E-mail authentication

[Doctor Q]

I read a good article on the pros and cons of the main two methods for e-mail authentication, both attempting to provide a "caller ID" type service for e-mail so that ISPs or recipients can filter out spam.

"Domain keys" (supported by Yahoo) uses a verification process, encryption, and a reputation score. The simpler "Sender ID" method (supported by Microsoft) uses a list of approved sender IP addresses.

Neither is a complete and perfect solution since:

1. These methods, like Caller ID on your phone, rely on an understanding by users of what the information (e.g., sender reputation scores) means, so education is needed.

2. Spammers can go through the approval process (until they are later caught and weeded out).

3. Zombie PCs (PCs of legitimate businesses or users) taken over by hackers can send spam, which would therefore come from a previously legitimate source.

4. The whole process of migrating to authentication-based e-mail suffers from a chicken-and-egg problem. Companies and end users have little incentive to adopt the technology until it has caught on with others. If Windows and Mac OS X, along with the most popular other software, had it built in, this would help.

All in all, both methods could help reduce spam and e-mail-based scams, and any improvement should be welcome.

 

[Doctor Q]

If they need a potentially foolproof (yes, foolproof) method of encryption, here's the underpinnings of a method we might get to use in 5 or 10 years: quantum cryptography.

These researchers found that they could measure the position of a photon within a pixel array to learn information about (or, the way some people explain the theory, cause a particular position of) another photon that is quantum linked (entangled) to it and therefore mirrors its position within an identical pixel array.

Because the information content depends on the number of pixels in the pixel array, this method stores more information than previous quantum cryptography methods that rely on binary properties such as polarization.

 

[rdowns]

I use an Email Service Provider to deliver emails at work. Helps with issues of list cleanliness, deliverability and bogus spam reports.

At a recent conference, they spoke of an initiative that would allow a server to only send 20,000 emails a day used with another of the ideas out there like Sender ID. Theory is that spammers would not invest in the hardware necessary to deliver the huge amounts of email they need to make it worthwhile.

 

[dubbz]

Another issue with Sender ID is that Microsoft holds some patents revelant to the technology, with terms not compatible with the GPL, making it unpopular with some free software groups (which is problematic consider how much of the net is powered by free software).

Yahoo! have some patents related to Domain Keys but they are licensed under (free software) friendly terms.