Yahoo Developing Open Source Server Software For Spam-Resistant E-Mail

Even as the House of Representatives on Dec. 8 approved the first federal bill to outlaw spam--the Can-Spam Act of 2003, which President Bush is expected to sign into law--businesses beset by unsolicited commercial E-mail continue to devise more robust defenses. The latest proposal from Internet service and content provider Yahoo Inc. calls for the deployment of open-source authentication software to verify the Internet domain from which messages originate.

The company is developing code, called DomainKeys, that's compatible with Sendmail and qmail, two popular E-mail transmission programs known as message transfer agents. It anticipates release sometime next year. DomainKeys will use public key cryptography to digitally sign outgoing messages to reassure a public now suspicious of E-mail.

An October study by the nonprofit Pew Internet & American Life Project found that more than half of E-mail users surveyed have become less trusting of E-mail as a result of spam. That's understandable given the ease with which spammers are able to make their solicitations and scams appear to have come from reputable sources.

As the largest commercial provider of E-mail in the United States, according to Nielsen/NetRatings' October numbers, Yahoo has reason to be concerned: Spam accounts for perhaps half of the messages it handles. "Clearly there's a real cost for us, as well as other major players," says Brad Garlinghouse, VP of communication products at Yahoo.

But the damage goes beyond dollars. "The cost to the spoofed companies is staggering," Tom Gillis, senior VP of marketing for anti-spam vendor IronPort Systems Inc., wrote in an E-mail message, "not only in terms of the cost to maintain an infrastructure capable of handling the inevitable influx of mail bouncing from bad addresses, but also the cost to their customer-service departments for handling the complaints, and the immeasurable damage to their reputations as trustworthy companies."While Garlinghouse acknowledges that sender authentication won't stop spam completely, he sees DomainKeys as a means to restore consumer trust. He says that once "we actually have credibility and confidence that the E-mail that said it came from Yahoo.com actually did come from Yahoo.com, we then can use other intelligence and filters ... so that an individual user can, with confidence and effectiveness, determine what actually ends up in his or her in-box."

Yahoo is already fighting spam on other fronts. In April, it formed an anti-spam alliance with America Online and Microsoft, to which it remains committed.

As for partners planning to implement DomainKeys, Garlinghouse expects some announcements soon. The software, he says, "is a very neutral solution that doesn't king-make one player. By making it easy for people to adopt a low-overhead, low-cost, highly credible deterrent to spam in the in-box, we're optimistic that we'll have some partnerships as we move forward."

Gillis sees the proposal as a positive step but cautions there's much left to do. "If this technology is adopted, it would be a great battle won in the war on spam, but the war is still far from over," he says. "While this would prevent spammers from imitating trustworthy senders, it does nothing to really limit the spam being legally sent from self-avowed spammers. The next step will be to determine how to stem the flow of spam from authenticated sources."