Yahoo Takes Aim at Spam and Phishers
DomainKeys Framework Draft Submitted to IETF
Pedro Hernandez
Yahoo on Wednesday revealed that the company has submitted a draft of its DomainKeys framework to the IETF (Internet Engineering Task Force).
DomainKeys provides a mechanism by which e-mail servers or client applications can poll DNS to resolve public/private key pairs and confirm that the sender in the From: field is exactly who they claim to be.
The authentication scheme makes it tougher, if not impossible, for spammers to spoof domains, stripping them of the relative anonymity that they enjoy today and putting a dent in phishing schemes that are all the rage among scammers.
Phishing is a scam technique that typically claims victims by using a combination of vulnerability exploits and official-looking e-mails and/or web sites from the likes of eBay, CitiBank, PayPal, Amazon.com, etc. to lure unsuspecting victims into forking over their account information. With that information in hand, scammers raid the account holder's savings, make charges against those accounts, and in some cases, set the stage for identity theft.
Yahoo states that DomainKeys will help make "phishing" a lot harder to pull off. The company posts the following example of how the technology can help combat such activity:
Companies that are susceptible to phishing attacks can sign all of their outgoing emails with DomainKeys and then tell the world this policy so that email service providers can watch and drop any messages that claim to come from their domain that are unsigned. For example, if the company www.example.com signs all of its outgoing email with DomainKeys, Yahoo can add a filter to its SpamGuard system that drops any unsigned or improperly signed messages claiming to come from the domain www.example.com, thus protecting tens of millions of example.com's customers or prospective customers from these phishing attacks.
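The receiving-side filter described above can be sketched as follows. This is an added example, not code from Yahoo or from the article: the `DomainKey-Signature` header and the `o=-` ("signs all mail") policy tag follow the published DomainKeys specification, while the DNS table, the sample messages and the `signature_ok` callback are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups of "_domainkey.<domain>" policy
# records: "o=-" means the domain signs all of its mail, "o=~" only some.
POLICY_TXT = {"_domainkey.example.com": "o=-", "_domainkey.example.net": "o=~"}

# Constructed sample messages (the b= value is a placeholder, not a signature).
SIGNED = ("DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel1; "
          "d=example.com; b=CONSTRUCTED\n"
          "From: Billing <billing@example.com>\nSubject: Invoice\n\nbody\n")
SPOOFED = "From: Billing <billing@example.com>\nSubject: Verify account\n\nbody\n"

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def signs_all_mail(domain):
    # Simplification: policy is looked up for the exact From: domain only.
    policy = parse_tags(POLICY_TXT.get("_domainkey." + domain, ""))
    return policy.get("o") == "-"

def decide(raw_message, signature_ok):
    """Return 'accept' or 'drop'. signature_ok(msg, tags) is a hypothetical
    callback that does the cryptographic check against the key in DNS."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sig = msg.get("DomainKey-Signature")
    if sig is not None:
        tags = parse_tags(sig)
        d = tags.get("d", "").lower()
        # The signing domain must be the From: domain or a parent of it;
        # a valid signature from an unrelated domain proves nothing here.
        covers = bool(d) and (from_domain == d or from_domain.endswith("." + d))
        if covers and signature_ok(msg, tags):
            return "accept"
    # Unsigned or improperly signed: drop only if the domain signs everything.
    return "drop" if signs_all_mail(from_domain) else "accept"
```

A message whose signature verifies but whose `d=` domain does not cover the From: domain is treated the same as an unsigned one, which is the case a spoofer with their own valid key would otherwise slip through.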
Naturally, scammers who attempt to obtain DomainKeys will quickly find their operations not only exposed but also that much easier to track down.
DomainKeys has already won the approval of Sendmail, which announced its support for the standard earlier this year and is working the technology into its commercial and freeware Message Transfer Agent (MTA).