Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail

Ken Anderson ka at PACIFIC.NET
Fri Dec 12 17:45:28 GMT 2003


Furnish, Trever G wrote:

> I for one would be quite willing to consider the ability to send email as
> domains you aren't authoritative for as a casualty of war.
>
> Ie if your server won't accept mail for yahoo.com, then I have no problem
> with the idea of rejecting email you claim to be delivering on behalf of
> someone @yahoo.com.  I would expect their implementation to be just an
> extension of that idea - ie if you didn't sign the message with a valid
> "domainkey" for yahoo.com, then you aren't really yahoo.com and shouldn't be
> sending email purporting to be from that domain.
>
> Is that a loss of functionality for many people?  Yes.  Is that loss
> acceptable?  IMO, yes.
>
> If you are the admin of all systems involved (ie mailscanner.info and
> ecs.soton.ac.uk), then making the needed arrangements to allow both of these
> domains to be served by your servers should be within your authority and
> capability.
>
> I haven't seen any details on the technical implementation they're proposing
> - has anyone got a link to more extensive info?
>
> --
> Trever

I would have to agree as well. The problem requires some changes be made
that are not going to be easy, but are worth it.

The domainkeys system will need to call for authentication or trust
relationships between mailservers, so that users on one A.com can send
outgoing mail through B.com as user at B.com, or mailserver MX.A.com can
pretend to be B.com for user at B.com. It's not impossible, but it's
definitely got some difficulties as Julian pointed out.

Ken A.
Pacific.Net


>
>
>>-----Original Message-----
>>From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
>>Sent: Friday, December 12, 2003 11:26 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Yahoo Developing Open Source Server Software For
>>Spam-Resistant E-Mail
>>
>>
>>Unfortunately it suffers from the same problem affecting pretty much all
>>such systems being mooted at the moment.
>>
>>They seem to think that
>>    a ==> b
>>is the same as
>>    not a ==> not b
>>(where "==>" is "implies")
>>
>>The presence of a correct version of this domainkeys header does indeed
>>imply that the message came from a Yahoo server. But plenty of mail from
>>perfectly valid Yahoo accounts is not sent from Yahoo servers. I, for
>>example, send mail from "jules at mailscanner.info" from servers belonging to
>>"ecs.soton.ac.uk". And I send mail from "mailscanner at ecs.soton.ac.uk" from
>>servers belonging to BT Openworld.
>>
>>The lack of a correct Yahoo domainkeys header does *not* imply that the
>>mail is not from a perfectly valid Yahoo user.
>>
>>So when you get a mail without a correct domainkeys header, you know
>>absolutely nothing about its validity. You may like to think you know it is
>>not a valid Yahoo account, but you are wrong. You have absolutely no
>>information about whether it is valid or not.
>>
>>The press don't appear to understand this, and the companies' marketing
>>teams don't either. They are trying to sell systems which are
>>next to useless.
>>
>>Just my 2p worth...
>>
>>At 16:05 12/12/2003, you wrote:
>>
>>>It's not going to limit spam, but I think it's a step in the right
>>>direction. It will also take some significant cpu power to handle the
>>>DomainKeys, but it will certainly be nice to be able to trust that mail
>>>FROM Yahoo.com and any other often impersonated domain that implements
>>>this system actually came FROM that domain. It will also have the effect
>>>of making domain whitelists (allow *.mydomain.com) very useful.
>>>
>>>Ken
>>>Pacific.Net
>>>
>>>
>>>Tristan Rhodes wrote:
>>>
>>>
>>>>Since we were talking about AOL's anti-spam tactics, here is some info
>>>>about Yahoo.
>>>>
>>>>"The company is developing code, called DomainKeys, that's compatible
>>>>with Sendmail and qmail, two popular E-mail transmission programs known
>>>>as message transfer agents. It anticipates release sometime next year.
>>>>DomainKeys will use public key cryptography to digitally sign outgoing
>>>>messages to reassure a public now suspicious of E-mail. "
>>>>
>>>>http://www.linuxpipeline.com/news/showArticle.jhtml;jsessionid=HY12EQWM4BORKQSNDBCCKHY?articleId=16700123
>
>>>What do you think of this strategy?
>>>
>>>Tristan
>>>
>
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
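
Added example, not part of the thread and not Yahoo's DomainKeys code: a receiver-side sketch of the point argued above, that a valid signature confirms the sending domain while a missing one cannot separate a forged sender from a real user relaying through another provider. Assumptions: the yahoo.example domain, the X-Example-DomainSig header, the toy textbook-RSA key and the two policy functions are constructed for illustration and do not reflect the real DomainKeys format.

```python
import hashlib
from email import message_from_string

# Toy textbook RSA (no padding, small modulus): a stand-in for a domain's
# signing key, NOT secure and NOT the DomainKeys algorithm or format.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537          # two Mersenne primes
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))     # D stays on the signing server
PUBLISHED_KEYS = {"yahoo.example": (N, E)}      # constructed domain, public key
HEADER = "X-Example-DomainSig"                  # hypothetical header name

def _digest(msg):
    data = (msg["From"] + "\n" + msg.get_payload()).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(raw):
    """What the domain's own outbound server does."""
    msg = message_from_string(raw)
    msg[HEADER] = format(pow(_digest(msg), D, N), "x")
    return msg.as_string()

def classify(raw):
    """Receiver side: what the signature check can actually establish."""
    msg = message_from_string(raw)
    domain = msg["From"].rsplit("@", 1)[-1].strip("> ").lower()
    if domain not in PUBLISHED_KEYS:
        return "not-participating"
    if msg[HEADER] is None:
        return "unsigned"
    n, e = PUBLISHED_KEYS[domain]
    try:
        ok = pow(int(msg[HEADER], 16), e, n) == _digest(msg)
    except ValueError:                          # header is not a hex number
        ok = False
    return "verified" if ok else "bad-signature"

def evidence_only(verdict):   # position argued by Julian: absence proves nothing
    return "domain-confirmed" if verdict == "verified" else "no-information"

def strict(verdict):          # position argued by Trever: unsigned mail is a casualty
    return "accept" if verdict in ("verified", "not-participating") else "reject"

# Constructed sample messages.
BASE = "From: alice@yahoo.example\nSubject: hi\n\n"
direct = sign(BASE + "sent through the domain's own server\n")
relayed = BASE + "real user, sent through another provider's server\n"
forged = BASE + "spam with a forged sender\n"
tampered = direct.replace("own server", "0wn server")
```

The relayed and forged samples get the same "unsigned" verdict, so the strict policy rejects the legitimate relayed message along with the forgery.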


