Antispam developer: New method is only a first step
A Cisco engineer behind the promising new DomainKeys Identified Mail standard warns it isn't immune to exploitation by cybercriminals, but is instead more like "a peephole in the door."
Editor's note: This story was updated at 2:51 p.m. PDT to clear up confusion between DomainKeys, a standard already in use, and DomainKeys Identified Mail, the up-and-coming technique to which some are now migrating.
WASHINGTON--A new antispam technology that recently got a preliminary nod from an international standards body holds promise, but an engineer who helped develop the technique says it's not a surefire way to keep e-mail from criminals out of your in-box.
The technique, called DomainKeys Identified Mail, or DKIM for short, relies on a digital signature quietly inserted on the sender's end, which is designed to vouch for the identity of a message's sender. The Internet Engineering Task Force, a key standards body, adopted a draft of the standard in May.
The standard, which has backing from Yahoo, Cisco Systems, Sendmail and PGP Corporation, doesn't require that messages with invalid signatures be flagged as junk, but Internet service providers are likely to do just that.
Just because a message passes that authentication test, however, doesn't mean it's a "good one," Cisco distinguished engineer Jim Fenton cautioned attendees at a spam summit here organized by the Federal Trade Commission.
"Cybercriminals will authenticate their messages," said Fenton, whose company has deployed the DKIM system for about a year and has counted valid signatures from more than 20,000 domains. "They will do whatever it takes to make their messages look more legitimate."
Fenton said that Cisco has "strong circumstantial evidence" based on its own experience that cybercriminals are registering "throwaway" domain names and doing just that.
But even if spammers simply create their own domains with valid DomainKeys records, the technique still does two things: First, it shrinks the number of domains that spammers can use. And second, it permits antispammers to create a reputation database that tracks throwaway domains and marks those as sources of junk e-mail.
The use of DKIM also isn't a cure-all for phishing because phishers can still acquire domain names that closely resemble authenticated ones.
Fenton and the other drafters of that standard are, however, working on another specification, called "signer sending practices," that is designed to make that practice more difficult as well. That specification would propose a method for mail senders to advertise how they sign their mail, with the goal that unsigned messages from look-alike domain names will appear relatively more suspicious to e-mail users.
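The flow the article describes, with the signature check, the reputation lookup and the advertised signing practice layered on top of each other, as an added example that is not from the article or from Cisco's deployment: the sending domain publishes a public key under a selector in DNS and signs each message; the receiver verifies the signature, then asks a reputation database whether the signing domain is any good, and for unsigned or broken mail consults the From domain's advertised practice. Everything here is constructed: the domains (bank.example, throwaway-123.example, bank-secure.example), the DNS zone and reputation database are in-memory maps, the signed input is a simplified stand-in for DKIM's canonicalized headers and body, and Ed25519 keys are used for brevity where DKIM of that era used RSA. The `_practices` record is an assumed simplification of the "signer sending practices" idea, not the specification's actual record format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Message is a constructed, simplified e-mail: the From domain, the body and
// the DKIM-style tags (s=selector, d=signing domain, b=signature).
type Message struct {
	FromDomain, Body, Selector, SigDomain string
	Signature                            string // base64; empty when unsigned
}

// zone stands in for DNS TXT lookups:
//   <selector>._domainkey.<domain> -> base64 public key
//   _practices.<domain>            -> "all" when the domain signs every message (assumed record)
type zone map[string]string

// reputation stands in for the antispam reputation database the article
// describes: domains seen sending junk are marked "throwaway".
type reputation map[string]string

type Verdict string

const (
	Authenticated   Verdict = "authenticated"                  // valid signature, no bad reputation
	BadReputation   Verdict = "signed-but-throwaway"           // valid signature from a known junk domain
	PolicyViolation Verdict = "unsigned-but-domain-signs-all"  // From domain says it signs everything
	Unverified      Verdict = "unverified"                     // nothing to see through the peephole
)

// signedBytes is the simplified signing input; real DKIM canonicalizes
// selected headers and the body before hashing.
func signedBytes(m Message) []byte {
	return []byte(m.FromDomain + "\n" + m.SigDomain + "\n" + m.Body)
}

// Sign attaches a signature made with the signing domain's private key.
func Sign(m *Message, selector, domain string, priv ed25519.PrivateKey) {
	m.Selector, m.SigDomain = selector, domain
	m.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBytes(*m)))
}

// Verify checks the signature against the key published in the (simulated) zone.
func Verify(m Message, z zone) bool {
	if m.Signature == "" {
		return false
	}
	pub, err := base64.StdEncoding.DecodeString(z[m.Selector+"._domainkey."+m.SigDomain])
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false // no key published, or a malformed one
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), signedBytes(m), sig)
}

// Classify is the receiver's decision: the signature answers "who sent this",
// the reputation database answers "is that sender any good".
func Classify(m Message, z zone, rep reputation) Verdict {
	if Verify(m, z) {
		if rep[m.SigDomain] == "throwaway" {
			return BadReputation
		}
		return Authenticated
	}
	if z["_practices."+m.FromDomain] == "all" {
		return PolicyViolation
	}
	return Unverified
}

// RunScenario builds the constructed cases from the article and returns a verdict per case.
func RunScenario() map[string]Verdict {
	z, rep, keys := zone{}, reputation{}, map[string]ed25519.PrivateKey{}
	for _, d := range []string{"bank.example", "throwaway-123.example"} { // both publish keys
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		keys[d] = priv
		z["s1._domainkey."+d] = base64.StdEncoding.EncodeToString(pub)
	}
	z["_practices.bank.example"] = "all"       // the bank advertises that all its mail is signed
	rep["throwaway-123.example"] = "throwaway" // learned from earlier junk

	legit := Message{FromDomain: "bank.example", Body: "Your statement is ready."}
	Sign(&legit, "s1", "bank.example", keys["bank.example"])
	spam := Message{FromDomain: "throwaway-123.example", Body: "Cheap pills!!!"}
	Sign(&spam, "s1", "throwaway-123.example", keys["throwaway-123.example"]) // signs, as the article warns
	tampered := legit
	tampered.Body += " Click here to confirm." // altered in transit, signature no longer matches
	spoof := Message{FromDomain: "bank.example", Body: "Verify your account now."}        // unsigned
	lookalike := Message{FromDomain: "bank-secure.example", Body: "Verify your account now."} // unsigned look-alike

	out := map[string]Verdict{}
	for name, m := range map[string]Message{"legit": legit, "spam": spam, "tampered": tampered, "spoof": spoof, "lookalike": lookalike} {
		out[name] = Classify(m, z, rep)
	}
	return out
}

func main() {
	for name, v := range RunScenario() {
		fmt.Printf("%-10s %s\n", name, v)
	}
}
```

The spam case is the article's point in code: the throwaway domain's signature verifies just like the bank's, and only the reputation lookup separates the two. The spoof and tampered cases show what the advertised practice buys: unsigned or broken mail claiming to be from a domain that signs everything is flagged, while the unsigned look-alike domain is merely "unverified", which is why it still needs the user's own suspicion.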
The most appropriate way to think of DKIM, Fenton said, is not as a foolproof answer to keeping the bad stuff out of your in-box, but as "a peephole in the door" that gives clues about what to trust.