Justin du Coeur (jducoeur) wrote,
Justin du Coeur
jducoeur

[GEEK] SenderID -- not as bad as I'd feared

So the news is going around that AOL, Yahoo, EarthLink and Microsoft had agreed to move seriously towards a unified anti-spam technology, at least as a steppingstone towards more powerful mechanisms. That automatically put my hackles up: when the big players start pushing things like this, they sometimes wind up with technology that mostly favors those big players.

But having a done a detailed dig through the current draft of the proposed SenderID mechanism, I am pleased to tentatively say that it doesn't suck. It's a decently conservative approach -- basically, it provides a way to do sensible back-tracing of emails, without absolutely dictating difficult policies. It doesn't so much deal with spam per se as it does rough authentication of received emails.

The high concept is that, when a receiver gets an email, it looks at the headers to see who claims to have *sent* this email (crucially, this doesn't necessarily depend on the From: address, so it should still work for mailing lists, as well as third-party mail systems like Convoq): in particular, it grabs the purported sending domain and the actual IP address is came from. Then it goes to that domain, and sees if it publishes an Email Policy Statement, which is a special XML doc that lets the domain say things like, "all email from this IP range really came from us," or, "go talk to this other domain," or, "if it came from these IP addresses, reject it".

From there, it's up to the receiver to decide how to deal with it. Some cases are black-and-white: if the domain claims responsibility, then we have a reasonably reliable identity; if it explicitly disclaims responsibility, then the mail should be considered a forgery, and probably go into the bit bucket. If there's no definite answer (for example, if this domain hasn't implemented this mechanism yet), then it goes onto neither the whitelist nor the blacklist, and might be subjected to somewhat more stringent examination.

I suspect that the big players will apply fairly draconian rules before long, basically considering any email senders not using this mechanism to be spam factories. That'll cause major chaos for a little while, and some nasty inconvenience as people find themselves forced to adopt this tool or have their mail rejected, but the approach doesn't look too hard to set up, and I suspect it'll wind up becoming universal fairly quickly. It isn't nearly as powerful as some of the digital-signature approaches that have been proposed, but it's much more practical in the short term: it mostly requires work at the ISP level, and not a huge amount of work even there.

Overall, it's not bad. I have no illusions that spam will ever be eliminated. But this looks to be a good step towards closing the worst barn door, namely forgery. With email domains being regularly authenticated, blackhole mechanisms should become significantly more useful...
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 7 comments