Post by Jer
http://www.usatoday.com/tech/news/techinnovations/2003-12-05-yahoo-spam-switch_x.htm

I am speaking only for myself.

The details of this proposal are vague. Yahoo is proposing that
email be digitally signed, making forged return addresses harder
to do. (How many disgusting spams have you received, apparently
FROM YOUR OWN ADDRESS? The postal service (paper mail) has much
the same problem. There is little to prevent someone from faking
your USA return address, although the Chinese stamps and Peking
postmark will give a hint to someone that examines it closely that
something funny is going on.)

If spammers can't easily fake return addresses, it makes personal
white lists work better. It also makes black lists work better,
as the chances that you shut off mail from someone you WANT to
receive mail from when you add the return address from that Nigerian
bank fraud spam to your black list are greatly reduced. This is a
GOOD thing. It does not prevent spammers from getting hundreds of
their own legitimate domains, but domains cost money, so they won't
go completely nuts like they do generating random user names. It
is unclear from the Yahoo proposal whether keys will cost money or
not. However, setting up a key infrastructure takes work.

Now, *WHO* signs the email? It sounds like, from the name "Domain
Keys", that airmail.net, not individual customers, does. This also
means that airmail.net has a reputation as a whole, and your mail
is accepted or rejected based on its reputation (which is not that
different from the way it is now, except that, say, AOL's reputation
won't be tarnished by the spammers who keep faking AOL addresses
when they have nothing to do with AOL). Anyone selling accounts
is going to have at least a little spam, as there is little to
prevent someone from signing up and then spamming until they get
caught, even if that's only a few hours. This still doesn't rule
out rogue ISPs ("bulk-friendly hosting") signing spam.

HOW does the email get signed? Software for this doesn't exist yet.
Yahoo talks about making this available to open-source developers but
with no details. There would be several types of software: mail signing
software (which might be needed only by the ISP), and signature-checking
software (which would be needed by anyone wanting to filter their mail),
and key generation software (which might be kept by Yahoo or might come
with the signing software).

It is unclear to me whether this will protect against spam generated
by or relayed by systems infected with a virus written to make them
act as a relay. The virus may be able to use the user's credentials
to get the spam signed as though it came from the user.

What does this mean for customers? This is pure speculation, BUT:
- Anonymous email gets much harder to send and have it accepted anywhere.
- Sending *EMAIL* with "spam blockers" gets your email rejected.
This probably won't affect USENET news. How it affects submissions
to USENET moderators may be up to the moderator.
- If the ISP signs the email, then you MUST send mail from, say, airmail.net
THROUGH airmail.net's mail servers, or it won't be signed, and it
will get harder and harder to have it accepted.
- If you have your own domain name, something would have to
be set up between you and the ISP to get your mail signed. Even
if you sign the mail yourself, you need your public key to appear
in DNS for it to be recognized. Getting a key might require payment
(those of you who know about web site secure certificates should
be familiar with this) and not necessarily to the ISP.
- It may be that you need to authenticate with your ISP to SEND mail.
Your current mail software may or may not know how to do this.
- It may get harder to send email "on the road". To send mail from
airmail.net and have it signed, you have to send it through airmail.net.
But the local ISP you're connected to may not let you use anything but
its own mail servers.

Signing mail will certainly be optional at first. It is likely
that at first *IF* you set up your system to authenticate sending
mail, you can get your mail signed when it is sent that way.

It is also possible that this idea will never get off the ground.

Gordon L. Burditt