From  Omar's post in Sender ID I see that Forbes has an article entitled Microsoft, Yahoo! Fight Spam--Sort Of. The article gives a pretty even handed description of the various approaches both Yahoo! and MSN are taking in dealing with phishing and spam.

In the article we learn

While some e-mail services have adopted SenderID, there are still many that have not. According to Cox, the other reason for the false positives is that not all users remain on a single server. “SPF says, ‘All of my mail should come from these servers,’” says Cox. For many of EarthLink’s customers, they can be legitimately on a variety of servers, such as a corporate server, and still send and receive mail using their EarthLink address. For those users, SPF fails.

EarthLink started testing DomainKeys in the first quarter of 2005 and now signs over 70% of all outgoing mail. Other companies are also testing DomainKeys. Yahoo! Mail claims to be receiving approximately 350 million inbound DomainKeys signed messages per day.

Critics have accused Microsoft forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systemsdo not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients.

Microsoft says that Hotmail will not junk legitimate e-mail solely because the sending domain lacks an SPF record. The company says SenderID will be weighed more heavily in filtering e-mails, but will remain one of the many factors used when evaluating incoming e-mail. The company did say that with increased adoption of Sender ID and SPF, it will eventually become a more reliable indicator.

Both SenderID and DomainKeys filter messages with spoofed e-mail addresses in which the sender has changed the "From:"field to make it look like someone else has sent the e-mail. For example, many phishing scams come from individuals posing as banks. Under the SenderID framework, if the bank has published an SPF record, the receiving server can compare the originating server against the SPF record. If they don’t match, the receiving server flags it as spam. DomainKeys perform a similar comparison but use an encrypted key in each message and the public key unique to each domain to check where the message originated.

The amount of phony email I get per week claiming to be from Paypal & eBay and requesting that I 'confirm my account info or my account will be cancelled' is getting ridiculous. I welcome any technology that can be used to fight this flood of crap.


 

Comments are closed.