Yahoo, Earthlink Build Bulwark Against Spoofing

Yahoo (Nasdaq: YHOO) announced enhancements to its e-mail service, adding search, more storage and its DomainKeys sender authentication technology -- which is also being deployed by Internet service provider EarthLink (Nasdaq: ELNK) in a test roll-out.

While the news of the DomainKeys deployment was welcomed by most, there were also calls for the different methods of validating e-mail sender identity to be merged in order to adequately address spoofing.

Security and spam experts report a rise in the incidence of spoofing -- faking the "from" address -- and related online scams and crimes such as phishing, or baiting users into divulging information with official-looking solicitations and sites.

"Eventually, I think their ideas will be piled into one, but for now, it's just a matter of them jockeying to see who owns it," said industry analyst Joyce Graf. She told TechNewsWorld that the DomainKeys rollout was "on the right track."

Deployment Key

Yahoo, which also announced a free e-mail storage boost to 250 MB and e-mail search and transfer capabilities, said its DomainKeys will provide increased protection from spammers who use spoofing to steal information or damage reputations.

Although Graf said that DomainKeys will likely go through an awkward period because it is new, she lauded both the technology, which operates as a sort of caller ID for e-mail, and the consortium behind it.

The similar Microsoft-backed SenderID scheme is similar, but the technology that is deployed most frequently will likely be the winner. "Sometimes, the better solution is the one that's simply there," Graf said.

Identity Variety

DomainKeys is a sender validation technology that relies on public/private key cryptography to verify the sender of an e-mail message at the domain level, Yahoo said. A sending system uses a private key to generate a signature and inserts it into the e-mail header. The receiving e-mail system then uses the public key, published in the Domain Name System, to verify the signature.

Basex chief analyst Jonathan Spira told TechNewsWorld there are several similar technologies that accomplish the same thing, including Cisco's (Nasdaq: CSCO) Identified Internet Mail and the SenderID. That method, which checks the IP addresses of the servers in domains, recently moved ahead with release of a second version of the specification, Spira said.

Spira said there is a need for both technological and organizational synergy on the spoofing issue, which has tarnished e-mail as a communication medium.

"In order for the industry to move ahead, we need one merged technology in order to ensure interoperability and greater control, as well as one centralized authority to turn to," he said.

Spira, whose firm estimates spam costs business around the globe more than US$20 billion each year, said service providers such as Yahoo are also being forced to lower the rate at which spam slips into e-mail accounts.

"The cost is simply too high otherwise," Spira said.

Major Support

Spira, who noted that Google (Nasdaq: GOOG) is also using the DomainKeys technology for its e-mail service, said the test by EarthLink comes after a Federal Trade Commission/NIST summit held last week.

The summit "seemed to prompt all of these previously unplanned tests and announcements," Spira said. "EarthLink is only in the testing phase, whereas others are already using the technology.

"However, Earthlink is the first major ISP to announce a test," Spira said.

EarthLink, which recently rolled out its free ScamBlocker software to guard customers against phishing attacks, said it is testing DomainKeys to determine how it can best implement the solution.

Last year, EarthLink was the first major ISP to provide a permission-based spam-fighting tool, spamBlocker, to block unwanted junk mail, the company said.