Yahoo Proposes Anti-Spam Standard For Internet - Page 3

Download the authoritative guide: The Ultimate Guide to IT Security Vendors


If this proposal is ever to get off the ground, the next step, after feedback to Yahoo, will be a standards process with a proposed standard from Yahoo.

Since every mail server on the Internet will have to implement Domain Keys if it wants to send mail, for all practical purposes there will need to be monetarily free and open-source implementations available. If it looks promising, at some point early in that process— because the spam problem is so urgent—some people will want to implement it even if the standards process is incomplete.

There are plenty of mail servers in the world running on a lot of different platforms. A few of them are more important than others, such as Sendmail, QMail, Exchange and Notes. The free implementations of Domain Keys will have to cover a very large percentage of mail servers in use.

So what would be the critical mass of servers needed to implement the technology before it could be considered dominant, or implemented enough that one could say that its unreasonable for people not to implement it? How do we quantify this critical mass?

The answer would have to be framed in terms of e-mail users who use the servers in question. Yahoo, AOL and Microsoft joined in an alliance against spam last year. If all three members of the coalition were to endorse one technology and promise to implement it, that move would represent a huge percentage of Internet mail. It would be hard for other vendors and services to ignore such an initiative.

At some point, governments and large corporations would also adopt such a technology and require others who want to communicate with them to implement it too.

If I sound enthusiastic, Im really more skeptical than that. Remember, this is a proposal to require all mail server operators to change their software. Its a proposal to change the most widely-used protocols on the Internet.

Something of this magnitude isnt done unless its really, really necessary. And (this is important) you absolutely have to get it right the first time.

As Yahoo points out, this is why theyre asking for feedback on their proposal. /zimages/7/28571.gif

There are other potential problems with domain keys: The system would increase the processing load on every mail server by adding digital signing to the process, and I assume it would also increase the amount of DNS traffic a fair amount as recipient servers look up the public keys of the senders.

Authentication also means a step away from anonymity for users on the Internet. This doesnt bother me so much, but it does bother a lot of other people. Its possible, certainly with a system like Domain Keys, for a domain to keep its users anonymous even if the fact that mail is coming from it is not hidden. If you feel that mail from that domain is not trustworthy you can block it.

Domain Keys is a fascinating idea most because, in its attempt not to overreach, it demonstrates how formidable a challenge it is to make a technical solution to spam within the existing Internet infrastructure. Even Domain Keys requires changes so widespread that fundamental that its easy to envision a rocky transition period at a minimum. Spam is a tumor, rapidly growing into the body of Internet email and choking the life out of it. Surgery like Domain Keys can be painful and unpleasant and its not always successful, but perhaps well really try it before email actually dies.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out eWEEK.coms Security Center at for the latest security news, views and analysis.

More from Larry Seltzer