Wednesday, May 23, 2007

The Final Solution for Junk Mail May be at Hand

Yes...a new technology is emerging that just might put an end to most spam forever, especially the fraudulent kind that tries to steal your identity. The Internet Engineering Task Force, a key Internet standards body, gave preliminary approval this week to a powerful technology designed to detect and block fake e-mail messages. It's called DomainKeys Identified Mail, and it promises to give Internet users the best chance so far of stanching the seemingly endless flow of fraudulent junk e-mail.

Yahoo, Cisco Systems, Sendmail and PGP Corporation are behind the push for DomainKeys, which the companies said in a joint statement will provide "businesses with heightened brand protection by providing message authentication, verification and traceability to help determine whether a message is legitimate." Insiders say the technology is more promising than most other anti-spam and antiphishing technologies because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants.

The way it works is straightforward: if, for instance, PayPal sends an e-mail notice to customers about their accounts, the company's outgoing mail server will quietly insert a digital signature into the legitimate message. (Because the signature is embedded in the message headers, it's generally not visible to human readers.)

Let's say the recipient has a Yahoo Mail address. Yahoo's mail servers can automatically check PayPal's Internet domain name listing to verify that the digital signature is valid and the message truly originated at Paypal.com. Signatures by authorized third parties are permitted as well, which is useful for outsourced e-mail.

If the signature doesn't check out, the message is probably spam, or a phishing attack designed to try to fool someone into divulging details about their PayPal account. While the DomainKeys standard doesn't actually specify that messages with invalid signatures should be flagged as junk, Internet service providers are likely to do just that.
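The receiving side described above can be illustrated with a short added example (not code from the original post or from any DKIM implementation). It reads the tags in a `DKIM-Signature` header, derives the DNS name where the signing domain publishes its public key, and checks that the body still matches the hash recorded in the header; the domain, selector and `b=` value are constructed placeholders.

```python
import base64, hashlib, re

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (whitespace in values is ignorable)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def canon_body(body: bytes, mode: str) -> bytes:
    """DKIM body canonicalization, 'simple' or 'relaxed'."""
    if mode == "relaxed":
        # collapse runs of spaces/tabs and drop whitespace at the end of each line
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                            for ln in body.split(b"\r\n"))
    body = body.rstrip(b"\r\n")              # ignore empty lines at the end
    if mode == "relaxed" and not body:
        return b""                           # relaxed: an empty body stays empty
    return body + b"\r\n"

def body_hash(body: bytes, mode: str = "simple") -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def key_record_name(tags: dict) -> str:
    """DNS name whose TXT record carries the signing domain's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_matches(sig_value: str, body: bytes) -> bool:
    """True if the body still hashes to the bh= value inside the signature header."""
    tags = parse_tags(sig_value)
    if tags.get("a") != "rsa-sha256":
        return False                         # this sketch handles only rsa-sha256
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags.get("bh") == body_hash(body, mode)

# Constructed sample: domain, selector and b= value are placeholders, not real data.
BODY = b"Your monthly statement is ready.  \r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2007;\r\n"
       "\th=from:to:subject; bh=" + body_hash(BODY, "relaxed") + ";\r\n"
       "\tb=PLACEHOLDER")

if __name__ == "__main__":
    print(key_record_name(parse_tags(SIG)))
    print(body_matches(SIG, BODY))
    print(body_matches(SIG, BODY.replace(b"ready", b"overdue")))
```

A matching `bh=` proves nothing by itself, since a forger can recompute it; the protection comes from the RSA signature in `b=`, which covers the header that contains `bh=` and must verify against the key fetched from the DNS name above (that step needs an RSA library and is not shown).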

In the long run, DomainKeys is more promising than existing antispam and antiphishing technologies, which rely on techniques like assembling a "blacklist" of known fraudsters or detecting such messages by trying to identify common characteristics. But spammers have invented increasingly creative counterattacks, such as inserting image advertisements in the text of messages and appending excerpts from news articles and fiction works in an attempt to defeat the popular antispam method of Bayesian filtering. That kind of counterattack is called Bayesian poisoning.

DomainKeys represents a radical shift in the arms race between phishers, in particular, and Internet users: it's effectively a tactical nuclear attack that can't be countered. The digital signatures, which use public key cryptography, are viewed as unforgeable. But the DomainKeys approach does suffer from one serious, short-term problem: it's only effective if both the sender's and the recipient's mail systems are upgraded to support the standard.

We shall endeavor to keep you informed of the progress of this product.
