Sender ID, DomainKeys Are Hammering Spam
May 9, 2006
By Brian Livingston

When an 800-pound gorilla says, "You must prove to me that your e-mail isn't spam, or else," it's amazing how fast a lot of other big apes will comply.

I reported last week that 75 percent of Fortune 100 companies are now using Sender ID to positively identify their marketing e-mail messages. Even better, 45 percent are taking the next step and digitally signing their messages using DomainKeys.

These two e-mail authentication standards were at each other's throats and were barely used by large companies when I last wrote on this subject on Sept. 28, 2004. Now, the two technologies are seen as complementary. In fact, it's now clear that all serious sources of e-mail soon will have to adopt both techniques. As promised, the new methods are making it easier to separate genuine e-mails from spam, and the flows to some ISPs are actually declining as better filtering renders spam uneconomical.

These two e-mail authentication methods are experiencing remarkable growth, considering that they haven't been mandated yet by Internet standards bodies. The geometric adoption rates for Sender ID and DomainKeys demonstrate what can happen when the two kings of the e-mail jungle, Microsoft and Yahoo, start howling and beating their chests.

Prove Your E-Mail is Legitimate

In interviews with executives of Microsoft and Yahoo, I've found convincing evidence that shows why e-mail authentication is skyrocketing. It's because Microsoft's MSN/Hotmail, Yahoo.com's Yahoo Mail, and other large service providers are making senders' messages look very bad if they don't comply.

Hotmail for months has been displaying a scary, yellow banner warning consumers that certain messages "could not be verified by Sender ID." (See sample image in Figure 1 at the bottom of this article.)

Yahoo takes a different approach, prefixing a reassuring note to certain messages: "DomainKeys has confirmed that this message was sent by example.com." Messages that don't bear this assurance, of course, can look mighty suspicious. (See Figure 2, below.)

Other e-mail services are overwhelmingly moving toward full adoption of one or both methods of authenticating the source of inbound mail. All 18 of the largest ISPs are marking their outbound mail with one method or the other, according to a statement by an industry coalition. And several of them, in addition to Hotmail and Yahoo Mail, already are using a message's lack of authentication as a count against it when filtering out possible spam.

Consumers may not fully grasp the different standards. But there are signs that e-mail verification is making a difference. In an unpublished study that will be posted later this month by e-mail service Epsilon Interactive, 19 percent of Yahoo Mail users and 43 percent of MSN/Hotmail users say they've already noticed the two providers' authentication banners on messages they've received.

No major ISP is flatly rejecting messages that aren't authenticated. But that day clearly is coming. For those of us who hate the way spam and phishing messages have made e-mail dangerous and unreliable, mandating that all e-mail must confirm whom it's really from can't come too soon.

When a Phenomenal Growth Rate is Good

In an e-mail interview, Microsoft officials stated that it isn't just Fortune 100 companies that have adopted e-mail authentication; smaller companies are, too.

"There has been a threefold increase in Sender ID adoption among Fortune 500 companies, increasing from 7 percent in July 2005 to 21 percent in March 2006," said a spokesperson, who asked not to be identified in accordance with company policy.

"In the past year, the number of dot-com and dot-net domains publishing their SPF records [a subset of Sender ID] jumped by more than 125 percent, increasing from 750,000 domains in March 2005 to 2.16 million domains in March 2006," the spokesperson said.

As more corporations identify which IP addresses are legitimate sources of their e-mail, spammers and phishers who target those companies are getting squeezed out. "Thirty-two percent of inbound legitimate mail received in MSN Hotmail is now Sender ID compliant, up from 20 percent in January 2006," the spokesperson said. There's no benefit to spammers in adopting either Sender ID or DomainKeys, since verification of the sender's true identity is the last thing spammers want.

Getting Your Mail Through to Yahoo

A somewhat smaller number of companies are digitally signing messages using the technique called for by DomainKeys. The slower adoption rate is partly because of concerns that digital signing might slow down a corporation's heavily used outbound mail servers.

Those concerns have now proven false, says Miles Libbey, the antispam product manager for Yahoo Mail, which signs all outgoing mail. "Yahoo is the largest e-mail provider for consumers in the world, and we have yet to add a single piece of hardware because of DomainKeys," he asserts.

That view is confirmed by Jordan Cohen, director of ISP and government relations for Epsilon Interactive. Epsilon sends permission-based e-mail newsletters and notifications at the rate of 20 billion per year for its more than 500 corporate clients.

His service added DomainKeys signing to all outbound messages, Cohen says, and "fully implemented, we've seen a minimal hit. It's really negligible." Without providing specific figures, Cohen suggested that DomainKeys signing reduced a mail server's outbound capacity by nothing more than a rounding error. That easily could be made up by the improved deliverability that DomainKeys messages enjoy.

"Since DomainKeys proves that a message is not forged," says Yahoo's Libbey, "we skip all the filters that test whether the message is forged. So there's a higher delivery rate."

It's not just Yahoo that's checking e-mails for DomainKeys signing. Some of the other ISPs that already use DomainKeys to rate incoming mail are Earthlink, SBCGlobal, and British Telecom's BTInternet. AOL is widely reported to be implementing checks for both Sender ID and DomainKeys by the end of 2006.

"Now there's high penetration for [Sender ID's] SPF," says Epsilon's Cohen. "By this time next year, we'll see that same high penetration for DomainKeys."

Are You an Adopter or a Chicken?

DomainKeys provides a much greater level of assurance for e-mail than does Sender ID. Publishing an SPF record says that only certain IP addresses are authorized to send legitimate messages originating from a company. DomainKeys confirms not only that a message came from a recognized server but that it was authorized by someone in the company and was not altered in transit.

The rapid adoption of Sender ID and DomainKeys, though impressive, is marred by the fact that companies haven't yet declared, "Messages that are proved invalid should be bounced without exception." In part, this is due to hesitation over whether the two standards work reliably. But it's also true that many companies are simply afraid to take such a bold step.

In this space next week, I'll examine what it really takes for a business to become fully Sender ID and DomainKeys compliant -- and what's keeping so many companies from declaring that they're 100 percent on board.

Hotmail's SenderID warning message
Figure 1: Hotmail shows the above warning when senders haven't created a Sender ID record.

Yahoo's DomainKeys verification message
Figure 2: Yahoo shows the above confirmation for messages signed with DomainKeys.

Brian Livingston is the editor of WindowsSecrets.com and the coauthor of "Windows Me Secrets" and nine other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
