[Spambayes] RE: Yahoo's "domain keys" and spam

Ryan Malayter rmalayter at bai.org
Mon Dec 15 11:15:03 EST 2003

[Seth Goodman]
> IMHO, this code belongs in the MTA's, not in SpamBayes. The 

Agreed, the true value of this approach is filtering at the MTA level.
But there must be some method of establishing a "trust level" for
authenticated sending domains, otherwise all the spam-houses will simply
put public keys in their DNS, install the signing feature on their
MTA's, use "real" domains in their messages and continue as before.

SpamBayes could be very useful in maintaining a "statistical trust" list
of domains, which an organization could enforce at the MTA level if they

> Both the DNS lookup and 
> the decryption calculation are very costly in terms of time 
> per message, but it may still be worth it.  That's your call.

This would be no more costly, really, than establishing an SSL
connection to a web site. The operations required are basically the same
as what Yahoo system would require:

	1) DNS lookup
	2) a download of a site certificate
	3) cryptographic verification of a message
		(in the case of SSL, this is the session key used
		for the encryption. In the Yahoo case, this
		would be verification of the signatures)

The Yahoo verification would also require the calculation of a hash of
several strings from the message header (sending domain, timestamp,
etc.), but this is computationally trivial once the mail message is in

Connecting to a commercial website via SSL (for example,
https://www.verisign.com), even with nothing in my DNS cache, takes much
less than 1 second over my company's T1. I would guess that performance
of message verification using Yahoo domain keys would be of similar.


More information about the Spambayes mailing list