Yahoo's Risky Antispam Gambit


By Alex Salkever

On Jan. 16 some of the e-mail business' biggest brains will gather on the Massachusetts Institute of Technology campus at Spam Conference 2004. The one-day powwow will mark the event's second year and will feature 18 presentations from a wide variety of spam fighters.

The conference is quickly becoming a hot ticket. Top-level technology executives from the Big Four Internet service providers that handle the majority of e-mail traffic in the country -- Microsoft's MSN (MSFT), Yahoo! (YHOO), America Online (TWX), and Earthlink (ELNK) -- will probably attend. So will a host of academics and company officials from the plethora of antispam software, hardware, and services outfits that have sprung up over the past two years. The Internet Engineering Task Force (IETF), the body that oversees the adoption and application of new tech standards to the Internet, will be represented by none other than Eric Raymond, the open-source guru and Linux legend.

ON THE CASE. Last year, nearly 600 people showed up for the conference, a crowd that caught the organizers by surprise. But attendance should really soar this year as geeks and suits alike crowd the room for advice on such arcana as how to beat Bayesian filtering and how to block spam at the SMTP level.

A Justice League? Perhaps. But beneath the common quest for knowledge lurks an emerging struggle between the Big Four and powerful players. At issue: Who'll decide what technologies become the standards that run the Internet?

Facing torrents of costly spam disruptions, the ISPs are on the case. The most aggressive has been Yahoo, which announced last month a new antispam effort it has dubbed DomainKeys. Yahoo's plan is to write open-source software for popular e-mail server programs such as QMail and SendMail that would check all incoming messages to ensure they're coming from real Internet domains. Those domains, in turn, would use the software to stamp valid messages coming out of their servers with an encrypted key that's very difficult to decrypt or replicate. The key would mark the message as O.K. And any ISP receiving mail from Yahoo and running the software could easily check, too.

JUMPING THE GUN? Later this year, Yahoo plans to turn on the system and start handing out the software. Folks who cooperate will have a much better chance of getting their e-mail delivered to Yahoo subscribers. And should the other big ISPs join with Yahoo in adopting this standard, the rest of the commercial Internet may have to join the parade or risk getting their e-mail shunted into a box marked "Possible Spam."

However, the idea isn't revolutionary. The IETF and plenty of other tech businesses and think tanks have tossed around similar proposals for authenticating e-mail.

A unilateral move from a powerful commercial entity such as Yahoo, however, threatens to overtake the Internet's governing bodies and could effectively cede control of e-mail technology standards to the mammoth ISPs. Rather than wait for the slow-and-steady standards boards to come up with a strategy, Yahoo appears to have jumped the gun.

"A BAD IDEA." "They're betting that because they're coming out with a strong idea and giving implementations away, they'll forestall further debate and have it take the world by storm. Maybe it will work, but usually it doesn't," says Paul Vixie, president of the nonprofit Internet Software Consortium and a prominent antispam advocate. In an e-mail, Eric Raymond wrote: "There's been a lot of discussion of Yahoo's 'domain key' proposal on the mailing list of the IETF's antispam-research group, and the general feeling is that it's a bad idea."

Raymond and others worry that DomainKeys will prove easily vulnerable to "replay attacks," which is when a spammer or impostor swipes a digital signature from a piece of DomainKeys-approved mail and uses it as fake authentication. The other problem, according to Vixie: If the Internet community ignores Yahoo and moves ahead with other solutions, running e-mail systems could become far more complex.
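
An added illustration (not from the article or from Yahoo's DomainKeys code) of why a valid signature does not by itself rule out the replay described above: the signature covers only message content, so a captured copy still verifies for any envelope recipient. The toy RSA key, the domain and addresses, and the `Receiver` class with its repeat-count threshold are assumptions made for this sketch.

```python
import hashlib
from collections import Counter

# Toy RSA key for the constructed domain example.com, built from two known
# Mersenne primes. Far too small and structured for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, kept by the sender
PUBLISHED_KEYS = {"example.com": (N, E)}  # what receivers can look up

def digest(headers, body):
    # Only message content is hashed; the SMTP envelope never enters here.
    text = "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n" + body
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N

def sign(headers, body):
    return pow(digest(headers, body), D, N)

def verify(domain, headers, body, signature):
    n, e = PUBLISHED_KEYS[domain]
    return pow(signature, e, n) == digest(headers, body)

class Receiver:
    """Hypothetical receiver: verifies, then counts repeats of a signature."""
    def __init__(self, replay_threshold=2):
        self.seen = Counter()
        self.replay_threshold = replay_threshold  # assumed policy value

    def accept(self, envelope_rcpt, domain, headers, body, signature):
        valid = verify(domain, headers, body, signature)
        if valid:
            self.seen[signature] += 1
        suspected = valid and self.seen[signature] >= self.replay_threshold
        return {"rcpt": envelope_rcpt, "valid": valid,
                "replay_suspected": suspected}

def demo():
    # Constructed sample message and recipients.
    headers = [("From", "news@example.com"), ("Subject", "Monthly update")]
    body = "Constructed sample message.\r\n"
    sig = sign(headers, body)
    rx = Receiver()
    first = rx.accept("alice@receiver.test", "example.com", headers, body, sig)
    replay = rx.accept("bob@receiver.test", "example.com", headers, body, sig)
    altered = rx.accept("bob@receiver.test", "example.com", headers, body + "x", sig)
    return first, replay, altered

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second delivery passes verification exactly as the first does; only the repeat count distinguishes it, while any change to the signed content fails outright.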

Curtailing spam, however, almost begs for one or two technology standards. Vixie likens the problem to what might happen if every power utility asked appliance makers to make a special plug that could receive electricity only from their individual system.

"LOTS OF WINDOWS." Raymond and antispam crusaders just don't like the idea of big ISPs becoming the tech standard-bearers. He worries that they won't take steps to completely eliminate unsolicited e-mail, since this would entail huge outlays to ensure that all e-mail traveling over their networks is truly solicited. Raymond, Vixie, and others see an inherent conflict of interest between ISPs keeping unsolicited e-mail out while making money by selling access to their customers.

Yahoo counters by saying it never sells e-mail access to its customers without receiving their permission first. But "it's everybody's dirty little secret. The real question is how many of us send out an e-mail and call it 'opt-in' when it's really 'opt-out,'" says Peter Kay, founder of e-mail-security outfit Titan Key.

Despite these objections, Yahoo says it believes DomainKeys could bring some immediate relief by making it harder for spammers to fake e-mail addresses. And it points out that it has taken pains to include others in the antispam community in any prevention efforts it has in the works. "It's important the industry understand this is a problem we're trying to solve in a bright room with lots of windows," says Brad Garlinghouse, Yahoo's vice-president for communications products.

ON A HIGH WIRE. He notes that Yahoo's plan to make the DomainKeys software open source hardly smacks of a power play, since anyone can examine the code to be used in the project. "It's a key priority for us and something that we want to keep pushing forward with aggressively," he adds.

Yahoo faces a delicate task. Push too hard, and it'll upset everyone else, including the other three big ISPs. Push too gently, and antispam technology standards may not develop quickly enough to alleviate the acute pain big ISPs are feeling from spam's rising costs. It's a high wire to walk, and Yahoo's grand plan for fighting junk messages could either make it a hero or cause a fall from grace. It's one story definitely worth watching.

Salkever is Technology editor for BusinessWeek Online. Follow his Nothing But Net column every week on BusinessWeek Online.

