Yahoo announces plan to identify source of spam

R. A. Hettinga rah at shipwright.com
Mon Dec 8 12:00:53 EST 2003


<http://www.theinquirer.net/print.aspx?article=13086&print=1>


Yahoo announces plan to identify source of spam

Not trying to crown themselves kings of anything

By Rick Reroy: Monday 08 December 2003, 11:19


YAHOO HAS pre-announced that it intends to do something serious about spam
next year, Reuters reports. Its new initiative, named "Domain Keys", will
involve automatic cryptographic signatures on mail. The signature will
identify which Internet domain the mail is from.

This line of attack on spam seems rather more promising than the law-based
line, which doesn't seem to be going the right way, even assuming you could
identify who the lawbreakers were. And though many of us may feel like
kneecapping the spammers, that approach suffers from the same problem, plus
the problem of legality.

Though Yahoo is not ready to lay out the details yet, it says it will
provide free specifications and code -- always a good way to get your
proposal adopted on the Net -- some time next year. In the meantime it is
dropping hints. It's the Internet protocol version of vapourware: software
announced far in advance of its introduction, with the aim of slowing sales
of rival products.

In this case the alternatives being "nipped in the bud" are proposals like
SPF, sponsored by Yahoo Mail rivals pobox.com. Other people working on the
problem of identifying the source of mail include the IRTF (Internet
Research Task Force). Clearly Yahoo doesn't feel these net.bigwigs are
getting there fast enough and want to short-circuit the process by
announcing the imminent announcement of its own pet scheme.

The main difference between SPF and Yahoo's "Domain Keys" is that Yahoo
uses cryptographic signatures, rather than the IP (numeric) address of the
sender, to determine the source of a mail. This means the receiving system
has to first download the entire mail in order to check the signature. In
the case of SPF you can reject the mail immediately, since the originating
IP address is revealed, caller-ID style, the moment someone contacts your
system with a message. There's also a certain processing overhead inherent
in the Yahoo idea, since there will be huge numbers of signatures to check
- good news for purveyors of 64-bit CPUs everywhere.

On the other hand, the use of cryptography in Yahoo's protocol potentially
allows some clever tricks that aren't possible with the simpler SPF system.
One of these is rejection of spam that has been sent through a mailing list
and thus doesn't reach you directly from the server of the perpetrator.

The Yahoo proposal involves using the existing Internet-wide domain name
database to distribute cryptographic keys. The advantage of this is that it
doesn't grant a natural monopoly to the company administering the key
database. That is pretty much a prerequisite for a proposal that hopes to
gain widespread adoption: Internet users tend to be wary of natural
monopolies, since they are almost bound to be abused at some point.

So what happens when all these schemes get finalised? Likely not too much
to begin with, but the best way to boost a scheme would be to start
filtering mail based on it. If non-implementation of Yahoo's new idea means
you have difficulty in getting your mail through to Yahoo's mail users, of
which there are rather a lot, that would be a big incentive to update your
software and start autosigning the outgoing mail at your organisation. Or
rather to hassle your system manager to make sure it happens.
Incentivewise, the more legitimate mails Yahoo discards, the greater will
be the pressure to adopt Yahoo's proposal...

We at the INQ are also cynical enough to note that there are going to be a
lot of losers if any of these anti-spam initiatives actually work well.
After all, spam detection and blocking is fast turning into a huge
industry. They need those spams to keep flowing just as much as the
anti-virus vendors need a steady stream of new and vicious viruses to keep
their users renewing their subscriptions.

Any real solutions would be disastrous. µ


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
