Authentication and phishing

Yahoo announced today that they are releasing the Yahoo! Mail Anti-Phishing Platform (YMAP) that will help protect their users from phishing. They have a similar project in place for eBay and PayPal mail, but this will extend to a broader range of companies.

[W]e’re beefing up Yahoo! Mail’s SpamGuard by adding more security measures that make it much harder for phishers to get to your mailbox. We’ve teamed up with email authentication partners—namely, Authentication Metrics, eCert, Return Path, and Truedomain—to gain significant coverage to protect the prime targets of phishing attacks.

Phishing is a huge problem. I have an unprotected mailbox and get tens of dozens of phishing emails a day. But until there was a way to validate the sender of an email, rather than just the source IP, there wasn’t a good way to say that a particular email didn’t count.
SPF was one of the first attempts to solve this problem, but it didn’t do it very well. There were a number of very common uses of email that SPF didn’t accommodate.

Despite what the SPF crowd desperately wants to belive, there’s no simple way to tell what mail can legitimately be sent from what IPs. In some cases you can get pretty close, e.g., ESP spam cannon stuff, but even there plenty of people forward other accounts to gmail, which SPF doesn’t handle. — John Levine

Then there came Domain Keys and Identified Mail. Those two specs were close enough to one another that they merged into a single spec, DKIM. For the last few years significant numbers of people have been working to get DKIM stabilized and deployed.  That adoption and deployment lets companies build out products like YAMP and protect users from phishing.

Related Posts

Goodmail shutting down

Yesterday Goodmail sent out mail to all their customers announcing they are ceasing operations and taking all their token generators offline as of 5pm pacific on February 8th.
While this is a bit of a surprise on one level, I’m not that shocked. Ken Magill mentioned in August that Goodmail was on the sales block and rumors have been circulating for weeks about significant changes coming to Goodmail.
Goodmail has struggled to find a market since they first started. At one point they were even giving services away to customers at partner ESPs. Despite the free service, people at some of those ESPs told me they were having difficulty getting customers to adopt Goodmail.
Likewise, on the ISP side, Goodmail didn’t seem to have much penetration into the market. They had AOL, Yahoo and some cable companies, but not much else. And as of early last year, Yahoo removed the Goodmail machines.
I think the real underlying problem was that most companies who are doing things well don’t need certification services. Sure, there are a couple exceptions but in general anyone who is sending good mail is getting to the inbox. Even for companies where delivery was not quite as good as they might want, the marginal improvement at those ISPs that do use Goodmail was not sufficient to justify the cost of Goodmail services.
While I have the utmost respect for the Goodmail management team I think this result was almost inevitable. I never got the impression they valued the end recipient quite as much as the ISPs do. That was just one thing that lead me to believe they just didn’t seem to understand the email ecosystem quite the way that a certification service should.
I echo Dennis’ thoughts and well wishes towards the Goodmail folks. The experiment in sender financed delivery was well worth doing and I think they did it as well as anyone could have.

Read More

Email attacks

Ken has an article up today about the ongoing attacks against ESPs and email marketers. In it he says:

Read More

Holomaxx v. MSFT and Yahoo

I mentioned way back in January that Yahoo had filed a motion to dismiss the case against Holomaxx. Microsoft filed a motion to dismiss around that time, although I didn’t mention it here.
And, of course, Holomaxx filed a motion in opposition in both the Microsoft case and the Yahoo case. Nothing terribly interesting here, about what you’d expect to read.
On March 11 the judge ruled on both motions to dismiss and in both cases ruled that the case was dismissed.  He did, however, give leave for the complaints to be amended in the future.
As I expected the Judge agreed that MSFT and Yahoo have protection under the CDA. First, the court made it clear that providers are allowed wide leeway in determining what is objectionable to their customers.

Read More