IETF Adopts DomainKeys Spec

Phish-fighting standard might offer some hope where other methods have failed.

By Andy Patrizio | Posted May 25, 2007
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

The Internet Engineering Task Force (IETF) has adopted a vendor-developed specification designed to detect e-mail with bogus header information. The technology could help reduce spam and phishing attacks that clog Internet traffic.

Yahoo was the initial developer of the spec, called DomainKeys Identified Mail (DKIM), but other participants joined the effort, including Cisco, Sendmail and PGP Corporation for later revisions.

The hope is that the specification could succeed where other efforts have failed. It puts validation of both the sender and receiver at the domain level. Phishing (define) almost always involves faking an address of a legitimate site, such as a bank or e-commerce sites like eBay and PayPal.

The spec will require a key for domains, but DKIM will distribute keys to any domain requesting one. Each domain has its own private and public keys. E-mail messages are signed with the private key and sent with the public key, which is embedded in the letter's header. The receiver then validates with the public key, and this tells the receiver that only someone with a valid private key could have originated the letter.

If the signature doesn't pass validation, the receiver has their choice of how to handle the letter. The DKIM spec doesn't dictate how to handle invalid letters. Most ISPs will likely label the letter junk mail although they have the right to block it.

Dave Crocker, principal consultant and founder of Brandenberg InternetWorking, is also involved in developing the spec and has decades of experience in working with e-mail systems. He said DKIM will be far more effective than the current method of IP filtering.

"IP addresses are a problem because they are associated with a machine rather than an organization or a person. Because they change, and they can be faked for all sorts of usage," he told internetnews.com.

One of the goals of DKIM is to create something easier to administer. A domain name is good for that, better than having it done on the individual clients. By having the server handle signing and validation, changes and updates are done on a few servers rather than every client computer.

However, that leaves DKIM open to a weakness. Crocker said it won't necessarily help defeat botnets (define), compromised computers with hidden software that pumps out spam unbeknownst to the computer's owner. Botnets are the primary source of spam on the Internet.

Because the client doesn't do the signing, the sending server does, DKIM has no way of knowing if an e-mail originated from the user's e-mail client or from a botnet program spitting out spam. And even if the good guys find a barrier, the bad guys find a way around it.

"DKIM is not about stopping botnets. It's about verifying that a message really involves whoever it says it involves. There's certainly an expectation it will be helpful against phishing because it allows you to start building for a basis for trust," he said.

It would also help that both sender and receiver are using DKIM. Moviola.com, a film equipment rental company in New York and Los Angeles, is one of the first companies to sign up for the service since its mail provider was involved in testing the specification, so it really isn't seeing benefits yet, said Shawn Silvas, system administrator with the company.

But he expects to. "It's going to change the nature of who's spamming," he said. "Hopefully it will help get rid of the spam, like zombies, but it won't help with business spam from legitimate companies like JC Penny. But if it can help reduce Viagra and stock spam, that will be nice."

Silvas said he doesn't care much for the existing spam blocking methods, such as IP black listing, because IP addresses can change on a DHCP (define) network.

"Just because an IP has sent out spam in the past isn't always bad, and just because it's flagged as good doesn't mean I want it. That really hits hard on small businesses whose e-mail is legit because if they are on a DHCP connection, they could get blocked," he said.

The DKIM spec has been fully approved by the IETF and published as an RFC, so people can start deploying it now. Crocker maintains a list on his home page, which at this point is rather modest. He expects it to grow.

Article courtesy of internetnews.com

Add to del.icio.us | DiggThis

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter