Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo! Develops Anti-Spam Architecture

Posted by CowboyNeal on from the webs-of-trust dept.

prostoalex writes "Yahoo!, the owner of one of the largest e-mail systems in the world, is said to be developing a cryptographic product that will be offered freely to mail servers. 'Domain Keys,' according to the Reuters article, would require the message sender to authenticate in order for message to come across a trusted e-mail network. The idea has been around for ages, however, it required someone from the big league like Yahoo! to step in." While Yahoo! isn't the first name that comes to mind when I think of trusted email, it's still a step in the right direction.

5 of 283 comments (clear)

  1. Not necessarily by meldroc · · Score: 4, Interesting
    If they use decent encryption, cracking this scheme will be nearly impossible. If they use a digital signature algorithm such as DSA or MD5, or public key algorithms such as RSA, the computational power required to crack these keys will be far beyond the means of the richest spammers.

    Personally, I'd like to see two things.

    1. The software Yahoo! is developing should be open-source, so nobody can monopolize it. At the very minimum, the protocols involved should be well documented so open-sourcers can make their own implementations if they have to.

    2. Give this software a few months to propogate to a good chunk of the ISPs out there. Then, Yahoo! should announce that they will NOT accept any email that is not signed with this software. I'll guarantee that everyone will be using this new protocol in a matter of weeks, since no ISP wants customers screaming because they can't get mail through to Yahoo! accounts.

    --

    Meldroc, Waster of Electrons
  2. Broken already? by CaptainSuperBoy · · Score: 4, Interesting

    One guy's take on why it won't work

  3. identity based antispam is censorship tool by esj+at+harvee · · Score: 4, Interesting

    a thing to remember is that if someone can prevent a spammer from communicating based on identity (or lack thereof), you can be silenced as well.

    This is why I have put my efforts into sender-pay systems and specifically the camram project. We invite you to please come and join us in the effort to build a decentralized, user-friendly, freedom-of-speech supporting antispam system and hit spammers in the pocketbook.

    camram antique documentation (too busy writing code to write new documentation)

  4. Re:Not sure if I understand it right by RevMike · · Score: 4, Interesting

    How do they propose to keep the encrypted private key secure? I did RTFA but couldn't find any explanation of how the encrypted version of the private key could not be spoofed since it is part of the message header.

    If the spammer...or anyone for that matter is spoofing a header anyway, it shouldn't be difficult to find out the encrypted private key, since it is sent out with every message originating from the domain.

    I could, presumably send an email from my secure email address to a non-existent email address of the domain whose encrypted private key I wish to find out: eg bounce@email.com. The bounced message should have it in the header.

    The authentication token would likely be some sort of hash of the message contents. In that way, a token is only valid for that particular message. The sender would generate a checksum of the message, encrypt it with a private key, then transmit the encrypted checksum as the token. The receiver would generate the same hash of the message contents, and decrypt the token with the public key. If the decrypted checksum equals the generated checksum, then one can be confident that the message came from the server it said it came from.

  5. Yahoo beats eariler proposals? I hope not. by kerubi · · Score: 4, Interesting

    Would you rather choose a Yahoo product over an open standard that is under development? I'm speaking of AMTP, of course. (See AMTP author's site).

    Yahoo's size doesn't give that much weight to their proposal. Yahoo's email is not used in business to business communication (do not count hot dog stands as businesses), so businesses can just aswell block everything that originates from *@yahoo.com if it is not directed to their consumer service department.

    Also, reverse mx records provide much of the same benefits with minimal alterations needed to current email infrastructure. One DNS record added and small change in MTA software.

    If Yahoo would really like to do a service to the internet community, they should rather consider looking AMTP and reverse mx records.

    --
    I joined two users too late.