Yahoo, Earthlink Build Bulwark Against Spoofing

Yahoo announced enhancements to its e-mail service, adding search, morestorage and its DomainKeys sender authentication technology — which is alsobeing deployed by Internet service provider EarthLink in a test roll-out.

While the news of the DomainKeys deployment was welcomed by most, therewere also calls for the different methods of validating e-mail senderidentity to be merged in order to adequately address spoofing.

Security and spam experts report a rise in the incidence of spoofing — faking the”from” address — and related online scams and crimes such as phishing, orbaiting users into divulging information with official-looking solicitationsand sites.

“Eventually, I think their ideas will be piled into one, but for now,it’s just a matter of them jockeying to see who owns it,” said industryanalyst Joyce Graf. She told TechNewsWorld that the DomainKeys rollout was “onthe right track.”

Deployment Key

Yahoo, which also announced a free e-mail storage boost to 250 MB ande-mail search and transfer capabilities, said its DomainKeys will provideincreased protection from spammers who use spoofing tosteal information or damage reputations.

Although Graf said that DomainKeys will likely go through an awkward period because it is new, she lauded both the technology, which operates as a sort of caller ID for e-mail, and the consortium behindit.

The similarMicrosoft-backed SenderID scheme is similar, but the technology that is deployed most frequently willlikely be the winner. “Sometimes, the better solution is the one that’s simply there,” Grafsaid.

Identity Variety

DomainKeys is a sender validation technology that relies on public/privatekey cryptography to verify the sender of an e-mail message at the domainlevel, Yahoo said. A sending system uses a private key to generate asignature and inserts it into the e-mail header. The receiving e-mail systemthen uses the public key, published in the Domain Name System, to verify thesignature.

Basex chief analyst Jonathan Spira told TechNewsWorld there are severalsimilar technologies that accomplish the same thing, including Cisco’sIdentified Internet Mail and the SenderID. That method, which checksthe IP addresses of the servers in domains, recently moved ahead withrelease of a second version of the specification, Spira said.

Spira said there is a need for both technological and organizational synergyon the spoofing issue, which has tarnished e-mail as a communication medium.

“In order for the industry to move ahead, we need one merged technologyin order to ensure interoperability and greater control, as well as onecentralized authority to turn to,” he said.

Spira, whose firm estimates spam costs business around the globe morethan US$20 billion each year, said service providers such as Yahoo are alsobeing forced to lower the rate at which spam slips into e-mail accounts.

“The cost is simply too high otherwise,” Spira said.

Major Support

Spira, who noted that Google is also using the DomainKeys technologyfor its e-mail service, said the test by EarthLink comes after a FederalTrade Commission/NIST summit held last week.

The summit “seemed to prompt all of these previously unplanned tests andannouncements,” Spira said. “EarthLink is only in the testing phase, whereasothers are already using the technology.

“However, Earthlink is the first major ISP to announce a test,” Spirasaid.

EarthLink, which recently rolled out its free ScamBlocker software toguard customers against phishing attacks, said it is testing DomainKeys todetermine how it can best implement the solution.

Last year, EarthLink was the first major ISP to provide apermission-based spam-fighting tool, spamBlocker, to block unwanted junkmail, the company said.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

How often do you update your passwords?
Loading ... Loading ...

LinuxInsider Channels