Yahoo, Sendmail to test antispam system

The companies are developing an authentication system to reduce the common spam practice of spoofing, and they plan to test it by March.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Internet company Yahoo and software provider Sendmail said Tuesday that they will jointly develop a system for authenticating e-mail, with the goal of mitigating spam.

The two Silicon Valley companies announced support of DomainKeys, a proposed system for verifying the identity of an e-mail sender and reducing e-mail forgeries. Yahoo--which runs a Web-based e-mail service used by more than 39 million people in the United States, according to Nielsen/NetRatings--plans to develop and test the system by March. Sendmail's open-source technology, which routes the bulk of corporate e-mail to and from the Internet, will be integral to the experiment.

"In working with Sendmail, and other industry leaders, we are able to develop a powerful authentication solution to solve the spoofing problem and lay the foundation for future antispam advances," Brad Garlinghouse, Yahoo's vice president of communication products, said in a statement.

In a separate announcement, Sendmail said Tuesday that it will back Microsoft's system for identifying the origin of e-mail, an initiative called "caller ID for e-mail" that aims to cut down on fraud. Sendmail will develop software tools for Microsoft's program as plug-ins for its open-source and commercial software.

For its part, AOL is experimenting with its own authentication system. In January, the online unit of media giant Time Warner said it implemented SPF, or Sender Permitted From, an emerging authentication protocol for preventing e-mail forgeries. The trial involves the company's 33 million subscribers worldwide and is the first large-scale test for the protocol, which standards groups are considering along with various other e-mail verification proposals.

Yahoo, Microsoft, AOL and others are trying to soften a growing headache for Web surfers and corporations. More than 50 percent of e-mail sent today is unwanted junk e-mail, and the spam volume costs mail providers millions of dollars in hijacked bandwidth, storage and defense measures.

Key to thwarting spammers is developing methods to verify that people are who they say they are. E-mail spoofing is one of the toughest problems for Internet service providers and antispam companies to crack, largely because Simple Mail Transfer Protocol (SMTP)--the method for sending e-mail--offers no widespread means to detect and authenticate a sender's identity. Junk mailers typically cover their tracks by hacking into unprotected e-mail servers or open relays, or by falsifying names and e-mail addresses in the mail sender field.

DomainKeys is a proposed system that attaches encrypted "keys" or tags to every e-mail sent--with one key held in a public database and another key, which is private, linked to the message. Once the message is delivered, the receiver could match up the private key to the public key held in the open database to verify the sender's identity. But if the public key cannot corroborate the signature, the message would be subject to the receiver's spam policy.
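The signing and verification flow, sketched as an added example that is not part of the original article or Yahoo's or Sendmail's code: the sending server keeps the private key and signs each message, the public key is published in DNS under a selector, and the receiver uses it to check the signature. Textbook RSA over SHA-256 with fixed toy primes stands in for a real signature library, and the domain, selector, message fields and simulated DNS table are constructed for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed; trivially
# factorable, for illustration only).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays on the sending server

# Simulated DNS: the public key is published under <selector>._domainkey.<domain>.
DNS = {"mail1._domainkey.example.com": (N, E)}


def digest(from_addr, body, n):
    """Hash the signed content (From address and body) to an integer below n."""
    h = hashlib.sha256(f"{from_addr}\n{body}".encode()).digest()
    return int.from_bytes(h, "big") % n


def sign(from_addr, body, selector="mail1"):
    """Sending server: sign with the private key and attach the signature."""
    domain = from_addr.rsplit("@", 1)[1]
    sig = pow(digest(from_addr, body, N), D, N)
    return {"from": from_addr, "body": body, "d": domain, "s": selector, "b": sig}


def verify(msg):
    """Receiving server: look up the claimed domain's public key and check."""
    if msg.get("b") is None:
        return "unsigned"
    if msg["from"].rsplit("@", 1)[1] != msg["d"]:
        return "fail"  # signing domain does not match the From domain
    key = DNS.get(f"{msg['s']}._domainkey.{msg['d']}")
    if key is None:
        return "fail"  # no public key published for this selector
    n, e = key
    ok = pow(msg["b"], e, n) == digest(msg["from"], msg["body"], n)
    return "pass" if ok else "fail"


if __name__ == "__main__":
    good = sign("alice@example.com", "Quarterly report attached.")
    print(verify(good))                                # genuine message
    print(verify(dict(good, body="Cheap pills here")))  # body altered in transit
```

A result of `fail` or `unsigned` is where the receiver's spam policy would take over.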

Following their tests, Yahoo and Sendmail plan to develop an open-source package for wider adoption in the industry. Late last year, Yahoo said that it was developing DomainKeys for its mail system, and Tuesday's announcement builds on that initiative.