Yahoo's domain authentication proposal is intriguing, both in its conservative approach and in the company's considerable clout and credibility. But any system that proposes to change all the e-mail servers on the Internet faces an uphill climb at best. B
When it comes to proposed technical solutions to spam, Im a pessimist in general and confirmed skeptic at heart. Such proposals, in their attempts to make spamming impossible, invariably force everyone to change all their mailing software, dooming any practical prospects of the plan.
However, "invariably" could be too strong a word. For example, Yahoo, which claims to be the largest mail provider in the U.S., recently proposed a domain-level authentication system to combat spam. Whats interesting here is its conscious attempt not to overreach. The company is still being circumspect in releasing details of its "Domain Keys" system publicly because the proposal is still being formulated, but officials did share the substance of the plan.
What would SMTP authentication accomplish? It wouldnt, in and of itself, prevent someone from spamming. What it would do is allow spammers to be identified and effectively blacklisted.
Authentication systems usually involve digital certificates, perhaps even for each user. For e-mail the sender might sign each message with his or her private key, and after looking up the senders public key in some publicly-available system, usually a certificate authority, the recipient could confirm that the message was in fact signed by the person claiming to be the sender.
Yahoos Domain Keys proposal has two interesting innovations that make it different and intriguing: First, authentication is only performed on a domain level, not the user level.
For example, in a world running the Domain Keys system if you get a message from firstname.lastname@example.org, you could confirm that it really did come from hotmail.com. Thats well and good in the case of Hotmail, since its safe to assume that Hotmail has enough internal authentication that the sending user really was wacka-wacka.
But what about a message from email@example.com? You may be able to confirm that it really came from fraunkensteen.com, but did it really come from igor? This actually could be an issue if mail.fraunkensteen.com isnt very picky about who it accepts SMTP connections from. Some have suggested that spammers could simply move to a series of new, cheap throwaway domains as old ones become blacklisted. This is a reasonable concern, but Im not sure how serious it is.
The other interesting innovation with Yahoos plan is that no fancy and expensive certificate authorities are involved. Instead, the domains public key is stored in DNS, where everyone can get at it fairly easily to check signatures.
Domain Keys would also present a problem to users (like me) who use a From: address with a domain different that the one for the SMTP server sending the message. Because the From: address is the most obvious spot to check for domain authentication, its the one used by Domain Keys (at least in the initial proposal) for recipients to check.
Certainly, I agree that if you have to pick one address to check, From: is the only one to pick. Still, many users have From: addresses with a different domain than their SMTP server. Domain Keys would cause problems, at least in the short term, for folks that travels and for users in Internet cafes. No doubt it would burden administrators who will have to make sure that client systems are using the right SMTP server to correspond to their From: address, something that doesnt matter now.
Next page: Squishing Worms...
Larry Seltzer has been writing software for and English about computers ever since,much to his own amazement,he graduated from the University of Pennsylvania in 1983.
He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.
For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.
In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.
Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.