DomainKeys Versus the Spam Kingdom

As slashdot reported yesterday, Gmail has begun signing all its outgoing mail using Yahoo!’s DomainKeys. The system works like a very complicated wax seal. Imagine that I told everyone that I’d never send a letter without melting my seal onto it, and imagine that it’s impossible to duplicate my seal and only I have access to it. If you got a letter from me bearing my seal, you’d know I that it was from me and no one had already opened it. If you got a letter that didn’t have a seal, you’d know it might not be genuine. Google is the first major mail provider to support the technology (including Yahoo!, even though they invented it), but hopefully their backing will get other services to jump onboard.

An interesting consequence of this is that lots of legitimate services are going to start getting themselves into trouble. Say you read a news story you think a friend might find interesting. You might click their little “email this” button, fill out your name and address, their name and address, and click “send.” Many sites will send the email with your address as the sender. The problem is that you didn’t really send this email, the news site’s server did, and it’s just pretending to be you*. This doesn’t seem like that big of a deal, but generally I don’t want any email going out from my account if I didn’t actually type the message.

Since Gmail is now signing all of its messages with a domain key, you can be certain that any unsigned mail from a Gmail address was not sent by that address’s owner. In the above example, the email sent from the news site wouldn’t be signed, as it didn’t go through your email provider. Gmail has already started putting in a warning message whenever an unsigned letter comes in, so if you get a news snippet it might register as suspect because they spoofed your address. This is a good thing, because hopefully it’ll put the pressure on legitimate sites to stop spoofing.

Most email has very little security built in. Spammers use that fact to send out millions of messages using fake email address. Virus writers use that fact to send out malicious code using your address. From what I can tell, DomainKeys is a good, open service that anyone can use for free. If enough email providers jump on board, it could virtually eliminate spam.

*Yahoo! does this correctly. It sends all its mail from “refertofriend@reply.yahoo.com” and puts your address in the “reply-to” field. Many websites get it wrong, including the comment notification systems in Movable Type and TypePad.

iDisk Auto-Mounting Trouble

Whenever I log into my iMac, two versions of my iDisk mount. One is the default iDisk that comes up if you have a .mac account and is just called “iDisk.” The other is named the same as my username and mounts every time I log in. I’m canceling my .mac account in a few days, so I’ve taken the account off my machine, but the second iDisk continues to mount. Anyone know why?

Pop-Up Debating

Watching the vice presidential debates last night, it occurred to me that a big problem with the whole format is that we have no way to know if either person is lying or not. If Vice President Cheney says he’s created x jobs this year, how do we know he actually has? If he says that he never suggested a connection between Iraq and Al Qaeda, how do we know if he actually did?

Simple: pop-up video. A news channel needs to have a debate re-cap show with pop-ups containing the actual facts. If a candidate asserts something that contradicts an event that’s been captured on video, pause it and show the footage.

I’m not kidding about this. Politicians get away with a lot because mainstream media never calls them on what they say. All the fact-checking happens in newspapers or on websites that the general population doesn’t read, or on websites too partisan to trust. Put it on TV, throw in an entertaining host, and back it up with real facts, substantiated with actual video, and you can show the American people just who’s being straight with them.