Yahoo pitches antispam system
Newly passed bill inadequate to halt junk e-mail, firm says
By Hiawatha Bray, Globe Staff, 12/10/2003
One of the world's largest Internet companies, Yahoo Inc., says it will take more than the bill passed by Congress this week to stop the tidal wave of unwanted e-mail messages. So Yahoo is promoting a technical fix: a new way of handling e-mail that will help weed out billions of spam messages before they clog recipients' mailboxes.
Yahoo officials acknowledge the system, called DomainKeys, won't eliminate spam. But they say it will go a long way toward reducing the problem, by making it harder for spammers to conceal their identities. The system won't work, however, unless Internet e-mail services worldwide adopt the Yahoo approach.
The DomainKeys system, which Yahoo unveiled last week, would add a new feature to mail servers, the computers that relay e-mail. Each server belonging to a particular Internet domain, such as Yahoo.com, would have its own digital key, which would be virtually impossible to forge. This key would be used to put a digital "signature" on all mail sent through a Yahoo.com server. The recipient's mail server would recognize the signature, thus proving the message came from Yahoo.com. A spammer using a phony Yahoo.com address wouldn't have the correct key, so his messages would be discarded.
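The sign-and-verify flow described above, as an added Go sketch that is not Yahoo's code and not part of the original article. The article names neither the signature algorithm nor how recipients obtain a domain's key, so Ed25519 and the in-memory `keys` directory are assumptions, and the addresses are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Message is a simplified e-mail plus the signature added by the sending server.
type Message struct {
	From, Body string
	Sig        []byte
}

// signedBytes binds the signature to both the claimed sender and the body.
func signedBytes(m Message) []byte { return []byte(m.From + "\n" + m.Body) }

// Sign is what the sending domain's server does with its private key.
func Sign(m Message, priv ed25519.PrivateKey) Message {
	m.Sig = ed25519.Sign(priv, signedBytes(m))
	return m
}

// Verify is the recipient server's check. keys is a hypothetical directory
// of domain public keys; the article does not say how they are distributed.
func Verify(m Message, keys map[string]ed25519.PublicKey) bool {
	at := strings.LastIndex(m.From, "@")
	if at < 0 {
		return false
	}
	pub, ok := keys[strings.ToLower(m.From[at+1:])]
	if !ok || len(m.Sig) == 0 {
		return false // no key for this domain, or unsigned mail
	}
	return ed25519.Verify(pub, signedBytes(m), m.Sig)
}

// Demo checks genuine, forged and altered mail (all constructed samples).
func Demo() (genuine, forged, altered bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, spammerPriv, _ := ed25519.GenerateKey(nil)
	keys := map[string]ed25519.PublicKey{"example.com": pub}
	msg := Message{From: "alice@example.com", Body: "Lunch at noon?"}
	good, fake := Sign(msg, priv), Sign(msg, spammerPriv)
	tampered := Message{From: good.From, Body: "Buy now!", Sig: good.Sig}
	return Verify(good, keys), Verify(fake, keys), Verify(tampered, keys)
}

func main() { fmt.Println(Demo()) }
```

Only the message signed with the domain's own key verifies; the copy signed with a different key and the copy whose body was changed after signing are both rejected.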
Sending messages from false e-mail addresses, sometimes called "joe jobbing," is a common spammer tactic. A study released this year by the Federal Trade Commission found that one-third of the spam messages studied contained false information about the sender's identity.
The bill would make joe jobbing a federal crime. Known as the Can Spam Act, it would allow companies to send unsolicited e-mail ads, but only if the message reveals its source. Mailers would also have to state the message is an advertisement and honor requests to remove recipients from the company's mailing list. But critics say it will be difficult to enforce.
Congress approved the measure Monday, and President Bush is expected to sign it into law.
"I don't see this law as being particularly effective," said Jesse Dougherty, director of development at Sophos PLC, an antivirus and antispam firm with US headquarters in Lynnfield. Dougherty suggested that large-scale spammers could respond by buying legitimate Internet domains and using them to send spam, discarding the domains after detection. Many spammers are also overseas, outside US jurisdiction.
Brad Garlinghouse, Yahoo's vice president of communications products, said his company's plan would add teeth to the proposed law. Users of the DomainKeys system would instantly spot messages with forged return addresses. These could be collected for further investigation, and those responsible for sending them could be prosecuted. "The enforceability really goes up," Garlinghouse said.
He said the system would do nothing against spammers who use legitimate e-mail addresses, but said DomainKeys would weed out so much spam that other filtering systems would do a better job on the remaining messages.
Garlinghouse said Yahoo is seeking a patent on the DomainKeys technology, but will license it at no charge to anyone who wants it. Yahoo is also creating software that will add the capability to Qmail and Sendmail, two of the most common e-mail server programs. This software will be distributed free.
Lance Weatherby, chief marketing officer at CipherTrust Inc., a Georgia maker of antispam filtering software, praised the Yahoo proposal, but said it will work only if a large number of the world's leading Internet companies make their mail servers compatible with the DomainKeys system. "It's going to have to become a standard," said Weatherby, "and Yahoo has never demonstrated the ability to create an Internet standard before." This year, Yahoo teamed up with other major Internet companies, including America Online and Microsoft Corp., to announce an allied effort against spam. So far, nothing has come of the alliance, and the Yahoo announcement suggests the company may be inclined to go it alone.
A spokesman for Microsoft described the Yahoo announcement as "unfortunate," but said the antispam alliance is alive and well.
Garlinghouse said Yahoo has proposed DomainKeys to the other members of the alliance, who have responded favorably. "We remain completely committed to that alliance, and we remain in constant communication with that group," he said.
Hiawatha Bray can be reached at bray@globe.com.
© Copyright 2003 Globe Newspaper Company.