Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Fri Dec 12 16:43:08 GMT 2003


I for one would be quite willing to consider the ability to send email as
domains you aren't authoritative for as a casualty of war.

Ie if your server won't accept mail for yahoo.com, then I have no problem
with the idea of rejecting email you claim to be delivering on behalf of
someone @yahoo.com.  I would expect their implementation to be just an
extension of that idea - ie if you didn't sign the message with a valid
"domainkey" for yahoo.com, then you aren't really yahoo.com and shouldn't be
sending email purporting to be from that domain.

Is that a loss of functionality for many people?  Yes.  Is that loss
acceptable?  IMO, yes.

If you are the admin of all systems involved (ie mailscanner.info and
ecs.soton.ac.uk), then making the needed arrangements to allow both of these
domains to be served by your servers should be within your authority and
capability.

I haven't seen any details on the technical implementation they're proposing
- has anyone got a link to more extensive info?

--
Trever


> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> Sent: Friday, December 12, 2003 11:26 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Yahoo Developing Open Source Server Software For
> Spam-Resistant E-Mail
>
>
> Unfortunately it suffers from the same problem affecting pretty much all
> such systems being mooted at the moment.
>
> They seem to think that
>     a ==> b
> is the same as
>     not a ==> not b
> (where "==>" is "implies")
>
> The presence of a correct version of this domainkeys header does indeed
> imply that the message came from Yahoo server. But plenty of mail from
> perfectly valid Yahoo accounts is not sent from Yahoo servers. I, for
> example, send mail from "jules at mailscanner.info" from servers belonging to
> "ecs.soton.ac.uk". And I send mail from "mailscanner at ecs.soton.ac.uk" from
> servers belonging to BT Openworld.
>
> The lack of a correct Yahoo domainkeys header does *not* imply that the
> mail is not from a perfectly valid Yahoo user.
>
> So when you get a mail without a correct domainkeys header, you know
> absolutely nothing about its validity. You may like to think you know it is
> not a valid Yahoo account, but you are wrong. You have absolutely no
> information about whether it is valid or not.
>
> The press don't appear to understand this, and the companies' marketing
> teams don't either. They are trying to sell systems which are
> next to useless.
>
> Just my 2p worth...
>
> At 16:05 12/12/2003, you wrote:
> >It's not going to limit spam, but I think it's a step in the right
> >direction. It will also take some significant cpu power to handle the
> >DomainKeys, but it will certainly be nice to be able to trust that mail
> >FROM Yahoo.com and any other often impersonated domain that implements
> >this system actually came FROM that domain. It will also have the effect
> >of making domain whitelists (allow *.mydomain.com) very useful.
> >
> >Ken
> >Pacific.Net
> >
> >
> >Tristan Rhodes wrote:
> >
> >>Since we were talking about AOL's anti-spam tactics, here is some info
> >>about Yahoo.
> >>
> >>"The company is developing code, called DomainKeys, that's compatible
> >>with Sendmail and qmail, two popular E-mail transmission programs known
> >>as message transfer agents. It anticipates release sometime next year.
> >>DomainKeys will use public key cryptography to digitally sign outgoing
> >>messages to reassure a public now suspicious of E-mail."
> >>
> >>http://www.linuxpipeline.com/news/showArticle.jhtml;jsessionid=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123
> >>
> >>What do you think of this strategy?
> >>
> >>Tristan
> >>

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


