Promising antispam technique gets nod

Spammers, phishers and other Internet bottom-feeders, be warned.

A key Internet standards body gave preliminary approval on Tuesday to a powerful technology designed to detect and block fake e-mail messages. It's called DomainKeys Identified Mail, and it promises to give Internet users the best chance so far of stanching the seemingly endless flow of fraudulent junk e-mail.

Yahoo, Cisco Systems, Sendmail and PGP Corporation are behind the push for DomainKeys, which the companies said in a joint statement will provide "businesses with heightened brand protection by providing message authentication, verification and traceability to help determine whether a message is legitimate."

The draft standard that the Internet Engineering Task Force adopted is more promising than most other anti-spam and antiphishing technologies because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants.

The way it works is straightforward: if PayPal sends an e-mail notice to customers about their accounts, the company's outgoing mail server will quietly insert a digital signature into the legitimate message. (Because the signature is embedded in the message headers, it's generally not visible to human readers.)

Let's say the recipient has a Yahoo Mail address. Yahoo's mail servers can automatically check PayPal's Internet domain name listing to verify that the digital signature is valid and the message truly originated at Paypal.com. Signatures by authorized third parties are permitted as well, which is useful for outsourced e-mail.

If the signature doesn't check out, the message is probably spam--or a phishing attack designed to try to fool someone into divulging their details about their PayPal account. While the DomainKeys standard doesn't actually specify that messages with invalid signatures should be flagged as junk, Internet service providers are likely to do just that.

DomainKeys explained

DomainKeys works by embedding a digital signature in the headers of an outgoing e-mail message. If the cryptographically secure signature checks out, the message can be delivered as usual. Otherwise, it can be flagged as spam.

Here's an example of an embedded DomainKeys header:

DKIM-Signature a=rsa-sha1; q=dns;
d=example.com;
i=user@eng.example.com;
s=jun2005.eng; c=relaxed/simple;
t=1117574938; x=1118006938;
h=from:to:subject:date;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb
av+yuU4zGeeruD00lszZVoG4ZHRNiYzR

All of these steps represent a belated effort to fix a fundamental problem with Internet e-mail: it was designed in a far more innocent era and came with little built-in security. (An additional benefit of fixing e-mail is that, in addition to targeting phishing attacks, DomainKeys can also help in identifying the kind of spoofed e-mail that led Engadget to falsely report last week that Apple's iPhone would be delayed.)

In the long run, DomainKeys is more promising than existing antispam and antiphishing technologies, which rely on techniques like assembling a "blacklist" of known fraudsters or detecting such messages by trying to identify common characteristics.

But spammers have invented increasingly creative counterattacks, such as inserting image advertisements in the text of messages and appending excerpts from news articles and fiction works in an attempt to defeat the popular antispam method of Bayseian filtering. That kind of counterattack is called Bayesian poisoning.

DomainKeys represents a radical shift in the arms race between phishers, in particular, and Internet users: it's effectively a tactical nuclear attack that can't be countered. The digital signatures, which use public key cryptography, are viewed as unforgeable.

But the DomainKeys approach does suffer from one serious, short-term problem: it's only effective if both the sender and recipient's mail systems are upgraded to support the standard.

Also, it does not do anything to flag junk e-mail sent by a legitimate company, or identify spam sent from a domain name with a true DomainKeys record. By restricting spammers to a limited set of domain names, however, Yahoo believes "a persistent reputation profile can be established for that sending domain" that can be updated over time and posted publicly.

Other advocates so far include antispam vendors and frequent e-mail senders: AOL, EarthLink, IBM, VeriSign, IronPort Systems, Cox Communications and Trend Micro.

MediaPost puts DomainKey adoption at 48 percent among large online retailers. But that doesn't include large ones such as Dell, Wal-Mart Stores, Target, Gap, Macy's and Circuit City, even though they would likely benefit from being able to send authenticated e-mail. Yahoo, on the other hand, has used earlier versions of DomainKeys to sign all outgoing e-mail since 2004.

The Internet Engineering Task Force's preliminary approval does make DomainKeys, or DKIM, an official proposed standard. But because it's the only technology that has achieved that status--Microsoft's competing Sender ID idea has not--it has a visible edge.

In a blog posting on Tuesday, Yahoo engineer Mark Delany said: "Everything hinges on wide-spread adoption. Now that DKIM is on Standards Track, the hurdle to global adoption has been greatly reduced, but not cleared. I joked earlier that someone might not have heard of DKIM, but the email industry is so big and diverse that evangelizing, education and encouragement are needed to ensure the success of DKIM."

While the Sender ID program is similar in principle to DomainKeys, its acceptance has been limited because Microsoft initially did not agree to license patents in ways that are compatible with GNU General Public License. For its part, Yahoo has agreed to open up a number of its pending and granted patents for use with DomainKeys.

DomainKeys Identified Mail is a reworked and enhanced version of the DomainKeys concept initially invented by Yahoo. The newer version supports features like greater security and digital signatures by authorized third parties. A list of frequently asked questions describes how to configure an e-mail server to use DomainKeys.

[hollasch]

Not a cure-all by any means

This method might tell me that email from bob@aol.com really came from AOL, but it doesn't mean that Bob can't send me spam. Worse, will mail from my domain be automatically ignored because I don't own a big commercial domain? Given that the web is much more than large interconnected corporations, I don't see this affecting much more (hopefully) than phishing attacks. Not bad as far as that goes, I guess.

[ferricoxide]

Personal Domans Should Be Fine

<bquote>Worse, will mail from my domain be automatically ignored because I don't own a big commercial domain?</bquote>
Unless it gets to the point that sites only accept mail form DK-enabled sites, you won't have a problem. Even if it comes to that, there are plenty of "How-To's" on the net for setting up DK for your domains (if you're clued enough to be able to run your own mail server, you should be clued enough to figure out how to set up DK).

That said, it should be interesting to see what kind of load key-verification will put on a mail system.

-tom

[Stating]

Ron Jeremy Agrees

My new best buddy, Ron Jeremy (shhh, did you here how BIG he was), who emails me at least 5 times a day, agrees that sender authentication is the cure for "performance problems". Wanna buy a Rolex watch cheap?

[njondet]

Microsoft sides with French approach

It seems that Microsoft has chosen the more traditional "blacklist" approach favoured by the new anti-spam platform sponsored by the French government, known as
Signal Spam

[MSSlayer]

Blacklists are the worst way to go

For the simple reason they can never be complete.

Whitelists are better, even though they have the potential of annoying legit users.

[webkruzer1]

Spam can be gone tomorrow... if....

Ya know... this is sooo stupid.
Why screw around with all this spam BS and filters and rules... whatever.
It takes a few minutes and all the e-mail providers can fix this problem tomorrow.
Two words: WHITE LIST.

If you don't know what that is or how it functions do a search and read.
In a nutshell; you have a list of e-mail addresses(white list) where you allow the mail to land in your inbox. All others.... you don't even see.
Nothing to delete, filter and all those BS things people do nowdays.

If none of the spam comes in, obviously there is no money to send it. Spam can be elliminated within a week if everyone using a white-list.

Yahoo, Google and others could provide a white list function but they don't want to. You have to ask them why. It's just plain stupid.

I started a webmail service with a white-list function, but the software kinda slow. If you're interested to see how that works, check out the site: www.webmail-usa.com
It's free and no ads or promo.

[aemarques]

Hotmail already has a white list function

Check in the anti-spam controls. You can check them so you only receive mail from your contact list - a "white list", really!

[alan_06]

About white list...

>> Yahoo, Google and others could provide a
>> white list function but they don't want to. >> You have to ask them why. It's just plain
stupid.
No they're not stupid. White list works OK for communicating with 'Friends and family'. But what about commercial websites, and 'contact us' emails you find in most of the websites?

By using digitial signature I think they're trying to fix the problem at the root itself, which is good.

[ferricoxide]

You've Got To Be Kidding...

Whitelists assume an out of band method for communicating email addresses prior to first send. Otherwise, initial communications will simply be lost to the ether. Not good. Whitelists simply aren't practical for any but the most casual of mail users. This is particularly true for business email.

-tom

[rcrusoe]

Whitelisting just doesn't work

Using whitelists may be ok for individuals who don't care if their legitimate mail isn't delivered but it doesn't work for businesses.

Over 75% of the mail we receive is one time messages from customers. We certainly don't want them to jump through hoops if they are trying to reach the order desk or customer service.

And the majority of the mail we send out are automated order confirmations or acknowledgments.

Therefore, if a customer is using an ISP or system that requires some kind of response before delivering those messages, then they just won't receive their mail. There is no standard way of responding to a whitelist so we can't automate the process.

[kenzrw]

White lists are too restrictive

My historical society has a site with our email address on it. We want and encourage people to email us to join, send us email messages with news, opinions, etc. If we had a white list with only known addresses, how could we then get all the legitimate email inquiries we'd miss if they never reached out inbox - I don't have these stranger's email addresses to add to a white list so I'd never see those inquires. Do they have to send me a postcard first with their email address on it so I can add it to the white list?

[Neville Bartos]

err

White List is a bad idea. What about that long lost friend who emails you, and you don't have them in your "White List" or address book.

I use GMail, and spam is pretty much non-existent. Maybe 1 in a 200 spam emails will get through. Hotmail on the other hand, is 2nd grade (as are most Microsoft products). I still have an old Hotmail account, and it just fills up with spam constantly.

If spam bothers you, get a GMail account. www.gmail.com

[w_jackson]

The answer will never be technology

The answer to spam lies in making the financials unattractive to the spammers.

Today, it costs them effectively nothing to send millions of messages. If the hit rate of someone who buys something is .01%, who cares, they still make money.

If a system were devised that charged $.0001 per email sent and ISP's played along by giving most "retail" users 10000 messages per month and large (legitimate) corporations (who sign up for some kind of authentication like DKIM) unlimited messages then the finances turn upside down and the profit for spamming goes away, or they at least get much more selective in who they send to.


Me, I can't see the arms race stopping since every technology used will have some form of hack that breaks the system (cryptology included, tell the folks from the MPAA that crypto systems are uncrackable) The solution has to lie in the financial equation.


-bill

[Sentinel]

And who gets the money?

So who will be in charge of collecting all the money income from sent messages? This idea is not new, and it was, if I remember correctly, Bill Gates' proposed solution for spam a few years ago. The reason why this solution isn't widely accepted is because of two reasons:

1. People are used to free email. Not many people are willing to pay for e-mail, even if it is a fraction of a cent. Besides, if email providers were to start charging for email, the price would undoubtedtly increase with time. In time, it would come to be like snail mail, where you might spend $7 for a few stamps.

2. So who does the money go to? Microsoft? Yahoo? Both? The problem with charging for one of the basic internet services is that, the most successful company gets to call the shots. A chance for monopoly exists. Such a monopoly could compromise the open nature of the Internet.

At least that's the way I see it.

[i_am_still_wade]

One problem

Most of the spam sent today is by spambots. Therefore, your solution would punish the innocent (or people foolish enough not to have proper protection). We cannot do that.

[Lawrence Ricci]

What About Robots?

I do not see how this will help stop SPAM from user PC's co-opted by malware trojans. It seems what this does is authenticate email from 'known good' domains- but AOL and Roardrunner are 'known good' domains, are they not?

[ferricoxide]

Depends on The Mail Administrators

Generally, robots either aren't going to relay through an ISPs mail server, or, if they do, they won't have the authentication credentials necessary to do so. As such, even if mails originate from my network address space or purport to be from my domain, if they don't go through my mail servers, they won't have the stamp of validity to prove that they came from "known good domains".

-tom

[tomal_bhai]

Domainkeys can be faked

I receive tens of junk mails that has flagged as "not forged" in my junk mail folder of my yahoo mail account.

I dont know whether domainkeys can be a solution to prevent spams when already they are being used in spam mails.

[zoredache]

domain keys isn't really anti-spam

Domain keys authenticates that a email came from a domain and was not forged.

Once Domainkeys is more widely adopted then people will be able to easily build blacklists or white lists that cannot be bypassed since forged email will be a lot more difficult.

We are still in phase 1, trying to get a larger percentage of the Internet to use Domainkeys so the system can become useful.

Right now you can only use it to be certain that a message is forged.

[Kings X Rocks!]

Spam is payback...

Spam is payback for "publishing" your email address on some website...who then either sold it or had it harvested.

Use one of the free email addresses whenever you're filling out a form on the web. Then the spam goes to that account, and you don't have to be bothered with it.

[Renegade Knight]

Nice Theory

However I've had less spam on my "Fake" email account that I use for exactly the purpose you mention and more on my personal, "Friends and family email" that I only use for that purpose.

Plus I've created a couple of email accounts that never were used but which filled up with spam.

You may make your email address more likely to be spammed but it appears that there is more to it than just that.

[ferricoxide]

That's Rather Thoughtful

That shows the kind of neanderthal thought processes that a rapist that defends himself with, "she was askin' for it, dressed like that," would use.

-tom

[gigogogogown]

Addresses are harvested for spam

It's not just on websites where email addresses are harvested.
There are plenty of infected Windows PCs running malware that
harvests email addresses from address books, mail files, etc. and
spreads them around. All you have to do is have your email address
in such a person's address book, or merely have a message in their
mailbox file for it to be harvested for spam.

[jpsabo]

Not always

Harvesting email addresses from hacked computers has to be as significant a factor as scraping web pages.

[MSSlayer]

Exactly

I can count on my fingers the pieces of spam I got this year.

I use a Hotmail account to use to sign up for almost everything. I figure MS deserves to hold my spam.

[wildchild_plasma_gyro]

Taing this model and making it more universal

Ok so the world is developing ever more communication standards and technologies so really we need to take this kind of model any realy iron it out over the years so that it might fit for all/most of the problems we have from communication.
So far we havent done that good a job well atleast i get junk mail i find usless reather often and such.

[w_jackson]

back to finances

The thing about junk mail is that you don't get the kinds of things you get in spam.

It's much more narrowly targeted to someone that at least has a possible interest in the category. I don't give a rats a** about fake rolexes (nor real ones either, but that's another story) and would never buy one. No bulk mailing (of paper) would ever target me for such stuff, it costs too much.

BTW, junk mail does to some extent subsidize the cost of other first class mail. It's delivered pre-sorted to the PO which costs considerably less than the regular mail. So to some extend, junkmail is GOOD for the people who use other fist class mail services. Whereas spam is just bad for everyone.

Again, no technology solution will ever work (in my mind). The only way to win is to wage a financial war.

[thedreaming]

What leaves a bad taste in my mouth...

"Signatures by authorized third parties are permitted as well, which is useful for outsourced e-mail."

Traslation: You're still going to get spam but just from the people we do business with.

[ferricoxide]

No Mention of SPF?

How is DomainKeys the first standards track solution? SPF got on that track a couple of years ago and got a formal RFC published in April 2006 (RFC 4408). DomainKeys didn't get a published RFC until September of last year (RFC 4686).

-tom

[zoredache]

SPF (AKA Sender ID) was mentioned.

...Microsoft's competing Sender ID idea has not--it has a visible edge...

It was submitted as an RFC, but it hasn't been approved even in a preliminary fashion.

[gefitz]

Spam is a BEHAVIORAL problem...

If you don't GIVE your address out to every tom-dick-and-harry website that asks for it, you will NOT get spam (except on the extremely rare occasion that a spam server happens to do a random-alphabet send to everyone on your mail server...)

Train your users to STOP typing their email address into websites, and let them know that THEY'LL have to deal with the spam if they get it.

[ddesy]

Not quite so....

In many cases, people who never give out their addresses to websites get spam. It isn't rare at all. If you have an e-mail address on a popular domain name, rest assured you will get spam.

[LuvThatCO2]

Um, No.

I'm sorry, but you have no clue what you're talking about. A lot of spam is generated by infected machines. If one of your friends/coworkers/aquaintances is infected and you send them an email, you will end up on a spam list. The spammer's robot programs will sift through the infected computer's files looking for email addresses. I have quite a few email addresses in use that are not public knowlege - they're used for data exchange. And they get spam frequently because of this.

Also, spammers try all combinations of email addresses hoping to get real ones. Why not - email is basically free to send. Especially when you're sending it from a compromised machine. Several times now I've created email addresses and had spam in them before I ever gave the address out.

While its not wise by any means to give out your email to anyone who asks, its certainly not the only way for the email address to get out. And once it gets out, it's out for good!

[C_G_K]

There is always a workaround

The spammers will find some way around this I'm sure. That is not to say that it won't have an impact. No security measure is completely foolproof.

[Ngallendou]

So, I take a legitimate message and extract...

... the digital signature and put it into my fraudulent message...

[PJB0222]

Read the standard

The signature includes a message hash. You cannot harvest a signature and re-use.

[ralahinn1]

Meet the mother of all spambots

http://www.botmaster.net/more1/
if this thing can find it's way around getting shut out of forums, an email version could probly be made too:(

[NoVista]

Email rec'd to no To: field?

Last week, I had Yet Another of the Nigerian scam messages. OE showed nothing in the To: file and looking at source, I could identify nothing to explain why =I= received it.

I trashed the message, so can't corroborate my statement with evidence. Oh well.

Last time I had a Niger offer, I fwd: that to my ISP and surprise (NOT!) there was no reply.

Meanwhile, only this morning, I received another kneejerk from a known contact -- her msg with 25 addys in the To: field no doubt spawned thousands of panic follow-ons about the dread "Olympic torch" virus threat. *sigh*

Such people never learn, no matter how many times you tell them it takes only seconds to google about suspect threats.

[good_nicks_taken]

Nigerian scams

Niger is not Nigeria. Why should your ISP reply to you sending them a copy of spam you received? Most likely they're too busy dealing the spam being sent by your fellow infected user's PC's than to have time to hold your hand and tell you how awful it is that you received a piece of 419 spam. Did they promise to block all spam from ever reaching you? Had you saved the message for examination, I'm sure your address would appear somewhere in one of the received headers. Send your friends to www.breakthechain.org and www.snopes.com

[ben332211]

Envelope-To

There are other headers such as "BCC:" and "Envelope-To:" that act in the same way at the to field from your end, so if you were viewing the full headers, and not just the shortened ones often shown in mail clients, then it would have been there somewhere, althoguth i tmight have been hard to spot.

The nature of email and the internet means that spam and other threads will always be there in some form.. we can only aim to reduce it's impact on our day to day lives. :)

[bluemist9999]

How do receivers get the sender's public key?

In order to verify the signature, receivers need to have the sender's public key before they receive any email from that sender.

How will receivers get that? Do they use a trusted third party? I'd imagine they need to---if the public key is in the email, the DKIM method offers no security because any spammer could create a public key and sign the message.

[zoredache]

RE: How do receivers get public key?

The public key is retrieved via DNS from the zone that matches the senders domain.

The assumption is that a spammer looking to forge the from would not be able to change the DNS record for a domain.

[cnetuser234]

ISPs could be more proactive

A lot of spam comes from infected machines.
It should actually be no problem for ISPs to spot
sudden unusual outgoing email activity, and shut down
that connection and inform the person that they need to clean
up the machine, and only then let them get back on-line.
If ISPs were serious about this, spambots would loose their
appeal.
But there are probably enough "disinterested" ISPs out there,
that want their money no matter what goes through their cables.
However, these would probably be not Major ISPs. If
lots of SPAM comes through a particular route, the
large ISPs could block that.
Indeed Verizon at one point disrupted email from Europe
to the USA by blocking major parts of it - claiming it
as SPAM. This is of course ridiculous.
But serious efforts on the part of ISPs to stem Spam
at the source would definitively help.

[good_nicks_taken]

ISPs should be more proactive

If the ISP's simply blocked users from connecting to any port 25 outside of their own network a lot of spam would be forced to other channels. ISP's like Comcast, Charter, Road Runner refuse to block that because they don't want to deal with the small number of users who need to have the block listed to connect to their own outside SMTP.

[wbenton]

As long as...

Yahoo, Cisco Systems, Sendmail and PGP Corporation

As long as these companies ARE behind it and Microsoft is NOT... it's bound to be a winner. (* CHUCKLE *)

Walt

[zoredache]

RE: As long as...

}} As long as these companies ARE behind it and Microsoft is NOT.

I disagree. Until there is a native implementation in Microsoft Exchange that can be enabled in a few clicks we Domain Keys won't go too far.

Too many enterprise live and die by their exchange servers.

[morningowl]

Yahoo has uses domain keys?

Then why do I still get tons of spam in my yahoo account from other yahoo accounts? As a matter of fact I get spam from alleged yahoo accounts in all of my email accounts. I have accounts with Gmail, Yahoo, Earthlink, Hotmail....The only one that seems to have limited spam is Earthlink....Gmail's filters catch a lot, but on a daily basis I have 30-50 spam messages in my Gmail spam folder...with Earthlink, I rarely get spammed at all.