When it comes to proposed technical solutions to spam, Im a pessimist in general and confirmed skeptic at heart. Such proposals, in their attempts to make spamming impossible, invariably force everyone to change all their mailing software, dooming any practical prospects of the plan.
However, “invariably” could be too strong a word. For example, Yahoo, which claims to be the largest mail provider in the U.S., recently proposed a domain-level authentication system to combat spam. Whats interesting here is its conscious attempt not to overreach. The company is still being circumspect in releasing details of its “Domain Keys” system publicly because the proposal is still being formulated, but officials did share the substance of the plan.
What would SMTP authentication accomplish? It wouldnt, in and of itself, prevent someone from spamming. What it would do is allow spammers to be identified and effectively blacklisted.
Authentication systems usually involve digital certificates, perhaps even for each user. For e-mail the sender might sign each message with his or her private key, and after looking up the senders public key in some publicly-available system, usually a certificate authority, the recipient could confirm that the message was in fact signed by the person claiming to be the sender.
Yahoos Domain Keys proposal has two interesting innovations that make it different and intriguing: First, authentication is only performed on a domain level, not the user level.
For example, in a world running the Domain Keys system if you get a message from email@example.com, you could confirm that it really did come from hotmail.com. Thats well and good in the case of Hotmail, since its safe to assume that Hotmail has enough internal authentication that the sending user really was wacka-wacka.
But what about a message from firstname.lastname@example.org? You may be able to confirm that it really came from fraunkensteen.com, but did it really come from igor? This actually could be an issue if mail.fraunkensteen.com isnt very picky about who it accepts SMTP connections from. Some have suggested that spammers could simply move to a series of new, cheap throwaway domains as old ones become blacklisted. This is a reasonable concern, but Im not sure how serious it is.
The other interesting innovation with Yahoos plan is that no fancy and expensive certificate authorities are involved. Instead, the domains public key is stored in DNS, where everyone can get at it fairly easily to check signatures.
Domain Keys would also present a problem to users (like me) who use a From: address with a domain different that the one for the SMTP server sending the message. Because the From: address is the most obvious spot to check for domain authentication, its the one used by Domain Keys (at least in the initial proposal) for recipients to check.
Certainly, I agree that if you have to pick one address to check, From: is the only one to pick. Still, many users have From: addresses with a different domain than their SMTP server. Domain Keys would cause problems, at least in the short term, for folks that travels and for users in Internet cafes. No doubt it would burden administrators who will have to make sure that client systems are using the right SMTP server to correspond to their From: address, something that doesnt matter now.
The transitional period for Domain Keys would also bring its share of problems. In the end, presumably any unsigned mail would need to be treated as untrusted; so once the switch is thrown and respectable people start enforcing authentication, anyone who doesnt implement the system will be unable to send e-mail to the respectable e-mail world.
Trust me, Domain Keys would be on the front pages of every newspaper and even featured in an episode of Friends (or take your pick of a Top Ten show since Friends ends in May). Yet when it happens, expect that there will still be lots of people outraged that they didnt get sufficient notice. Look for lawsuits to commence.
Yahoo! disagrees on this point. In the news article linked above, Brad Garlinghouse, vice president for communication products at Yahoo said: “If we can get only a small percentage of the industry to buy in, we think it can have a dent.”
Ive heard the same theory from other serious people in the industry. So, perhaps Im over reacting.
Yahoos plan goes beyond stopping spam. Halting phishing attacks and certain worms is also a major motivation for Yahoo.
Consider the e-mail worms that appear to come from some address at Microsoft, such as Xombe, the most recent one, which appears to come from email@example.com. This kind of attack would never get through even the first time under Domain Keys, because it wouldnt actually come from the address it now appears to come from.
Speaking of worms, its worth noting that one of the major innovations in e-mail worm technology a couple of years ago was the inclusion of an SMTP engine as part of the worm code itself. All of these attacks would have to be upgraded by hackers to even attempt to function under domain keys.
Domain Keys stops these worms from using their current mode of operation, which is to harvest addresses off the victims system and use them both as the senders address and the recipients. Since the worm wouldnt have access to the private key for the From: address domain, its progress is mostly stopped.
The best the worm author could do (correct me if Im wrong) is to hard-code the private key for one domain or multiple domains to which he or she has access to the private key. This would be a bad idea (for them) for a couple reasons: one, it might make it easier to trace the author of the worm; two, either the site could be taken down or the keys regenerated and the worm would die quickly.
Can Yahoo Actually Do
If this proposal is ever to get off the ground, the next step, after feedback to Yahoo, will be a standards process with a proposed standard from Yahoo.
Since every mail server on the Internet will have to implement Domain Keys if it wants to send mail, for all practical purposes there will need to be monetarily free and open-source implementations available. If it looks promising, at some point early in that process— because the spam problem is so urgent—some people will want to implement it even if the standards process is incomplete.
There are plenty of mail servers in the world running on a lot of different platforms. A few of them are more important than others, such as Sendmail, QMail, Exchange and Notes. The free implementations of Domain Keys will have to cover a very large percentage of mail servers in use.
So what would be the critical mass of servers needed to implement the technology before it could be considered dominant, or implemented enough that one could say that its unreasonable for people not to implement it? How do we quantify this critical mass?
The answer would have to be framed in terms of e-mail users who use the servers in question. Yahoo, AOL and Microsoft joined in an alliance against spam last year. If all three members of the coalition were to endorse one technology and promise to implement it, that move would represent a huge percentage of Internet mail. It would be hard for other vendors and services to ignore such an initiative.
At some point, governments and large corporations would also adopt such a technology and require others who want to communicate with them to implement it too.
If I sound enthusiastic, Im really more skeptical than that. Remember, this is a proposal to require all mail server operators to change their software. Its a proposal to change the most widely-used protocols on the Internet.
Something of this magnitude isnt done unless its really, really necessary. And (this is important) you absolutely have to get it right the first time.
As Yahoo points out, this is why theyre asking for feedback on their proposal.
There are other potential problems with domain keys: The system would increase the processing load on every mail server by adding digital signing to the process, and I assume it would also increase the amount of DNS traffic a fair amount as recipient servers look up the public keys of the senders.
Authentication also means a step away from anonymity for users on the Internet. This doesnt bother me so much, but it does bother a lot of other people. Its possible, certainly with a system like Domain Keys, for a domain to keep its users anonymous even if the fact that mail is coming from it is not hidden. If you feel that mail from that domain is not trustworthy you can block it.
Domain Keys is a fascinating idea most because, in its attempt not to overreach, it demonstrates how formidable a challenge it is to make a technical solution to spam within the existing Internet infrastructure. Even Domain Keys requires changes so widespread that fundamental that its easy to envision a rocky transition period at a minimum. Spam is a tumor, rapidly growing into the body of Internet email and choking the life out of it. Surgery like Domain Keys can be painful and unpleasant and its not always successful, but perhaps well really try it before email actually dies.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out
More from Larry Seltzer