Yahoo, Sendmail to test anti-spam system

Internet company Yahoo and software provider Sendmail said Tuesday that they will jointly develop a system for authenticating e-mail, with the goal of mitigating spam.

The two Silicon Valley companies announced support of DomainKeys, a proposed system for verifying the identity of an e-mail sender and reducing e-mail forgeries. Yahoo--which runs a Web-based e-mail service used by more than 39 million people in the United States, according to Nielsen/NetRatings--plans to develop and test the system by March. Sendmail's open-source technology, which routes the bulk of corporate e-mail to and from the Internet, will be integral to the experiment.

"In working with Sendmail, and other industry leaders, we are able to develop a powerful authentication solution to solve the spoofing problem and lay the foundation for future antispam advances," Brad Garlinghouse, Yahoo's vice president of communication products, said in a statement.

In a separate announcement, Sendmail said Tuesday that it will back Microsoft's system for identifying the origin of e-mail, an initiative called "caller ID for e-mail" that aims to cut down on fraud. Sendmail will develop software tools for Microsoft's program as plug-ins for its open-source and commercial software.

For its part, AOL is experimenting with its own authentication system. In January, the online unit of media giant Time Warner said it implemented SPF, or Sender Permitted From, an emerging authentication protocol for preventing e-mail forgeries. The trial involves the company's 33 million subscribers worldwide and is the first large-scale test for the protocol, which standards groups are considering along with various other e-mail verification proposals.

Yahoo, Microsoft, AOL and others are trying to soften a growing headache for Web surfers and corporations. More than 50 percent of e-mail sent today is unwanted junk e-mail, and the spam volume costs mail providers millions of dollars in hijacked bandwidth, storage and defense measures.

Key to thwarting spammers is developing methods to verify that people are who they say they are. E-mail spoofing is one of the toughest problems for Internet service providers and antispam companies to crack, largely because Simple Mail Transfer Protocol (SMTP)--the method for sending e-mail--offers no widespread means to detect and authenticate a sender's identity. Junk mailers typically cover their tracks by hacking into unprotected e-mail servers or open relays, or by falsifying names and e-mail addresses in the mail sender field.

DomainKeys is a proposed system that attaches encrypted "keys" or tags to every e-mail sent--with one key held in a public database and another key, which is private, linked to the message. Once the message is delivered, the receiver could match up the private key to the public key held in the open database to verify the sender's identity. But if the public key cannot corroborate the signature, the message would be subject to the receiver's spam policy.
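The signing flow described above, as an added example that is not code from Yahoo, Sendmail or the original article: the sender signs with a private key it keeps, and the receiver checks the attached signature against the public key published for the sending domain. The toy textbook-RSA parameters, the `PUBLIC_KEYS` dictionary standing in for the public database, and the `example.com` messages are constructed for illustration and are not suitable for real use.

```python
import hashlib

# Toy textbook RSA (no padding, small modulus), used only to show the flow.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537   # two Mersenne primes, public exponent
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent; stays on the sending server

# Stand-in for the public database: sending domain -> (modulus, exponent).
PUBLIC_KEYS = {"example.com": (N, E)}

def digest(sender, body, n):
    """Hash the signed parts (From address and body) into an integer below n."""
    data = f"from:{sender}\n{body}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(sender, body):
    """Sending server: sign with the private key and attach the signature as a tag."""
    return {"from": sender, "body": body, "sig": pow(digest(sender, body, N), D, N)}

def verify(msg):
    """Receiving server: look up the From domain's public key and check the tag."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    key = PUBLIC_KEYS.get(domain)
    if key is None or "sig" not in msg:
        return "unsigned"              # nothing to check; receiver's policy decides
    n, e = key
    ok = pow(msg["sig"], e, n) == digest(msg["from"], msg["body"], n)
    return "pass" if ok else "fail"    # "fail" -> subject to the receiver's spam policy

def demo():
    """Run the check over four constructed messages."""
    good = sign("alice@example.com", "Quarterly report attached.")
    tampered = dict(good, body="Wire the money today.")   # body changed in transit
    forged = {"from": "alice@example.com", "body": "Click here", "sig": 12345}
    other = {"from": "bob@example.net", "body": "hi"}     # domain publishes no key
    return [verify(m) for m in (good, tampered, forged, other)]

if __name__ == "__main__":
    print(demo())
```

Only the holder of the private exponent can produce a tag that verifies, so a forged From address on an unsigned or wrongly signed message is detectable without trusting the connecting server.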

Following their tests, Yahoo and Sendmail plan to develop an open-source package for wider adoption in the industry. Late last year, Yahoo said that it was developing DomainKeys for its mail system and Tuesday's announcement builds on that initiative.


Talkback 1 comments

  1. Anonymous -- 26/02/04

    Microsoft's Anti-Spam system is more harmful than good, and must be stopped

    This may sound crazy. This may sound like someone saying "I'm in favor of Spam". It's not, and I'm not.

    Microsoft just announced a "Proposed" new anti-spam standard. "Proposed" in the way that an Executive Order from the President of the U.S. is a "proposed" law. "Proposed" in the way that the U.S. Supreme Court's decision "proposed" that Bush won the election. Or did you realize that they have already strong-armed AOL and Sendmail.com into this, as well as Brightmail and Amazon.

    So why am I against this? What are the flaws?

    First, the internet has a system in place for proposing new standards. This is a system that allows the merits of a proposal to be heard, its flaws found and fixed, etc., yielding a good, working standard that people agree on, not something handed down by executive fiat from the large companies that are trying to take control of the internet (more on that later). And, this system works. It works really well. How well?

    Remember how the internet began. Way back when, DARPA approached some grad students and said "Come up with a way for trusted users of trusted computers to continue talking to each other even when some computers have been destroyed or wiped out". And, they succeeded -- so well that in the 1990 era wars against Mid-east tyrants, we had trouble taking out their command and control systems because they used the same IP system that was designed by these grad students for exactly this purpose -- maintaining communication in a time of war.

    So what's wrong with Email today? We no longer have trusted computers with trusted senders. That doesn't mean that the internet standards process is flawed; it means we need to ask "How do we get rid of unwanted junk email when we can't trust people or machines?".

    But rather than asking that question, rather than soliciting any input, Microsoft does ...
    1. Uses its monopoly on desktop OS to give it a giant gain in internet email (Hotmail is the top web email system),
    2. Uses its domination of web email to force its own email standards on the world, and
    3. Microsoft has said that people should be charged 1 cent per email to stop spam.

    You tell me what Microsoft's next step will be after getting everyone to check the Microsoft database of legal email senders.

    Second: Technical flaws with the standard.
    Microsoft's idea is basically "Here's the valid IP addresses for this domain, and emails from this domain".
    At first glance, this seems reasonable -- an ISP says "These are my addresses", a user from that ISP uses those addresses, all good.

    EXCEPT:
    Right now, I can have an email address of 'michael@stb.nccom.com' (since changed) that will reach me even if I've gone through 10 different ISP's since I created that name. Under Microsoft's "Proposal" (Fiat), that will only work if "sb.nccom.com" is listed as having whatever IP addresses I get whenever I dial up with my ISP of the month.

    Right now, I can have an email address that is not dependent on a given ISP. I used to have such an address -- any email sent to 'anyname@stb.nccom.com' went to my inbox, tagged by the name that was used, and sorted into mailboxes on my system based on the destination mailbox name. I still have such a system, but it's no longer that hostname (Yep, spam forced me to abandon that old address. It's not the first time I've had to leave an address, or even a hostname.). But under Microsoft's Fiat, that doesn't work anymore.

    *** Under Microsoft's fiat, any mail sent from my home system must be tagged with my ISP's domain name ***

    Read that again. Suddenly, my home computer CANNOT have an ISP-independent email address.

    *** I CAN NO LONGER TAKE MY ADDRESS WITH ME WHEN I CHANGE PROVIDERS ***

    For most people, the only way around this is to go with a web-based email system. You know, the inconvenient, difficult to use systems that insist on sending you adve

