Yahoo Proposes Anti-Spam Standard For Internet - Page 2

...">

The transitional period for Domain Keys would also bring its share of problems. In the end, presumably any unsigned mail would need to be treated as untrusted; so once the switch is thrown and respectable people start enforcing authentication, anyone who doesnt implement the system will be unable to send e-mail to the respectable e-mail world.

Trust me, Domain Keys would be on the front pages of every newspaper and even featured in an episode of Friends (or take your pick of a Top Ten show since Friends ends in May). Yet when it happens, expect that there will still be lots of people outraged that they didnt get sufficient notice. Look for lawsuits to commence.

Yahoo! disagrees on this point. In the news article linked above, Brad Garlinghouse, vice president for communication products at Yahoo said: "If we can get only a small percentage of the industry to buy in, we think it can have a dent."

Ive heard the same theory from other serious people in the industry. So, perhaps Im over reacting.

Yahoos plan goes beyond stopping spam. Halting phishing attacks and certain worms is also a major motivation for Yahoo.

Consider the e-mail worms that appear to come from some address at Microsoft, such as Xombe, the most recent one, which appears to come from windowsupdate@microsoft.com. This kind of attack would never get through even the first time under Domain Keys, because it wouldnt actually come from the address it now appears to come from.

28571.gif

Speaking of worms, its worth noting that one of the major innovations in e-mail worm technology a couple of years ago was the inclusion of an SMTP engine as part of the worm code itself. All of these attacks would have to be upgraded by hackers to even attempt to function under domain keys.

Domain Keys stops these worms from using their current mode of operation, which is to harvest addresses off the victims system and use them both as the senders address and the recipients. Since the worm wouldnt have access to the private key for the From: address domain, its progress is mostly stopped.

The best the worm author could do (correct me if Im wrong) is to hard-code the private key for one domain or multiple domains to which he or she has access to the private key. This would be a bad idea (for them) for a couple reasons: one, it might make it easier to trace the author of the worm; two, either the site could be taken down or the keys regenerated and the worm would die quickly.

Next page: Can Yahoo Actually Do It?