
May 22, 2007 10:30 PM PDT

Promising antispam technique gets nod

Spammers, phishers and other Internet bottom-feeders, be warned.

A key Internet standards body gave preliminary approval on Tuesday to a powerful technology designed to detect and block fake e-mail messages. It's called DomainKeys Identified Mail, and it promises to give Internet users the best chance so far of stanching the seemingly endless flow of fraudulent junk e-mail.

Yahoo, Cisco Systems, Sendmail and PGP Corporation are behind the push for DomainKeys, which the companies said in a joint statement will provide "businesses with heightened brand protection by providing message authentication, verification and traceability to help determine whether a message is legitimate."

The draft standard that the Internet Engineering Task Force adopted is more promising than most other anti-spam and antiphishing technologies because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants.

The way it works is straightforward: if PayPal sends an e-mail notice to customers about their accounts, the company's outgoing mail server will quietly insert a digital signature into the legitimate message. (Because the signature is embedded in the message headers, it's generally not visible to human readers.)

Let's say the recipient has a Yahoo Mail address. Yahoo's mail servers can automatically check PayPal's Internet domain name listing to verify that the digital signature is valid and the message truly originated at Paypal.com. Signatures by authorized third parties are permitted as well, which is useful for outsourced e-mail.

If the signature doesn't check out, the message is probably spam--or a phishing attack designed to fool someone into divulging details about their PayPal account. While the DomainKeys standard doesn't actually specify that messages with invalid signatures should be flagged as junk, Internet service providers are likely to do just that.

DomainKeys explained

DomainKeys works by embedding a digital signature in the headers of an outgoing e-mail message. If the cryptographically secure signature checks out, the message can be delivered as usual. Otherwise, it can be flagged as spam.

Here's an example of an embedded DomainKeys header:

DKIM-Signature: a=rsa-sha1; q=dns;
    d=example.com;
    i=user@eng.example.com;
    s=jun2005.eng; c=relaxed/simple;
    t=1117574938; x=1118006938;
    h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
      av+yuU4zGeeruD00lszZVoG4ZHRNiYzR
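
How a receiving server reads the header above, as an added example (not code from the article or from any DKIM implementation): it parses the tag list, derives the DNS name under which the signing domain publishes its public key, and runs the checks that are possible before any cryptography. The `selector._domainkey.domain` naming comes from the DKIM specification rather than the article; the function names and the required-tag set are assumptions, and the signature itself is not verified here.

```python
import re

# Constructed input: the article's sample header as it would be folded on the
# wire. Its b= value is the article's truncated sample, not a real signature.
SAMPLE = (
    "DKIM-Signature: a=rsa-sha1; q=dns;\r\n\td=example.com;\r\n"
    "\ti=user@eng.example.com;\r\n\ts=jun2005.eng; c=relaxed/simple;\r\n"
    "\tt=1117574938; x=1118006938;\r\n\th=from:to:subject:date;\r\n"
    "\tb=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb\r\n\t av+yuU4zGeeruD00lszZVoG4ZHRNiYzR\r\n"
)

def parse_dkim_signature(raw):
    """Split a DKIM-Signature header into its tag=value pairs."""
    name, _, value = raw.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        key = key.strip()
        if not item.strip():
            continue                              # trailing ";" is allowed
        if not sep or key in tags:
            raise ValueError("malformed or duplicate tag: %r" % item)
        tags[key] = val.strip()
    if "b" in tags:
        tags["b"] = re.sub(r"\s+", "", tags["b"])  # signature data may be folded
    return tags

def key_record_name(tags):
    """DNS name whose TXT record carries the signer's public key (q=dns)."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def precheck(tags, now):
    """Problems a verifier can detect before any DNS lookup or crypto."""
    # Assumed required set, chosen to fit the article's draft-era sample;
    # the published standard additionally requires v= and bh=.
    problems = ["missing tag " + t for t in ("a", "b", "d", "h", "s") if t not in tags]
    if "x" in tags and now > int(tags["x"]):
        problems.append("signature expired")
    if "from" not in [h.strip().lower() for h in tags.get("h", "").split(":")]:
        problems.append("From header not signed")
    d = tags.get("d", "").lower()
    i_domain = tags.get("i", "@" + d).rpartition("@")[2].lower()
    if i_domain != d and not i_domain.endswith("." + d):
        problems.append("i= domain is outside d=")
    return problems
```

For the article's header, `key_record_name` yields `jun2005.eng._domainkey.example.com`: the public key comes from the signing domain's own DNS zone, not from the message.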

All of these steps represent a belated effort to fix a fundamental problem with Internet e-mail: it was designed in a far more innocent era and came with little built-in security. (A further benefit of fixing e-mail is that, beyond targeting phishing attacks, DomainKeys can also help identify the kind of spoofed e-mail that led Engadget to falsely report last week that Apple's iPhone would be delayed.)

In the long run, DomainKeys is more promising than existing antispam and antiphishing technologies, which rely on techniques like assembling a "blacklist" of known fraudsters or detecting such messages by trying to identify common characteristics.

But spammers have invented increasingly creative counterattacks, such as inserting image advertisements in the text of messages and appending excerpts from news articles and fiction works in an attempt to defeat the popular antispam method of Bayesian filtering. That kind of counterattack is called Bayesian poisoning.

DomainKeys represents a radical shift in the arms race between phishers, in particular, and Internet users: it's effectively a tactical nuclear attack that can't be countered. The digital signatures, which use public key cryptography, are viewed as unforgeable.

But the DomainKeys approach does suffer from one serious, short-term problem: it's only effective if both the sender's and the recipient's mail systems are upgraded to support the standard.

Also, it does not do anything to flag junk e-mail sent by a legitimate company, or identify spam sent from a domain name with a true DomainKeys record. By restricting spammers to a limited set of domain names, however, Yahoo believes "a persistent reputation profile can be established for that sending domain" that can be updated over time and posted publicly.

Other advocates so far include antispam vendors and frequent e-mail senders: AOL, EarthLink, IBM, VeriSign, IronPort Systems, Cox Communications and Trend Micro.

MediaPost puts DomainKeys adoption at 48 percent among large online retailers. But that doesn't include large ones such as Dell, Wal-Mart Stores, Target, Gap, Macy's and Circuit City, even though they would likely benefit from being able to send authenticated e-mail. Yahoo, on the other hand, has used earlier versions of DomainKeys to sign all outgoing e-mail since 2004.

The Internet Engineering Task Force's preliminary approval does make DomainKeys, or DKIM, an official proposed standard. But because it's the only technology that has achieved that status--Microsoft's competing Sender ID idea has not--it has a visible edge.

In a blog posting on Tuesday, Yahoo engineer Mark Delany said: "Everything hinges on wide-spread adoption. Now that DKIM is on Standards Track, the hurdle to global adoption has been greatly reduced, but not cleared. I joked earlier that someone might not have heard of DKIM, but the email industry is so big and diverse that evangelizing, education and encouragement are needed to ensure the success of DKIM."

While the Sender ID program is similar in principle to DomainKeys, its acceptance has been limited because Microsoft initially did not agree to license patents in ways that are compatible with GNU General Public License. For its part, Yahoo has agreed to open up a number of its pending and granted patents for use with DomainKeys.

DomainKeys Identified Mail is a reworked and enhanced version of the DomainKeys concept initially invented by Yahoo. The newer version supports features like greater security and digital signatures by authorized third parties. A list of frequently asked questions describes how to configure an e-mail server to use DomainKeys.

76 comments (Showing first 20 comments)
Not a cure-all by any means
by hollasch May 22, 2007 10:53 PM PDT
This method might tell me that email from bob@aol.com really came from AOL, but it doesn't mean that Bob can't send me spam. Worse, will mail from my domain be automatically ignored because I don't own a big commercial domain? Given that the web is much more than large interconnected corporations, I don't see this affecting much more (hopefully) than phishing attacks. Not bad as far as that goes, I guess.
Ron Jeremy Agrees
by Stating May 22, 2007 11:30 PM PDT
My new best buddy, Ron Jeremy (shhh, did you hear how BIG he was), who emails me at least 5 times a day, agrees that sender authentication is the cure for "performance problems". Wanna buy a Rolex watch cheap?
Microsoft sides with French approach
by njondet May 23, 2007 12:02 AM PDT
It seems that Microsoft has chosen the more traditional "blacklist" approach favoured by the new anti-spam platform sponsored by the French government, known as Signal Spam.
Spam can be gone tomorrow... if....
by webkruzer1 May 23, 2007 12:52 AM PDT
Ya know... this is sooo stupid.
Why screw around with all this spam BS and filters and rules... whatever.
It takes a few minutes and all the e-mail providers can fix this problem tomorrow.
Two words: WHITE LIST.

If you don't know what that is or how it functions do a search and read.
In a nutshell: you have a list of e-mail addresses (white list) where you allow the mail to land in your inbox. All others.... you don't even see.
Nothing to delete, filter and all those BS things people do nowadays.

If none of the spam comes in, obviously there is no money to send it. Spam can be eliminated within a week if everyone is using a white-list.

Yahoo, Google and others could provide a white list function but they don't want to. You have to ask them why. It's just plain stupid.

I started a webmail service with a white-list function, but the software is kinda slow. If you're interested to see how that works, check out the site: www.webmail-usa.com
It's free and no ads or promo.
The answer will never be technology
by w_jackson May 23, 2007 4:42 AM PDT
The answer to spam lies in making the financials unattractive to the spammers.

Today, it costs them effectively nothing to send millions of messages. If the hit rate of someone who buys something is .01%, who cares, they still make money.

If a system were devised that charged $.0001 per email sent and ISPs played along by giving most "retail" users 10000 messages per month and large (legitimate) corporations (who sign up for some kind of authentication like DKIM) unlimited messages then the finances turn upside down and the profit for spamming goes away, or they at least get much more selective in who they send to.


Me, I can't see the arms race stopping since every technology used will have some form of hack that breaks the system (cryptology included, tell the folks from the MPAA that crypto systems are uncrackable). The solution has to lie in the financial equation.


-bill
What About Robots?
by Lawrence Ricci May 23, 2007 5:05 AM PDT
I do not see how this will help stop SPAM from user PCs co-opted by malware trojans. It seems what this does is authenticate email from 'known good' domains - but AOL and Roadrunner are 'known good' domains, are they not?
Domainkeys can be faked
by tomal_bhai May 23, 2007 5:56 AM PDT
I receive tens of junk mails that are flagged as "not forged" in the junk mail folder of my Yahoo mail account.

I don't know whether DomainKeys can be a solution to prevent spam when it is already being used in spam mails.
Spam is payback...
by Kings X Rocks! May 23, 2007 7:00 AM PDT
Spam is payback for "publishing" your email address on some website...who then either sold it or had it harvested.

Use one of the free email addresses whenever you're filling out a form on the web. Then the spam goes to that account, and you don't have to be bothered with it.
Taking this model and making it more universal
by wildchild_plasma_gyro May 23, 2007 7:04 AM PDT
Ok so the world is developing ever more communication standards and technologies so really we need to take this kind of model and really iron it out over the years so that it might fit for all/most of the problems we have from communication.
So far we haven't done that good a job, well at least I get junk mail I find useless rather often and such.
What leaves a bad taste in my mouth...
by thedreaming May 23, 2007 7:32 AM PDT
"Signatures by authorized third parties are permitted as well, which is useful for outsourced e-mail."

Translation: You're still going to get spam but just from the people we do business with.
No Mention of SPF?
by ferricoxide May 23, 2007 7:39 AM PDT
How is DomainKeys the first standards track solution? SPF got on that track a couple of years ago and got a formal RFC published in April 2006 (RFC 4408). DomainKeys didn't get a published RFC until September of last year (RFC 4686).

-tom
Spam is a BEHAVIORAL problem...
by gefitz May 23, 2007 9:06 AM PDT
If you don't GIVE your address out to every tom-dick-and-harry website that asks for it, you will NOT get spam (except on the extremely rare occasion that a spam server happens to do a random-alphabet send to everyone on your mail server...)

Train your users to STOP typing their email address into websites, and let them know that THEY'LL have to deal with the spam if they get it.
There is always a workaround
by C_G_K May 23, 2007 10:08 AM PDT
The spammers will find some way around this I'm sure. That is not to say that it won't have an impact. No security measure is completely foolproof.
So, I take a legitimate message and extract...
by Ngallendou May 23, 2007 10:24 AM PDT
... the digital signature and put it into my fraudulent message...
Meet the mother of all spambots
by ralahinn1 May 23, 2007 12:38 PM PDT
http://www.botmaster.net/more1/
If this thing can find its way around getting shut out of forums, an email version could probably be made too :(
Email rec'd to no To: field?
by NoVista May 23, 2007 6:29 PM PDT
Last week, I had Yet Another of the Nigerian scam messages. OE showed nothing in the To: field and looking at source, I could identify nothing to explain why =I= received it.

I trashed the message, so can't corroborate my statement with evidence. Oh well.

Last time I had a Niger offer, I fwd: that to my ISP and surprise (NOT!) there was no reply.

Meanwhile, only this morning, I received another kneejerk from a known contact -- her msg with 25 addys in the To: field no doubt spawned thousands of panic follow-ons about the dread "Olympic torch" virus threat. *sigh*

Such people never learn, no matter how many times you tell them it takes only seconds to google about suspect threats.
How do receivers get the sender's public key?
by bluemist9999 May 24, 2007 4:50 AM PDT
In order to verify the signature, receivers need to have the sender's public key before they receive any email from that sender.

How will receivers get that? Do they use a trusted third party? I'd imagine they need to---if the public key is in the email, the DKIM method offers no security because any spammer could create a public key and sign the message.
ISPs could be more proactive
by cnetuser234 May 24, 2007 6:38 AM PDT
A lot of spam comes from infected machines. It should actually be no problem for ISPs to spot sudden unusual outgoing email activity, and shut down that connection and inform the person that they need to clean up the machine, and only then let them get back on-line. If ISPs were serious about this, spambots would lose their appeal.
But there are probably enough "disinterested" ISPs out there, that want their money no matter what goes through their cables. However, these would probably be not Major ISPs. If lots of SPAM comes through a particular route, the large ISPs could block that.
Indeed Verizon at one point disrupted email from Europe to the USA by blocking major parts of it - claiming it as SPAM. This is of course ridiculous.
But serious efforts on the part of ISPs to stem Spam at the source would definitively help.
As long as...
by wbenton May 24, 2007 8:00 AM PDT
Yahoo, Cisco Systems, Sendmail and PGP Corporation

As long as these companies ARE behind it and Microsoft is NOT... it's bound to be a winner. (* CHUCKLE *)

Walt
Yahoo uses domain keys?
by morningowl May 24, 2007 8:44 AM PDT
Then why do I still get tons of spam in my yahoo account from other yahoo accounts? As a matter of fact I get spam from alleged yahoo accounts in all of my email accounts. I have accounts with Gmail, Yahoo, Earthlink, Hotmail....The only one that seems to have limited spam is Earthlink....Gmail's filters catch a lot, but on a daily basis I have 30-50 spam messages in my Gmail spam folder...with Earthlink, I rarely get spammed at all.