Cisco and Yahoo's Plan To Damn Spam
PHOTO: CHRISTOPHER HARTING
Back in the 1970s, when e-mail was invented, it
seemed everyone online knew everyone else. You could
almost count the number of servers on two hands, so
trust came to be built into the very guts of the
Internet. At the time this openness was very handy, but
today it's become one of the biggest problems for the
network and its millions of computers. Two consequences:
spammers inundate us with so many bogus missives that we
end up overlooking or losing important messages daily,
and customers are suspicious of e-mail from major
companies and brands like PayPal, CitiBank, and Rolex.

If e-mail servers could check to see if an e-mail
message really originated with the enterprise in the
"From" line, a great deal of spam could be identified
and eliminated. A number of schemes have been proposed;
the one that's emerging from the pack is called DKIM.
The "DK" stands for DomainKeys, which Yahoo Inc., of
Sunnyvale, Calif., offered to others and started to use
with its own e-mail accounts in 2003. The "IM" stands
for Identified Mail, which comes from Internet
Identified Mail, a method that San Jose, Calif.–based
Cisco Systems Inc. proposed in 2004. The two differed in
some details, but each used public-key cryptography to
allow a receiving mail server to verify that a message
was actually sent from the domain named in the message's
"From" line. In June 2005, the two companies released a
unified approach and a month later submitted it to the
Internet Engineering Task Force, a volunteer-based
organization that manages most Internet specifications.
Approval is expected but could take up to a year.

Companies that issue millions of e-mail accounts,
such as AOL, Comcast, Google, and Verizon, can easily
take on the servers and software needed to implement
DKIM. Smaller Internet service providers and
corporations, though, will have a tougher time
justifying that expense. One further complication with
DKIM involves alias addresses, such as the ones IEEE
members can get that end in "ieee.org." DKIM has a way
for these users still to use their alias addresses in
the "From" line, but they must add new software to their
desktops.

An alternative antispam scheme, called Sender ID,
also combines two earlier approaches. One was by
Microsoft Corp. The other, called Sender Policy
Framework, or SPF, was written by Meng Weng Wong,
creator of the Pobox.com e-mail service, from IC Group
Inc., in Philadelphia. Though several large firms have
implemented Sender ID, support for it seems to be fading
[see "Microsoft to Spammers: Go Phish," in this issue].
Even Sender ID's adherents acknowledge the value of the
Cisco/Yahoo approach. Wong, who believes the two
approaches can coexist, told IEEE Spectrum, "DKIM is
super. I look forward to it succeeding." Google is
already using both methods for its Gmail service.

So will spam disappear? Hardly. For one thing, much
of it comes from so-called zombie machines—naive
computers on the Internet that act as unknowing conduits
for sophisticated spammers who know how to use them as
mail servers. DKIM may, however, make a large dent in
the related problem of "phishing"—messages that lure a
user into logging onto a counterfeit server that seems
to be a bank or other firm that the user does business
with. If institutions such as PayPal Inc. and CitiBank
Group implement DKIM, and our Internet providers do as
well, perhaps people can once again trust messages that
purport to be from them.

More information at
http://newsroom.cisco.com/dlls/2005/prod_060105d.html.
—Steven Cherry