Miles Libbey
Anti-Spam Product Manager
Yahoo! Mail (Nasdaq: YHOO)
SecuritySolutionsWatch.com:
Please tell us about your background.
Miles Libbey:
I work as anti-spam product manager for Yahoo! Mail, a global
leader and the No.1 Web mail provider in the
U.S.
In this role, I’m responsible for the effectiveness of
Yahoo!’s SpamGuard filtering technology and I oversee
development and implementation of all anti-spam initiatives. As
part of my role, I’ve been focusing on Yahoo!’s e-mail
authentication efforts and have been working with others in the
industry to encourage use of Yahoo!’s signing technology,
DomainKeys.
I joined Yahoo! in March 2001, after previously working for
a consulting firm and at Amazon.com. I have a BA degree from Brown
University in biology and an MBA from the University of Michigan.
SecuritySolutionsWatch.com: What are the latest developments in
the e-mail industry fight against spam and e-mail forgery?
Miles Libbey:
Many in the e-mail industry are working to protect consumers from
potentially dangerous junk e-mail, called “phishing attacks”
– fraudulent e-mails designed to
trick consumers into divulging personal data. Yahoo!
is fighting the spam war on multiple fronts, including pursuing
litigation against spammers, developing enhanced technologies,
collaborating with others in the industry and educating consumers.
As an example of one of the technology solutions we’re
supporting, DomainKeys Identified Mail (DKIM) is an e-mail signing
technology which combines Yahoo!’s DomainKeys and Cisco’s
Internet Identified Mail. DKIM is designed to combat e-mail
forgery which is commonly associated with phishing attacks. DKIM
gives e-mail providers a mechanism for verifying the domain of the
e-mail sender, offering e-mail users an additional level of
protection against e-mail fraud and phishing.
SecuritySolutionsWatch.com:
Why is Yahoo! playing a leading role in developing an e-mail
authentication solution?
Miles Libbey:
E-mail is one of the most powerful and essential communication
tools of our time. As a global leader in e-mail, protecting
consumers from spam and e-mail fraud is a top priority. The
industry at-large has identified e-mail authentication as a
critical step in combating the e-mail forgery issue. Yahoo! is
focusing on DKIM as an e-mail authentication solution so that
consumers will regain their trust in e-mail.
SecuritySolutionsWatch.com:
What exactly is "phishing," and how does it work?
Miles Libbey:
“Phishing e-mails” contain forged e-mail headers (the name in
the From line) designed to look like they come from a trusted
brand. These fraudulent messages may look almost exactly like an
e-mail from a well-known financial institution, Internet Service
Provider (ISP) or transactional web site.
Phishing e-mails usually contain urgent requests asking the user to update
their personal information in an attempt to steal this data. The
messages often include links to fake company Web sites which
closely resemble those of trusted brands. As a general rule,
consumers should never respond to e-mails asking for passwords,
credit card numbers or personal information, and should contact
the company directly if they receive suspicious e-mails that
appear to be fraudulent.
SecuritySolutionsWatch.com:
Why is e-mail authentication considered the critical step to
combating e-mail forgery and phishing?
Miles Libbey:
The forging of another person's or
company's e-mail address to get users to trust and open a message
is one of the biggest challenges facing both the Internet
community and anti-spam technologists today. Without sender
authentication, verification, and traceability, e-mail providers
cannot know for certain if a message is legitimate or forged and
will therefore have to continually make educated guesses on behalf
of their users on what to deliver, what to block, and what to
quarantine, in the pursuit of the best possible user experience.
E-mail authentication is considered the critical step to combating e-mail
forgery and phishing because it provides a mechanism for
verifying both the domain of each e-mail sender and the integrity
of the messages sent (i.e., that they were not altered during
transit). And, once the domain can be verified, it can be compared
to the domain used by the sender in the From field of the message
to detect forgeries. If it's a forgery, then it can be identified
as spam or fraud, and it can be dropped without impact to the
user. If it's not a forgery, then the domain is known, and a
persistent reputation profile can be established for that sending
domain that can be tied into anti-spam policy systems, shared
between service providers, and even exposed to the user.
SecuritySolutionsWatch.com:
How does DomainKeys Identified Mail work?
Miles Libbey:
DomainKeys Identified Mail (DKIM) gives e-mail providers a system
to verify the domain of each e-mail sender and the integrity of
the messages sent. Both the recipient and sender need to be using
DKIM-enabled e-mail systems. Each DKIM-enabled
e-mail is sent with a ‘key’ that acts as a verifiable marker
for both the sender and recipient of each e-mail message.
From the time an e-mail is sent to when it is delivered,
the ‘key’ acts as proof to both systems that the e-mail is
sent from the entity to which it is attributed.
An e-mail that is received to a DKIM-enabled account then
verifies the key and alerts the recipient that the message is from
the expected sender.
A more technical explanation of DKIM can be found at: Yahoo!
Anti-Spam Resource Center
SecuritySolutionsWatch.com:
What other organizations have been involved in the development and
testing of DomainKeys Identified Mail?
Miles Libbey: In conjunction with Yahoo!, Cisco, PGP
Corporation and Sendmail have partnered to author and submit DKIM
to the Internet Engineering Task Force (IETF) for consideration as
a new e-mail industry standard to help enable industry-wide
adoption of the technology.
In addition to this list, numerous industry
players have collaborated to develop an open-standard e-mail
authentication specification, and industry collaboration has
played a critical role in the process. Industry leaders who
played a valuable role in furthering the development of the DKIM
specification include Alt-N Technologies, AOL, Brandenburg
Internetworking, EarthLink, IBM, Microsoft, StrongMail Systems,
Tumbleweed, and VeriSign. The participation of these
companies has been instrumental in creating this single,
signature-based e-mail authentication proposal.
