Slashdot Mirror


Yahoo and Unilateral Anti-Spam Technology?

EatenByAGrue asks: "According to this Business Week article, Yahoo is planning on distributing a toolkit for Sendmail and other mail daemons that adds an encrypted source domain key to email headers to verify where they came from. However, critics are concerned that the scheme will be easily bypassed and that it ignores standards bodies. What does the Slashdot community (representing countless email admins, I'm sure) think of this proposal? On one hand, its a commercial enterprise dictating standard technology, on the other hand, the standards bodies have proven themselves helpless and hopeless when it comes to providing solutions."

6 of 397 comments (clear)

  1. Someone has to step forward by sirket · · Score: 5, Interesting

    I try to be as standards compliant with my mail servers as is humanly possible. Even with numerous spam filters, I get about 10 legitimate email messages a day and 100 spams. Something has got to change.

    Whether it is this technology, or another, something has got to be done. I'll implement this and hope that other admins do the same.

    -sirket

  2. Good move by 110010001000 · · Score: 5, Interesting

    I think this is a good move on Yahoo!'s part. As a developer I think a solution that is available and 50% effective is better than a solution that no one has implemented yet.

    Lets get the implementations out there in the wild and use the feedback to create real solutions!

  3. Better to use IP restrictions by kiwi_mcd · · Score: 4, Interesting

    A far beter approach (which I think I saw on Slashdot but can't remember) is to use an extension which says whether IP addresses are allowed to use a domain.

    This extension was based on DNS and basically allowed the mail server to query whether the IP address of the mailer was allowed to send on behalf of the domain.

    Yes - this would be open to IP spoofing. Perhaps this DNS extension should be combined with the Yahoo method. If Yahoo, Hotmail and a couple of other providers adopted it could have massive effect.

    To intially put live perhaps they could have an authenticated vs non-authenticated flag/filter in their web-mail client.

  4. How about this? by Boyceterous · · Score: 5, Interesting
    Instead of sending the whole email content - and with it the ability to falsify email header information, why not just send the email header only - and require the originating server to hold the email content?

    That way, there's no question where the email came from, and exactly which account sent it. Plus traffic goes way down by not passing the content all over the place.

    In addition millions of copies of the same email would not have to be held on recipient's servers, they would just sit on the originating server until received or until some time limit expired.

    I guess this would prohibit using a (ISP's) email server as a repository, you would have to download everything you wanted to keep, but hey, no more email size limits! - send me the world - if I want it, I'll come and get it!

    Could this help in the spam wars?

  5. Re:All together now! by Grishnakh · · Score: 5, Interesting

    This comment isn't insightful, it's stupid.

    So if spam is a social problem, what about auto theft? Should that also be solved by economics and/or behavior? Do you think that people shouldn't lock their cars or have alarm systems? Or that they should have push-button starters with no key required? If you believe this, you're a fool.

    How about hacking? Should that also be solved by economics and/or behavior? Should remotely-accessible computer systems not be password protected? Instead of having user accounts with passwords to keep hackers out, should we just let anyone log in who wants to, and use other means to punish people who abuse this? How about we connect our military systems to the internet in this way? Again, if you believe this, you're a fool.

    Any time a technological measure can be employed to minimize a social problem, it should be, because relying on society to proactively halt the activities of those who prey on weaknesses in the society is foolhardy because society only acts in a reactionary manner.

  6. Signed Email by Corpus_Callosum · · Score: 5, Interesting

    Nothing new needs to be invented here. What we should all be pushing for is signed email. There are many advantages to signed email, but here are the most relevant:

    (A) Signed email signs not just the message headers, but also the message body. No chance of header substitution.

    (B) Signed email associates signatures with some certificate chain and, presumably, a CRL (Certificate Revocation List). Abuses can lead to certificates being revoked.

    (C) Because of the certificate chain, there is a chain of trust. There is always SOMEONE to sue!

    (D) It is a simple measure to simply throw out any email that is not signed.

    (E) Because of esign legislation, signed emails can be considered legally binding. In other words, lies, misrepresentations, libel, etc... in signed emails provides you with grounds for prosecution in courts of law - as if the signer wrote you the document and signed his name at the bottom (and yes, they can also be used for legally binding contracts and whatnot).

    There is an issue with "Crossing the chasm" with signed email, of course. It would require a body such as AOL and/or Yahoo rising up and providing signature filters on incoming email to force such a solution into the mainstream. But once this is done, SPAM will practically dissappear. And any SPAM that comes in through signed channels can be dealt with in a satisfactory way.

    I do not believe this harms any of us, btw...

    You want privacy? The same techniques that allow you to sign email also allows you to encrypt email to your destination.

    Worried about anonymity? Certificates can be issued that authenticate an email address without full disclosure of the owner of that address (but this may not be satisfactory for stopping abuses). Anonymity and stopping SPAM may, unfortunately, be mutually exclusive goals.... Any thoughts?

    --
    The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator