Spam's new nemesis: Trust-based messages
The other day I was reading Investors Business Daily and came across an article whose title you see in the subject line of this blog post. The article is a Q&A Dave Crocker of BrandenBurg InternetWorking.
If you're like me and too lazy to click the link and read the article, allow me to post a couple of important excerpts.
IBD: What's your solution [to the spam problem]?
Crocker: You have to create what I call a trust overlay to the existing e-mail system. Existing senders and receivers can continue to use e-mail as before. All we're doing is adding a mechanism that lets them trust who mail is from and (determine) whether that sender is trustworthy.
IBD: Why is adding a special domain name important in identifying whether an e-mail message is wanted or not?
Crocker: Existing "reputation" based e-mail screening systems are based on very low-level addressing numbers that say where a server is attached to the Internet, rather than what organization is sending the message. DKIM will identify the sender.
IBD: Can you give an example of how DKIM prevents the delivery of unwanted spam?
Crocker: A classic example of spam abuse involves eBay's online payment system PayPal. Pay-Pal e-mail is often forged by hackers or other bad actors. They might send it as "paypa1.com," a so-called "cousin" domain that looks like the real one but is intended to confuse.
IBD: How does DKIM help?
Crocker: If I have a DKIM signature that's signed (with the string for) PayPal.com then it was really signed by PayPal.com and should be received.
IBD: In practice, what difference would using a trust-based e-mail service make to a typical office e-mail system?
Crocker: First-time senders wouldn't have their messages erroneously blocked. E-mail would also be marked as "definitely good" rather than "possible spam."
IBD: Are there any other advantages?
Crocker: Graphics in incoming e-mail won't be turned off. As a matter of safety, it's usually important to have e-mail graphics turned off because they could be the basis for possible hacker attacks. But if messages are marked as safe, the graphics are of no concern and can be shown.
In my next post, I will respond to some of these comments. One more note, I still haven't finished my series on authentication. I do plan to come back to it eventually. I have to hit up DKIM and the differences between it and DomainKeys, and also Sender Signing Practices.