subject: New Spec Could Cut Phishing, Spam
posted: Tue, 29 May 2007 20:43:00 +0100


[Ah yes, I hear you say, another anti-spam spec ... this one looks
promising though: it's using PGP cryptographic signatures, is
developed by Yahoo and backed by the IETF. And it has a chance of
actually working, given the technologies and parties involved, and
it's already rolled out in some places. So this is big news; I
suspect we'll all need to do a little DKIM-related homework. No news
yet for admins on either how to sign mail or how to check for valid
signatures. - Stu]

http://www.darkreading.com/document.asp?doc_id=124796&WT.svl=news1_6

New Spec Could Cut Phishing, Spam


MAY 23, 2007 | Phishers and spammers beware: It may soon be a lot
harder to pretend you're somebody you're not.

The Internet Engineering Task Force, which sets the technical
standards for the Internet, yesterday approved the DomainKeys
Identified Mail standard as a proposed standard (RFC 4871). The
specification, a three-year effort pioneered by Yahoo!, Cisco,
Sendmail, and PGP, is an email authentication framework that uses
cryptographic signature technology to verify the domain of the
sender.

In a nutshell, DKIM allows email senders to "sign" each email to
verify that it comes from their domain. If the receiving domain
handles an email that does not contain the signature, it can raise a
red flag to warn the recipient that the message might be a fake.

"For years, one of the big problems in Internet messaging has been
the ability of a sender to use any 'from' address," says Jim Fenton,
a distinguished engineer at Cisco and one of the authors of the
standard. "Without too much work, you can say you're just about
anybody in an email."

DKIM was created from two technologies developed several years ago:
Yahoo!'s DomainKeys, which was developed for Yahoo! email users; and
Cisco's Identified Internet Mail. With the help of PGP, Sendmail, and
input from a host of other vendors, Yahoo! and Cisco combined their
efforts into DKIM, which is already being integrated into email
services, such as Gmail.

DKIM is designed to be implemented at the domain level and shouldn't
require any changes at the client, developers say. Essentially, a
domain owner -- such as an Internet service provider or a large
corporation -- equips its servers with the ability to "sign" outgoing
messages, verifying their authenticity.

On the other end, email security servers and applications can be set
to look for the DKIM signature in incoming messages, giving priority
to signed mail and red-flagging unsigned messages for further
scrutiny, or warning end users of potential problems.
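As an added illustration that is not part of the article or of any product it mentions, the receiver-side triage described above, run over constructed sample messages: it parses the DKIM-Signature tag list defined in RFC 4871, derives the DNS name under which the signer's public key is published, and compares the signing domain (d=) with the From domain, which the specification itself does not require to match. The domains, selector and signature values are constructed placeholders, and the cryptographic step (fetching the key and checking b= and bh=) is deliberately left out.

```python
import email
from email.utils import parseaddr

def build_message(dkim_header=None):
    """Build a sample message (constructed test data, not real mail),
    optionally carrying a folded DKIM-Signature header."""
    headers = ["From: Alerts <alerts@bank.example>", "To: customer@mail.example",
               "Subject: Statement ready"]
    if dkim_header:
        headers.append("DKIM-Signature: " + dkim_header)
    return "\n".join(headers) + "\n\nYour statement is ready.\n"

# Placeholder values; a real b= is a base64 RSA signature over the headers listed in h=.
SIGNATURE_BY_FROM_DOMAIN = ("v=1; a=rsa-sha256; c=relaxed/simple; d=bank.example;\n"
                            " s=mail2007; h=from:to:subject; bh=CONSTRUCTEDBODYHASH=;\n"
                            " b=CONSTRUCTEDSIGNATURE=")
# The same message signed by an unrelated domain: the "spammers use DKIM too" case.
SIGNATURE_BY_OTHER_DOMAIN = SIGNATURE_BY_FROM_DOMAIN.replace("d=bank.example", "d=bulk-sender.example")

def parse_dkim_tags(value):
    """Parse an RFC 4871 tag-list: 'tag=value' pairs separated by ';'.
    Whitespace inside values (b= and bh= base64 is routinely folded) is ignored."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags

def key_record_name(tags):
    """DNS TXT name a verifier queries for the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def triage(raw):
    """Receiver-side policy from the article: flag unsigned mail; for signed mail,
    report which domain vouched for it and where its key lives. Does not verify b=/bh=."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    sig = msg["DKIM-Signature"]
    if sig is None:
        return {"status": "unsigned", "from_domain": from_domain}
    tags = parse_dkim_tags(sig)
    missing = [t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if missing:
        return {"status": "malformed", "from_domain": from_domain, "missing": missing}
    signing = tags["d"].lower()
    return {"status": "signed", "from_domain": from_domain, "signing_domain": signing,
            "aligned": signing == from_domain or from_domain.endswith("." + signing),
            "key_record": key_record_name(tags)}
```

A message that arrives signed but with a d= unrelated to its From address passes DKIM as such; deciding what that signing domain's signature is worth is the reputation layer Fenton describes, not the signature itself.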

Fenton emphasizes that the new standard won't stop spam, but if it is
widely adopted it could force spammers to stop sending messages from
bogus email domains. "DKIM makes it harder for an attacker to make a
message look like it's coming from a bank or some other trusted
source, so it directly addresses some aspects of phishing," he says.
But spammers could actually use DKIM themselves, "and we have some
evidence that they already are."

Both Cisco and Yahoo! say they have already deployed DKIM to help
protect messages sent from their own domains. "We currently see about
a billion DomainKeys signed emails flow through Yahoo! Mail each
day," said Mark Delany, lead architect for Yahoo! Mail and author of
DomainKeys. "We look forward to continued momentum as more senders
adopt the new email authentication standard."

It's hard to say just how effective DKIM will be in reducing phishing
and spam from bogus addresses, Fenton says. First, it has to be
adopted, though that adoption should accelerate with the IETF's
blessing. "We have seen a lot of ISPs, and some big financial
institutions, on the verge of implementing it."

But it's important to remember that the standard itself won't stop
anything. "What it really does is make [anti-spam and anti-phishing]
products work better," Fenton says. "Its impact will be determined by
how it's used in products."

The IETF's DKIM Working Group is currently working on a best
practices document that will help vendors, users, email advertisers,
and reputation services get the most out of the standard, Fenton
says. The group is also developing language that will help email
domains tell recipients they are signing all of their messages with
DKIM.


- Tim Wilson, Site Editor, Dark Reading

---
* Origin: [adminz] tech, security, support -
http://cyberdelix.net/adminz/