Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail Begins Signing Email with DomainKeys

Posted by timothy on from the early-adopter dept.

NW writes "According to a post at IETF's MAIL-SIG list, Google has begun to sign outgoing email from Gmail with Yahoo's DomainKeys signatures. This is the first large provider of email that is actually doing so (not even Yahoo has started that yet)."

17 of 416 comments (clear)

  1. Continue the trend by synthparadox · · Score: 5, Insightful

    Google has almost everything now, why don't they make their own Anti-Spam domainkey type service?

    1. Re:Continue the trend by Russ+Nelson · · Score: 5, Insightful

      They want some hope of interoperability with other MTAs.
      -russ

      --
      Don't piss off The Angry Economist
    2. Re:Continue the trend by Hanzie · · Score: 5, Insightful
      ...why don't they make their own Anti-Spam domainkey type service

      In order for this to be the most useful, the solution needs to be usable by everybody. Yahoo has come up with a workable system, and has licensed it to everybody for free use (I await the EFF's opinion on the terms of use, but it looks pretty good to me.)

      Google has seen Yahoo's solution and deemed it 'good'. They'll use it, and traction will thus be gained. According to the article, sendmail is working on an implementation of it, for which I rejoice.

      The biggest hurdle to using this is to actually get others using it. Google has decided to throw their weight behind Yahoo's implementation. Fortunately, they've beaten the proprietary versions. I can't imagine anyone now going with a pay to use version, when this is available.

      You can also build in as much security as you want, since RSA keylength is decidable by the domain, rather than fixed.

      Hooray!

      Hanzie
      --
      ********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
    3. Re:Continue the trend by Russ+Nelson · · Score: 4, Insightful

      Not true. Ebay could sign ALL email coming from Paypal and Ebay. If you got unsigned email .... it's definitely a phish. It's easy to verify the signature.
      -russ

      --
      Don't piss off The Angry Economist
    4. Re:Continue the trend by user+no.+590291 · · Score: 5, Insightful
      But until pretty much the whole world's using DomainKeys, unsigned emails can't be dropped. How would emails send from ebay.com that contain no signature be handled? I've only skimmed the IETF draft, but unless all messages without signatures incur a key lookup (to see if it should be signed, then unsigned messages from ebay.com and paypal.com would get through.

      An important hole in the phishing protection is that there will quickly be domains like ebaysecurity.com, paypalinfo.org, or paypalfraudunit.com ad nauseam, the possible iterations over which can't all be preemptively registered, which could have perfectly valid DomainKeys signatures because the phishers would control the domains.

    5. Re:Continue the trend by tomhudson · · Score: 5, Insightful
      There are lots of reasons not to develop their own:
      1. The terms to license DomainKeys are very liberal
      2. Google doesn't suffer from the NIH (Not Invented Here) syndrome, and wants to show itself as being an open company
      3. This will help the tech reach the "critical mass" much sooner
      4. gmail users tend to be "early adopters", so why not offer it to those "early adopters", and signal a trend :-)
      5. Google wants to be seen as working against spammers - can you blame them?
      6. Google has other fish to fry (ie: Microsoft search), so why not adopt tech that can compete successfully with Microsoft's proposed solution, and that is already available to everyone?
    6. Re:Continue the trend by ergo98 · · Score: 5, Insightful

      But until pretty much the whole world's using DomainKeys, unsigned emails can't be dropped.

      -Your receive a message
      -You check the DNS for the key
      -It has one, but the message isn't signed. Drop the message.

      Receivers that don't check the key of course won't realize they're getting fraudulent mail, but those that do will with absolutely certainty - if Google publishes that they sign their emails, then you can be absolutely certain that unsigned emails are fakes and dump them. If the sending domain doesn't have a key then you obviously can't take advantage of this.

      An important hole in the phishing protection is that there will quickly be domains like...

      Excellent point that is very true. While this is another tool for the clueful, the clueless will happily believe derivatives, and as you mentioned they will be fully "authenticated". paypa1.com anyone?

  2. Re:Wait a minute... by Maestro4k · · Score: 5, Insightful
    • Don't get me wrong, I'm not one of them Google bashers (I don't believe the Google Desktop is spywer, for example), but in this case I would like to have an opt-out option!
    Since Gmail's a free service, I believe your opt-out mechanism is to use something else. Given this is largely an anti-spam technique (to prove an E-mail is legitimately from the domain it says it is) I can't see Google being willing to provide an opt-out on this, it would undermine the whole effort.
  3. Re:What!? by mccrew · · Score: 4, Insightful
    No, Mr. Funny Guy, it means that the mail really did originate by the user BUYYYY_CH33P_M3DZ@gmail.com and did not contain a faked From: header. But I suspect you knew that.

    All of these spam identification methods merely provide reliable authentication of the sender's domain. The rest is up to you. You still have the responsibility to maintain spam filters.

    Having reliable identification is a first step. A very important first step.

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  4. Re:why by Russ+Nelson · · Score: 4, Insightful

    Every email needs to come with some token of authenticity, be it a source IP address ala SPF, or cryptographic signature ala DomainKeys, or a low SpamAssassin score, or no listing in any of a number of DNSBLs. The days when you could send anybody an email from anywhere and expect them to receive and read it are long gone.
    -russ

    --
    Don't piss off The Angry Economist
  5. Re:Header Example by ornil · · Score: 4, Insightful

    And my spam filters would have killed that message dead. Too much non-human-readable text.

    Your spam filter cares about the non-readable text in the header?

  6. What about... by ottergoose · · Score: 5, Insightful

    What about all of those zombie machines out there that send spam via Outlook - since that email is going out with a valid account, it would be flagged as legit.

    Tell me where I'm wrong.

  7. Another Grand Unified Spam Solution(TM) by martin-boundary · · Score: 4, Insightful
    This type of spam solution just misses the state of the current end to end mail system. Why Google would want to push such an incomplete, half ready cryptography solution is beyond me.

    The Google engineers aren't stupid, they know that mail messages are routinely modified in transit, both the headers, which can be wrapped, rearranged, removed or added, and the MIME bodies, which can be decoded, reencoded, and even modified.

    As engineers, they also know that cryptographic signatures are designed to detect message tampering.

    Combine these two ideas and you get a system which will flag routine message modifications as forgeries, making the DomainKeys signature completely useless in practice. And yes, I've read the rfc draft, and found it wanting.

    It *would* work if there was a standard set of well defined transformations performed on emails from the sender's MUA to the recipient's MUA. So if one Gmail user sends to another Gmail user, it'll be ok, because the message won't leave Google's servers.

    But Google has no control over other people's systems. When I download mail by POP3 from my ISP, they've added SpamAssassin headers, which will simply destroy the DK cryptographic signature. When I get mail at work, they remove ZIP attachments, which destroys the DK signature. When mail passes through an older gateway, some MIME attachments can be decoded and reencoded, destroying the DK signature.

    I could go on but you see the point. Once I get the mail in my mailreader, the DK header is useless junk, and it might as well have been forged, for all the good it does. In fact, if my trust in Google is so high that I'm willing to accept the DK header even though it fails, just because Google are the only ones using it so far, I guarantee that the spammers will pick up on that real fast.

    DK is a draft, and is far from ready yet. It should be allowed to mature. Google shouldn't be deploying incomplete solutions. Unless... could this the beginning of the PHB era at Google? If so, I'm disappointed.

  8. Google also tried using Bonded Spammer for a while by Animats · · Score: 4, Insightful
    I got an e-mail from Google once that came from a Bonded Spammer (er, Sender) IP address. Unfortunately, it was a misdirected mail bounce, which is a violation of the Bonded Sender TOS. A note to Bonded Sender and Google made them stop that.

    If you sign up with one of these "trusted sender" schemes, be very careful that there's no way mail bounces, virus-generated mail, or mail via open proxies can become "trusted". Your ID will be on the mail, and you'll be blamed. Spammers are going to be targeting those sites, since they provide a bypass around some spam filters.

  9. Header Length? by __aafkqj3628 · · Score: 4, Insightful

    Is it just me, or is the length of email headers these days starting to eclipse the length of the body?

  10. Re:Patents and hypocrisy by gsasha · · Score: 4, Insightful

    The miniscule and unimportant fact that they Yahoo have thrown in an open license for it. And that everybody (including FOSS) can implement it at will.

  11. Re:This will work - differential filtering by thesp · · Score: 4, Insightful

    The problem here is that most people won't change their email provider simply for the hassle of keeping contacts up to date. People who hate hotmail's service, yet know that it would be near-impossible to ensure that everyone who may need to email them has any updated email address details. (the problem is not the same as number portability between phone networks due to the difference in routability and the 'brand recognition' part of email. For this to work, therefore, we need to divorce an email recieving account from a sending account - and very few services exist to be able to hire a secured smtp account exclusively for the purpose of sending from a 'trusted' domain.