Slashdot Mirror


Yahoo and Unilateral Anti-Spam Technology?

EatenByAGrue asks: "According to this Business Week article, Yahoo is planning on distributing a toolkit for Sendmail and other mail daemons that adds an encrypted source domain key to email headers to verify where they came from. However, critics are concerned that the scheme will be easily bypassed and that it ignores standards bodies. What does the Slashdot community (representing countless email admins, I'm sure) think of this proposal? On one hand, it's a commercial enterprise dictating standard technology; on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."

12 of 397 comments

  1. police will be happy by rekrutacja · Score: 5, Insightful

    An easy email tracking system will be gladly welcomed by police and other agencies...

    --
    This Is Not a Sig
  2. Standards by rm+-rf+$HOME · Score: 5, Insightful

    As much as we don't like to admit that this is the case, companies making unilateral decisions and moving forward with them is often how standards are made.

    Web folk always moan about MSIE's poor standards compliance, for instance, but forget that CSS/Text came from them -- Netscape was pushing CSS/JavaScript at the time. Now, one of those is a standard, and the other is dead.

    Ultimately, either people will like Yahoo's idea and adopt it and it will eventually become a new standard, or it will be ignored by everyone else and forgotten. Only time will tell.

  3. It's not a matter of A or B by Genghis9 · Score: 5, Insightful

    The extra key could be used by anybody who wants to, and ignored by the rest. And their implementation is open-source, so it doesn't look like a way of making an end-run past other ISPs. And since many spam messages come from fake Yahoo email IDs, this would be a great way to immediately filter out those ones: if it says Yahoo but doesn't carry a key --> SPAM bin.

    I like the idea of a major player getting on with it and DOING something.

    Would we rather have MS dictating an anti-spam standard? You can be sure such a beast would be a lot less benign than Yahoo's proposal.

  4. It's bad if you have a different by eclectro · Score: 5, Insightful

    "From" address from what your SMTP server is, in which case I don't see how it could work for you.

    This may put a lot of travellers out in the cold.

    A solution is badly needed, but it has to work for everybody.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  5. When de jure standards fail... by eyegone · Score: 4, Insightful

    ...de facto standards emerge. One need look no further than POSIX/SUS and GNU/Linux for an example.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  6. Total overkill by tonyray · Score: 5, Insightful

    It would be much simpler to add a record type to DNS servers to identify **outgoing** mail servers. Email proxies, where 60% of all spam comes from, would be immediately eliminated. Spammers with fixed servers and addresses are easily taken care of by the RBLs. Why introduce something that is more complicated and less reliable?

  7. Re:All together now! by MrRTFM · Score: 5, Insightful

    Yes, but we will never have a social solution when all it takes is 0.000002% of the world's population to be spammers.

    There's always going to be pricks who will do anything for a buck.

    --
    You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
  8. Re:Yahoo are spam nazis by the+eric+conspiracy · Score: 4, Insightful

    If this new system lets them drop their damn overbearing blacklists, I'm all for it.

    And people want to sue blackhole sites like MAPS out of business. THAT would mean every little mom and pop would maintain their OWN blacklist. Good luck getting off 69,105 blacklists. Your IP and domain would become useless.

    I don't know how good the Yahoo system will be, but all the more power to them. At least they are trying.

  9. This is kind of sad.. by msimm · Score: 4, Insightful

    Especially considering how promising the OSS model is, why can't we create a solution? We talk about the complexity of the problem, the importance of not breaking standards, etc. Who FUCKING cares if I can't check my email because it's totally FUCKING BURIED in unsolicited junk...

    I don't mean to come off as the thundering asshole, but this situation has grown so slowly it's like watching a car crash spread out over the past 15 YEARS.

    Please, experiment. Break things. I don't give a shit, but don't let us sit here moaning like helpless children while spammers sit back (laugh) and rake in MILLIONS.

    Get fucking aggressive.

    And if I hear one more idiot talk about how you have to cut spammers off by not buying their products I'm going to cut him off at the knees! If that would work you and Noah could be shooting dice right now and we'd have a hell of a lot less to worry about.

    Programmers still know how to experiment, right?

    --
    Quack, quack.
  10. Re:Signed Email by cheezit · Score: 4, Insightful

    Most of your reasons are in fact why signed email WON'T work.
    B. CRLs don't scale. Period. There's a reason why PKIs hardly ever get past 100K users.
    C. Someone to sue...only in the US is that an attractive feature.
    D. Sure, but most users are unlikely to get savvy enough to understand the distinction. The proposed scheme takes that decision out of the user's hand.
    E. Sure, for that .001% of transactions where conventional forms of contract aren't good enough. Most people wouldn't sign a binding contract without legal advice, at which point they have access to a notary, etc., and the signature feature on email has no value.

    My take is that this is a problem that is hard enough to address even partially -- adding the burden of a massive worldwide PKI deployment would make it impossible. Verisign or Thawte would love it.

    --
    Premature optimization is the root of all evil
  11. Yahoo might be doing us a big favor by 0x0d0a · Score: 4, Insightful

    I don't believe this is proprietary. Yahoo is releasing a patch for Sendmail. AFAI can tell, while they're funding the dev work (because the spam rate is killing them), they aren't trying to milk this for more money.

    One major problem with standards groups is that people like Verisign are on most security standards groups. Verisign has extremely strong motivations to ensure that email uses a Web-like interface, where one purchases an (expiring) Verisign cert for each email server one runs. They have strong incentive to block competing solutions. If you want to come out with a good system that prevents existing folks from milking a market, both industry consortiums and standards groups are pretty much useless. You need to do what happened with PNG -- have a bunch of talented, aggravated engineers sit down, write up a technically good spec, and put out reference code. Later on, let standards committees follow what's in place.

    I can't figure out why replay attacks are an issue. I, personally, would suggest, off the cuff, including any To: or CC: lines in the message body (just for signing purposes, not actually sending either header in the body). This way, a replay attack would only allow resending the same email to the same destination from the same source. It's also pretty easy to include a timestamp, if folks are *really* concerned about replays.

    Yahoo is pretty much doing what ESR and RMS have been hoping for for years -- contributing to open source systems because there's an itch that needs scratching.

    Paul Vixie (disclaimer -- I don't move in his circles, and what I know about him is entirely secondhand) seems to be involved a great deal in politics, rather than technology. He leaves a bit of the same bitter tang in the mouth that Verisign does. He is, apparently, the source of at least some of the IETF objections. Vixie has also made a number of antispam statements that I tend to disagree with, including advocating mass blocking of mail servers on home email connections by netblock.
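As an added example, not code from the article or from Yahoo's toolkit: a minimal per-domain signing and verification in Python that applies two of the ideas raised above, comment 3's rule (a message claiming a signing domain but carrying no key goes to the spam bin) and comment 11's replay defence (sign over the To/Cc headers and a timestamp, so a captured message cannot be re-sent to other recipients or long after the fact). The header name, the HMAC secret standing in for the DNS-published key, and the one-week window are assumptions.

```python
import hmac, hashlib
from email.utils import parsedate_to_datetime

# Constructed stand-in for the per-domain key a receiver would fetch from DNS. The
# real scheme publishes a public key and signs with the private half; HMAC keeps this offline.
DOMAIN_KEYS = {"example.com": b"constructed-example.com-signing-secret"}
SIGNED_HEADERS = ("From", "To", "Cc", "Date")  # To/Cc/Date bind the signature
SIG_HEADER = "X-Domain-Signature"               # hypothetical header name
MAX_AGE_SECONDS = 7 * 24 * 3600                 # assumed replay window

def canonical_form(headers, body):
    """Bytes the signature covers. To/Cc are included so a captured message
    cannot be replayed to other recipients, Date so it cannot be replayed later."""
    lines = [f"{h.lower()}:{headers.get(h, '').strip()}" for h in SIGNED_HEADERS]
    return ("\n".join(lines) + "\n\n" + body.strip()).encode()

def sign(headers, body, key):
    return hmac.new(key, canonical_form(headers, body), hashlib.sha256).hexdigest()

def sender_domain(headers):
    addr = headers["From"].strip()
    if addr.endswith(">"):                      # "Alice <alice@example.com>"
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()

def verify(headers, body, now):
    """Classify a message as 'ok' or say why the receiver should distrust it."""
    key = DOMAIN_KEYS.get(sender_domain(headers))
    if key is None:
        return "unsigned-domain"    # no published key: other filters decide
    sig = headers.get(SIG_HEADER)
    if sig is None:
        return "missing-signature"  # claims a signing domain but carries no key
    if not hmac.compare_digest(sig, sign(headers, body, key)):
        return "bad-signature"      # altered, or replayed to different recipients
    sent = parsedate_to_datetime(headers["Date"]).timestamp()
    if not (now - MAX_AGE_SECONDS <= sent <= now + 3600):
        return "stale"              # same message replayed outside its window
    return "ok"

def sign_outgoing(headers, body):
    """What the sending domain's mail server does before handing the mail off."""
    signed = dict(headers)
    signed[SIG_HEADER] = sign(headers, body, DOMAIN_KEYS[sender_domain(headers)])
    return signed

# Constructed sample message and receiver clock.
SAMPLE = {"From": "alice@example.com", "To": "bob@example.net", "Cc": "",
          "Date": "Mon, 08 Dec 2003 10:00:00 +0000"}
SAMPLE_BODY = "Hello Bob, here is the report."
SAMPLE_NOW = parsedate_to_datetime("Mon, 08 Dec 2003 12:00:00 +0000").timestamp()
```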

  12. Missing the big picture by dnoyeb · Score: 5, Insightful

    First let me say I agree with your premise. I have never received an anonymous delivery, email or otherwise, that I desired.
    But let me show the fallacy of Yahoo's actions.

    Yahoo's step 1 is to reject forged headers. Forged headers were just made illegal by the Bush administration IIRC. I completely approve.
    Yahoo's step 2 is to force a signature on every email by the server. Interestingly, step 2 removes the need for step 1 and makes you wonder if step 2 is their real desire. Note that a solid step 1 also removes the need for step 2, given that open relays are shut down.

    This is where I disapprove.

    This proposes the same problem as DRM. Who controls which signatures are accepted? Once again we are right back with Verisign, et al. So unless your server has a PURCHASED KEY from Verisign, or the like, your server won't be sending email to Yahoo or any of the ISPs that adopt this.

    I promise they won't be suggesting PGP either. And so the spiral begins. Yahoo sells the rights to the certificates it will accept on a yearly basis. Verisign sub-sells this right in the form of the infamous certificate chain.

    So what if the code is free, the certificates are not!