Slashdot Mirror
Yahoo! Mail Now Using Domain Keys To Fight Spam
scubacuda points out this CNET story, writing "In addition to beefing up its storage (100MB -> 250MB), Yahoo! Mail has implemented Domain Keys to find spam. The idea is simple: give email providers a way to verify the domain and integrity of the messages sent. Sendmail, Inc. has released an open source implementation of the Yahoo! DomainKeys specification for testing on the Internet and is actively seeking participants and feedback for its Pilot Program. Yahoo! has submitted the DomainKeys framework as an Internet Draft, titled 'draft-delany-domainkeys-base-01.txt,' for publication with the IETF (Internet Engineering Task Force). The patent license agreement can be found here."
Can't spammers just get verified domains to send their mail from?
This is exactly what we need, the really big companies can to a great deal to prevnt spam from being profitable. It all makes sense. If the major e-mail providers (Hotmail, Yahoo, Gmail etc.) find a way to prevent spam from reaching their inboxes, the number of people who recieve a certain spam message will be drasticly cut. It's also these big companies that have to pay the most for spam I think, in bandwidth and storage costs etc. I just hope the big players can descide on a single standard so we can see some action instead of just talk talk talk.
Martin
Well so far, the patent on Domain Keys *seems* pretty benign. All they seem to want is that if you implement it, Yahoo! wants the free advertising and their trademark to stay intact.
The point that worries me is that Yahoo still retain the right to alter this agreement at any time and (heaven forbid) change it to force licence payments.
I fear it may be used as a submarine patent.
Damn shame.
READY.
PRINT ""+-0
GMail used it first.
l ?t id=111&tid=217&tid=95&tid=1
http://it.slashdot.org/it/04/10/18/0236201.shtm
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;
Read the licence , seems pretty decent at first glance , they just want acknoledgement of their IP and the licence is p[erpetual so they can't revoke it unless you break their terms
Comment removed based on user account deletion
If it gets accepted as an RFC standard, I think we all deserve a royalty free patent grant :)
... (*wishful thinking*)
... not just Domain public keys :)
Or even better a patent grant for code under "OSI approved" licenses
Seems to be a very nice Public key based system using standard RSA algorithm too . But I still want my ogg streams over DNS
Quidquid latine dictum sit, altum videtur
Due to the way the can spam act works with the opt-out links, this doesn't really stop spam at all. Recent research pointed out that the majority of domainkey users so far have been spammers, because it makes it more likely they pass the spam filters. Its really no better then the techniques used now, especially because a large amount of spam isn't using spoofed addresses, but completely valid ones.
The problem with spam is slowing it down, whats really needed is a CPU intensive solution like the hashcash suggestion (like which has been suggested before), that way mass spammers can be differentiated from different users. While mailing lists may suffer due to it, with the addition of a standard mailing list protocol where you email a certain message to your mailing server, they send a message to the mailing list to subscribe on behalf of you, and for your account prevent the need to use hashcash.
The only way this could help spam is if Microsoft started charging for emails (which they have wanted to do for a while now).
After all, I'm using an entire 1% of my current 100MB allowance. That extra 150 will really come in handy.
My other processor is big-endian.
As I understand it, the biggest benefit of domainkeys is not the person that is receiving the mail from a dk-enabled domain, but rather the dk-enabled domain stops seeing so many bounces coming back from people claiming to be them.
Instead, when a spammer tries to send a dk-enabled recipient, faking a dk-enabled domain, the recipients MTA rejects immediately, rather than bouncing, which would go to the wrong place.
Domainkeys don't mean "not spam". They mean "this MTA is authorized to send on our behalf". That MTA may well be a spam-friendly MTA.
Like nay good quick fix, this is "good idea" from the pre-history of fact.
Spam sent from zombie (pwned) machines and open relays will all come from valid domains.
Forged from locations *also* can come from valid domains.
For an idea to be good it has to be "simple" _AND_ "effective".
This will just encourage less traceability and cut of legitimate and careful operators.
Consider I have a domin, I do tiny bits of email, my *reverse* domain is going to show up as bunch-of-numbers-provider-tld, which won't match my sendings unless I pay lots and lots of money to my provider (Ok, I'll say it, "Comcast") for a business account wiht a proper inverse DNS entry.
So this is shaft common people and encourage virus/trojan writers and open the door for profiteering.
Yea... that'll help a hell of a lot.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
I prediced when they first came up with this idea, that owners of large numbers of "free" mailboxes would promote this idea wrapping themselves in the flag of fighting spam - but later they will turn it around and use it to bill companies for access to those mailboxes.
How? you ask (or not)
1. Company BigBox declares "All mail destined for our free mail accts must use Yahoo! Domain Keys (TM, R, SM, Patent #suckitlosers)"
2. Their mail servers count the number of emails signed by company X. (incrementing a long int counter associated with cert X in postgresql or yoursql is much less expensive than the YDK verification process)
3. They send a bill for USD 0.01 per email to the (email) address associated with the signing cert for company X during a given month.
4a. Company X says fuck off and doesn't pay the bill, BigBox tags Company X's cert record in their db and which blocks all incoming emails signed by that cert at the mail server untill the bill is paid.
4b. Company X tries to say "we didn't send that many emails to your captive eyeballboxes, it was Bad People (TM) who did it with our cert" BigBox says "Then you should have revoked your keys, beeeyyyyoutch!"
Don't say I didn't warn you - I even tried to make a long bet about it because at the time we didn't know how long it would take before the major players would implement YDK - and I wanted Yahoo! to bet against me, so that they couldn't disingenuously act as if they had never heard/thought of that use for Yahoo! Demon Keys.
I'm probably wrong, but this sounds like automatic PGP signing on outbound emails, at a domain-based level.
It's too bad webmail and other MUAs don't include PGP as a more standard option.
The only possible flaw i see in this system is that now, in soviet russia, spammers can block Yahoo. Is this fixable or does Yahoo just have to deal with this?
how would one implement dk with iis's smtp service?
and yes, this is an honest question
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
RTFA. Interesting reading on what may hinder adoption of DomainKeys for some.
some smart people browse at "0", you are a a smart guy and you are correct
will i mod you up? no. i never have modded anyone up or down in my life (but i have posted over twenty posts as AC that immediately shot to +5) the reason... i post real juicy dirt and provocative facts.... just as you do.
your prediction is a valid one
Why do we need something else than SPF? SPF is open, easy and already working in many places. It doesn't need vastly new software or much special at all.
All you do is to add a TXT record to your domain and write down which addresses are permitted to send mail in your name.
http://spf.pobox.com/
Software patents are bad for the market and patents that have to be granted royality-free are not worth the transaction cost burden the software company pays to the patent industry (= patent professionals). Patent trolls contribute much to market insecurity in the software market.
I hope in Europe we will get safe from software patents. It is worth to fight for that.
I don't believe that conceptual protection of software was bad but patents ARE the wrong instruments. Players such as FFII's Hartmut Pilch propose Industrial Copyright to fill the gap. It there is a gap.
For the EU Patent directive European market players need certain amendments into the directive.
Yahoo could save wasted money.
To find out more about patents I recommend a short introduction text of FFII.
Or help rescue Nigeria? View sexy cheerleaders? Take the blue pill? Discover better Dell deals? Get flat screen plasma TVs for free? Huh? Huh?
I don't think this will take off until there is an easy way to plug this into Spamassassin.
The only problem with this solution is that it's going to make sending email virtually unusable for people like me. I work for myself, and have my domain and email inbox provided by a hosting company. When working from my home office I connect to the net using a local broadband ISP and I have to use their SMTP server for sending mail. I can't use my hosting company's server cos I'm outside their network. Similarly, when I'm away from my office, I connect to the net using GPRS and use my mobile provider's SMTP server. And sometime if I'm on a clients network I'll use their SMTP server instead.
In all those cases it doesn't matter where I'm sending from, cos the From: and Reply-To: headers point back to my domain, so when people reply to me their email goes to the right place. It's even more important these days with spam filters in front of everyone's Inbox that my From: field correctly identifies who I am. And from a business point of view that has to remain consistent.
The Yahoo site describing this states that for DomainKeys to work, the domain is extracted from the From: field, a DNS lookup fetches the public key, and that is then compared to the email's private key to confirm the email came from the correct place.
For me this is always fail, whether I'm working from home, or I'm out on the road. Basically, it's a complete disaster. Right now I'm not sure how I'd get round that.
I can't be the only person this would screw up. There must be tens of thousands of other people out there who legitimately use email this way and would be badly affected by this.
In all reality, this is just driving toward another revenue stream for them. It is much easier to charge Spamers a fee to reach you than it is to get you to pay 19.99 a year for Mail Plus.
Homer: Facts are meaningless, you can use facts to prove anything that's remotely true!
..in comparison to the amount of paper junk that appears at their front door?
It seems every nerd and his dog only understand computers and go on and on about this major threat to humanity. Outside their bedroom, in real life, huge amounts of environmental waste is being created from paper junk mail.
Nerds need to switch off their computer once in a while, wash the dried in sperm off their hand and step outside to their mail box and see where the real problem is.
Probably because the submitted link ends up pointing to dc.h4xx.com rather than the indicated yahoo.com link.
You're confusing the the envelope From (ie. where bounces and suchlike go) and the From: mail header. DomainKeys/SPF still allow completely arbitrary From: mail headers.
HAND.
While software patents are indeed evil, the situation would have been worse has Yahoo not take out a patent on the algorithm.
Being a highly visible algorithm, its quite likely that has it not been patented already, someone (for example, a large software corporation, hint hint) would just go ahead and patent Yahoo's DomainKeys instead - or maybe just something similar enough that will be called, maybe, "Authenticated Sender Identification". US Patent office officials, being dumb enough or greesed well enough will just pass it w/o due examination and then said corporation can just go ahead and sue everyone deploying a mail server with Domain Keys!
Now, of course the best solution would be to have software algorithms not patented (in the US and elsewhere), but that being no more then wishful thinking the next best thing is exactly what Yahoo has done.
I myself thank them for that.
Put your tinfoil hat back in the closet, AC.
I hate my inbox being full of bounce mail from viruses; domainkey and SPF can make it easier for auth systems to silently kill it.
Of course, I suspect this won't happen because even today, when all virus mail uses forged sender addresses, too many virus scanners insist on sending "your email has a virus, here it is attached" responses, despite the fact the up-to-date virus scanner could trivially have a flag to say "spoofed, delete it" next to the fancy virus signature stuff you have to pay $$ for.
or cancel my fucking account and refund my money.
.
The reason why no tinfoil is involved and why this will happen is the same reason google can display ads on your gmail box - to support the free service that they are giving you for free
It will become acceptable to charge companies for access to large herds of eyeballs (that gathered there because something was free) - that is my bet/prediction. And it will be accepted because "it is a good way to reduce spam and support free services".
I hope I'm wrong, but I won't the way things are going.
I use yahoo email. It's okay, but the spam checking feature sucks.
It seems to work in almost arbitrary fashion. It never "learns" like it is supposed to. No matter how many times I indicate that certain senders are not spam, or that certain senders are spam, yahoo files emails from certain senders in "bulk mail" other in my standard inbox.
Since I have to check both my "bulk mail" and inbox anyway; there is little benefit to yahoo's spam checking. I appreciate the effort, But, it doesn't work well enough to be very helpful.
What's important is that DomainKeys signs the content of the email itself, so you know not only that this email came from an approved sender, but also it wasn't tampered with on the way. As a result remailers that add content (such as mailing lists) will have to re-sign the messages passing through or remove the DomainKeys headers at all, which is quite a headache.
WTF?
Your posting is named "Spam and Patents" and there's not a single thing about spam (except in the subject).
Your posting, Sir, is non-relevant and off-topic.
Most spam is designed to generate a purchase using a credit card. Most credit card companies are controlled by US companies. Why not go after the spam sites merchant accounts and get the cooperation of the credit card companies to shut them off.
Well if this is what is going to happen then why don't you patent it? This would probably be covered nicely by a business method patent. When they start doing it you sue the hell out of yahoo and retire.
Got Code?
You misunderstand - if your college implemented it, then *other* people would be able to use it to verify the authenticity of mail sent from your college. To combat mail forged 'from' banks, the *banks* need to implement it for their domains.
I'm wondering about that, because, as a hosting provider, we host a lot of domains.
By reading this proposal, it means that each domain will need a pair of private/public keys.
My customers will probably don't care about that, and will require that we take care of handling dozens of keys... that can be a mess for hosting compagnies....
Mess with the best, die like the rest
This may not be true where you live, but overhere (the Netherlands) you can stick a small sign to your door forbiddign delivery of comemrcial and/or unaddressed (surface) mail. Ignoring this sign can and at times will get the sender into quite a bit of trouble.
So, I don't get huge piles of paper junk, actually, I get evry little of it, and it is no issue for me at all. Spam mail on the internet is an issue.
Suppose someone sends a single message from one throwaway web-mail account to another, getting it signed on the way. Then suppose he spams the signed message via whatever mail servers he normally uses - ideally zombies that won't change the signed headers. Am I missing something, or does this make DomainKeys worthless?
By implementing this ISPs can make money by selling hosting of domainkeys on their mailservers. This would totally suck for those of us who are not able to keep our own mailserver. My ISP has blocked port 25 and spamlisted all the public IPs (which really sucks), as soon as they realize people use this, they are most certainly going to charge me for sending mail using my domainname because they would have to set up their server for my emails.
Apple built a platform for their ideas, Google built one for everyone's.
I'm interested in using domainkeys (heck, I use SPF, I even greylist), but I'm unable to find an implementation for Postfix or Amavis. Is anybody working on an implementation? I saw the library that yahoo has, but I just don't have the time to code my own right now.
I'd think an Amavis implementation would be ideal, since it scans everything anyway, and integrates with other mail servers so easily.
Let's git er done...
Slashmail.org "The Open Source Email Company"
I first read that as "Yahoo! now using donkeys" to deliver mail
3.1. You agree not to assert against Yahoo!, or any other DomainKeys Developer, a patent infringement claim against any Implementation ("Implementation IP Claim").
They proceed to give identification numbers for patent applications, not granted patents. I was not able to locate these applications at the USPTO, so perhaps they are unpublished?
For all we know, Yahoo is trying to win legitimacy and enforceability for overly broad patent claims, where we don't even know what they are. How could a rational person agree to that?
There seems to be alot of confusion amound /.ers about how SPF and DomainKeys fight spam. The primary accomplishment of these technologies is to make it difficult to scam e-mail recipiants. e.g. you cant pretent to be Bank of America anymore.
DomainKeys makes it harder to send general spam as well. It allows spammers to be tracked. It also allows easy blacklisting of known spam servers. ISP's will be more strict about letting spammers use their SMTP servers out of fear of being blacklisted.
Finally, while it is possible for a spammer to change SMTP servers frequently, this adds significant financial overhead. I believe DomainKeys has the ability to eliminate all of the small spammers, as well as almost all phishing scams.
There are 10 types of people in the world. Those who understand binary and those who do not.
Have you checked the headers on those "white listed" addresses that end up in bulk mail? If they are mailing lists, it could be they are using the bulk mail precedence flag and Yahoo is doing the right thing.
DomainKeys should use 'sender' and not 'from' line. In this way a gateway can read the incoming mail, verify the DomainKey signature of the sender, perhaps mark that it was accepted for delivery and adding what ever headers it wishes, and then using DomainKeys to sign the outgoing message (but using its own sender). In effect, DomainKeys should be 'chainable', trusted gateways should continue to work as they do today, in a sequence of trusted servers.
Got the latest Firefox on FC3 and as of a week ago, or so, the left hand nav column shows up in the middle of the page, with a huge whitespace to the left.
I've never had layout issues with Yahoo, but this makes it pretty useless for me. Anyone else have this issue?
This is with a stock Firefox, no extensions.
Suppose I want to be sure to get purchase orders from joe@example.com. I add his domain to my whitelist so it doesn't go through my bayesian filter (in my real life experience, POs tend to look like spam to filters). Unfortunately, I now get 6 spams claiming to be from joe@example.com for every real message from joe@example.com.
So I ask Joe which IP addresses he normally sends mail from, and whitelist his domain only when it comes from those IP addresses. This is really what AOL used to do with high volume mailers (not necessarily spam - think mailing lists). Now I reliably get Joe's POs without all the forgeries.
Now Joe gets a great deal at a new ISP, and all his email IP addresses change. Drat! I missed one of his POs! So Joe and I decide we need an automatic way for him to keep me up to date on which IP addresses are authorized to send his mail. After a handful of false starts and as many months, we come up with.... SPF. (Well, actually some other guys came up with it - I just use it.)
Since SPF is published on DNS, people getting spams claiming to be from me can now check my SPF record and REJECT them - instead of sending me death threats (yes, I really get death threats from irate recipients of spam forged in my name).
This also cuts down on bounces from spammers forging my email and trying to send to non-existent targets. The bounces I still get, I can ignore because I sign my outgoing MAIL FROM with SES (Signed Envelope Sender).
Now, most of the spam I still have to deal with is not from spammers (who are mostly blacklisted now), but from idiots who send replies (instead of a DSN) when they detect a virus that forged my email. Some ninkompoops even send replies for non-existent email targets - usually with some stupid message about how they had to change their email address because of spam.
http://www.emailias.com/learning/spam_facts.php Do you think there is that much lost revenue from paper junk mail? Junk snail mail is also a problem. Thank you Captain Obvious.
The primary accomplishment of these technologies is to make it difficult to scam e-mail recipiants.
You're mixing up phishing and similar identity theft scams and spamming. This is like arguing that laws against online porn will stop spam: you're targeting particular uses of spam... and this has never worked except partially and temporarily.
DomainKeys [...] also allows easy blacklisting of known spam servers.
We already know from the contents of the message, from the source address, the envelope, and the headers, exactly where the spam is injected. DomainKeys provides precisely NO new information about the source of spam.
ISP's will be more strict about letting spammers use their SMTP servers out of fear of being blacklisted.
Spammers don't use their ISPs servers, except by accident. They run an SMTP server right on the injecting system, and spam direct from the dialup, Cable, ADSL, or T1. When possible they don't even own the injecting system: it's a hijacked wireless link or a PC they've taken over with a virus. When they do find they're going through the ISP's servers they switch to a different ISP, because the only reason an ISP forces SMTP connections through their SMTP servers is to block spam.
whats really needed is a CPU intensive solution like the hashcash suggestion
Which kills legitimate mailing lists.
There's one way to prevent spam and that's to make it a lot more expensive in human time to send unsolicited bulk email. There's no way to do this, though, without making it a little more expensive in human time to send single messages, or to sign up to a mailing list.
I've been using it for my family's mail for the past few years and so far as I know a total of one Nigerian has decided it's worth their time to jump through the hoop to get in.
The problem with this is that people who haven't yet accepted that spam can't be solved without making mail a little harder to use aren't willing to jump through any hoops, and that most people running mailing lists aren't yet set up to give people the necessary information to whitelist them.
There's a bunch of different mechanisms that can be used, once you decide to do it. Right now just demanding a specific keyword in the subject line is more than enough to keep the spammers out. Later, I'm sure, cryptographic techniques will become necessary as spammers start parsing bounce messages and looking for clues. But right now this is all you need to do... it works, it works well, and it's easy to implement...
Who modded up this two-sentence junk message?
Check out cloudkj's posting history and see.
I have about a hundred email aliases. I get about three genuine spams per day - and a lot of "junk email" from vendors who I've done business with, but that stuff is, strictly speaking, legit. It's just kind of annoying in its volume.
So I ask again -- what's wrong with three spams a day? BFD.
A patent entrenched system, we will all see how well this works, I think we all remember Sender ID and it's brilliant failure.
SPF looks up the allowed IP addresses where a domain can send e-mail from and allows or disallows a connection from a server on that basis. If it's disallowed, then no message is sent.
DomainKeys looks at the signature provided in the header to see whether it's spam. Oh wait. The spam was already received (wasting my bandwidth) and stored on my server (wasting my disk space), and now I have to verify the signature is correct (wasting my CPU cycles). Even Yahoo admits it will add 10% to your CPU overhead.
So, what about the small percentage of e-mail that is forwarded or relayed? People may complain that this e-mail then can't be checked by SPF. Then do one of two things:
1) Turn off your server's SPF checking just for that forwarder or relay, or
2) Turn on SPF checking at that forwarder or relay then do #1. If the forwarder or relay is SPF checking, then you don't need to worry on your end.
SPF wins hands down. It's the only one that actually decreases spam e-mail traffic!
anything that helps fight spam can't be all bad, but it would be nice if there was a completly transparent/open source system that we could all agree on rather than a dozen competing standards
Get your torrents...
This is a nasty problem; ideally, MTAs shouldn't change the headers at all. One solution would be to canonicalize the headers. Say, "remove all headers beginning with X-, then sort the headers alphabetically; identical header names use the pre-existing order". That would solve this. Another solution would be to ignore all but certain headers. Ugh.
- David A. Wheeler (see my Secure Programming HOWTO)
Basically, things are working just how they're supposed to work - you can confirm that the email really was from a Yahoo! account, or whatever the domain said it was from. So in some sense, this isn't a problem at all.
This attack does reveal an underlying assumption, though -- it's assumed that if a message is signed, then only the sender will be sending it, and a "good" sender will try to stop spam. This attack ruins this assumption; an attacker can use a mail hosting service like Yahoo to create a valid signature, and copy that email to the entire world. The problem isn't that it's not authenticated -- the problem is that it's hard to stop someone from sending those extra messages.
This approach would still work, if you could at least determine WHOSE email was being spammed. It does look like straight DomainKeys does have this as a weakness. If there's one key per domain you might not be able to exactly determine who sent the message (by itself). I guess a signer could record each hash it signs, and who sent it, so you could trace it back to the specific individual. Alternatively, you could use per-user signatures, and then you'd be able to tell.
So, if a signer records the hashes it signs (along with who made the request), or uses individual user keys, I think it still works.
- David A. Wheeler (see my Secure Programming HOWTO)
You aren't wrong. In fact, customers who subscribe to Yahoo!Mail, .mac, etc.. would likely be made fully aware by their service provider that only people on "paying-domains" can interact with them (including other major service providers, like Hotmail, Gmail, etc..) and customers are likely to use this as a new metric for deciding who to do business with. In other words, people who discover they can't interact with a certain domain will begin to assume that the lost messages are due to financial issues and shy away from them. (TCM's "The American Way" begins playing.) While interesting and technologically practical, if it ever goes into effect, it is certain to be defeated by legislation from the Republican controlled Congress or Senate or by the Republican controlled high-court. Why? Because it screws small business and so it is bad for the economy.
Nice thought, but the Legislature would never permit such a system to stand for very long. First of all, there will be a call to tax it if it were allowed to stand, and we all know how the legislature feels about taxing things related to the Internet. Second, this is bad for small businesses (and thus, the U.S. economy), so the Legislature would likely impose a regualtion on any ISPs who have more than, say, 10K subscribers that they have to carry everyone's e-mail unless they can charge in a way that is equitable to domains run by small businesses (meaning they are paying back as much as they are taking in from them).
> beeeyyyyoutch
Uh, are you trying to say: biatch ? I have to say, I also enjoy your use of "fuck off" and "Bad People(TM)". You may want to broaden your horizons a little so you understand the Big Picture. You are half-way there, at least.