Yahoo Proposes Anti-Spam Standard For Internet

When it comes to proposed technical solutions to spam, I'm a pessimist in general and confirmed skeptic at heart. Such proposals, in their attempts to make spamming impossible, invariably force everyone to change all their mailing software, dooming any practical prospects of the plan.

However, "invariably" could be too strong a word. For example, Yahoo, which claims to be the largest mail provider in the U.S., recently proposed a domain-level authentication system to combat spam. What's interesting here is its conscious attempt not to overreach. The company is still being circumspect in releasing details of its "Domain Keys" system publicly because the proposal is still being formulated, but officials did share the substance of the plan.

What would SMTP authentication accomplish? It wouldn't, in and of itself, prevent someone from spamming. What it would do is allow spammers to be identified and effectively blacklisted.

Authentication systems usually involve digital certificates, perhaps even for each user. For e-mail the sender might sign each message with his or her private key, and after looking up the sender's public key in some publicly-available system, usually a certificate authority, the recipient could confirm that the message was in fact signed by the person claiming to be the sender.

Yahoo's Domain Keys proposal has two interesting innovations that make it different and intriguing: First, authentication is only performed on a domain level, not the user level.

For example, in a world running the Domain Keys system if you get a message from [email protected], you could confirm that it really did come from hotmail.com. That's well and good in the case of Hotmail, since it's safe to assume that Hotmail has enough internal authentication that the sending user really was wacka-wacka.

But what about a message from [email protected]? You may be able to confirm that it really came from fraunkensteen.com, but did it really come from igor? This actually could be an issue if mail.fraunkensteen.com isn't very picky about who it accepts SMTP connections from. Some have suggested that spammers could simply move to a series of new, cheap throwaway domains as old ones become blacklisted. This is a reasonable concern, but I'm not sure how serious it is.

The other interesting innovation with Yahoo's plan is that no fancy and expensive certificate authorities are involved. Instead, the domain's public key is stored in DNS, where everyone can get at it fairly easily to check signatures.

Domain Keys would also present a problem to users (like me) who use a From: address with a domain different that the one for the SMTP server sending the message. Because the From: address is the most obvious spot to check for domain authentication, it's the one used by Domain Keys (at least in the initial proposal) for recipients to check.

Certainly, I agree that if you have to pick one address to check, From: is the only one to pick. Still, many users have From: addresses with a different domain than their SMTP server. Domain Keys would cause problems, at least in the short term, for folks that travels and for users in Internet cafes. No doubt it would burden administrators who will have to make sure that client systems are using the right SMTP server to correspond to their From: address, something that doesn't matter now.