and promise to
implement it, that move would represent a huge percentage of Internet mail.
It would be hard for other vendors and services to ignore such an
initiative.
At some point, governments and large corporations would also adopt such a
technology and require others who want to communicate with them to implement
it too.
If I sound enthusiastic, I'm really more skeptical than that. Remember, this
is a proposal to require all mail server operators to change their software.
It's a proposal to change the most widely-used protocols on the Internet.
Something of this magnitude isn't done unless it's really, really necessary.
And (this is important) you absolutely have to get it right the first time.
As Yahoo points out, this is why they're asking for feedback on their
proposal.
Check out eWEEK.com's Special Report: Canning Spam for all you need on the
most troublesome problem on the Internet today.
<http://www.eweek.com/category2/0,4148,1304524,00.asp>
There are other potential problems with domain keys: The system would
increase the processing load on every mail server by adding digital signing
to the process, and I assume it would also increase the amount of DNS
traffic a fair amount as recipient servers look up the public keys of the
senders.
Authentication also means a step away from anonymity for users on the
Internet. This doesn't bother me so much, but it does bother a lot of other
people. It's possible, certainly with a system like Domain Keys, for a
domain to keep its users anonymous even if the fact that mail is coming from
it is not hidden. If you feel that mail from that domain is not trustworthy
you can block it.
Domain Keys is a fascinating idea most because, in its attempt not to
overreach, it demonstrates how formidable a challenge it is to make a
technical solution to spam within the existing Internet infrastructure. Even
Domain Keys requires changes so widespread that fundamental that it's easy
to envision a rocky transition period at a minimum. Spam is a tumor, rapidly
growing into the body of Internet email and choking the life out of it.
Surgery like Domain Keys can be painful and unpleasant and it's not always
successful, but perhaps we'll really try it before email actually dies.
Security Center Editor Larry Seltzer <mailto:larryseltzer@xxxxxxxxxxxxx> has
worked in and written about the computer industry since 1983. Be sure to
check out eWEEK.com's Security Center at http://security.eweek.com for the
latest security news, views and analysis.
*********************************************************
This Weeks Sponsor IDP SpamRejection
Anti Spam Filtering Service
15 Day Free Trial.
100% Money Back Guaranteed!
http://www.spamrejection.com/default.asp?partner=thethin
*********************************************************
****************************************************
To unsubscribe from this list go to:
//www.freelists.org/list/nospam
****************************************************
Other related posts:
- » [nospam] ARTICLE: Yahoo Proposes Anti-Spam Standard For Internet
