IE 11 is not supported. For an optimal experience visit our site on another browser.

New .mail domain designed to slow spam

A radical new e-mail verification system hopes to use a top-level domain called ".mail" to make spam easier to fight and phish harder to hide.

It's one of the boldest proposals yet to fight spam, and it's not a moment too soon. The first message on the public comment page devoted to the proposal read like this:

"I am a highly placed official of the Government of Nigeria and also a founding member of the ruling Peoples Democratic Party (PDP). Myself and other colleagues in the NDDC are currently in need of a foreign partner ..."

This spring, the Internet Corporation For Assigned Names and Numbers (ICANN) announced it was entertaining a list of proposals for new top-level domains that would join well-known Internet designations like .com, .net and .org. There are 10 new variations, with creation of an all-adult .xxx domain getting perhaps the most initial attention. 

But some Internet spam fighters are putting their hopes behind a radical new e-mail verification system that begins with creation of a top-level domain called ".mail."  As a byproduct, .mail could also put a serious dent in so-called "phisher" scams: e-mails which look like they are from companies like eBay or Citibank, but are really designed to steal your personal information.

While there have been a host of anti-spam schemes put forth by industry and trade groups in recent years, the .mail proposal is being taken seriously because it's being sponsored by one of the best known keepers of spam filter lists, the Britain-based Spamhaus Project.

End the cloak of anonymity
At its core, the idea behind .mail is simple: eliminate the ability of spammers and hackers to hide behind the anonymity of e-mail.

"With our proposal they can't forge the e-mail," said Chris Ambler, chief software strategist at domain registrar eNom.com and someone who helped draft the plan. "Our system would catch that."

The key problem with both spam and phisher e-mail has been the fact that senders can obscure who they are, Ambler said. In fact, most phisher e-mail addresses are "spoofed" -- that is, they appear to come from legitimate companies. That's because today's e-mail systems are easily fooled into putting text like info@citibank.com into the "from:" field in an e-mail.

The .mail proposal would change that.

First, taking ownership of a .mail domain name would require a much more stringent process than the what's currently required to control a .com, .net or .org site. A group set up by Spamhaus would verify all applications.

"We set the bar high to obtain use of one of these," said Matt, a Spamhaus volunteer who withheld his last name -- many Spamhaus workers keep their identities secret to avoid retribution from spammers. Matt currently assists in administering the Spamhaus black list, which attempts to cut off spammers by identifying their Internet locations. "The .mail applications would be heavily vetted."

For starters, only owners of the corresponding .com sites could pick up .mail sites -- in other words, only msnbc.com could control msnbc.com.mail. And the .mail version would only be granted if the .com version of the site had been in stable ownership for six months, and the corresponding administrative contact information was valid. In addition, registration would be a hefty $2,000.

Authorized e-mail only
The second step in implementing the anti-spam proposal would require software changes in the back-end systems that pass e-mail around the Internet. E-mail servers would have to be reprogrammed to challenge every e-mail that arrives, double-checking the return address against the Spamhaus list. Only e-mail with return addresses that check out would be sent; e-mail with "spoofed" headers would be dropped.

The effect is similar to a white list, where only mail from a pre-approved set of people is allowed into an inbox. With .mail, only e-mail from preapproved domains is allowed through.

The software changes to e-mail servers isn't an overwhelming barrier and in most cases could be made in a few minutes, Matt said.

Eric Allman, the creator of Sendmail, the e-mail routing software which processes about two-thirds of the Internet's e-mail, is also on the board of directors for the proposed .mail governing organization.

ICANN is currently hosting a public comment period on all the new proposals. So far, .mail hasn't attracted much attention, beyond the former Nigerian government officials and a set of e-mails with familiar subject lines like "Re:Your Document," generated by computer viruses -- exactly the kind of stray traffic the proposal is designed to contain.

Won't stop current spam
But critics have already begun to attack the plan, saying spammers will simply find their way into the .mail system the way they have taken ownership of various .com domains.

The .mail signup process will be so time-consuming that it wouldn't be financially viable for spammers to use it, Matt said. And Spamhaus' experienced staff will be able to shut off any domain owner who misbehaves.

Instead, the biggest challenge facing acceptance of the .mail solution is the fact that it doesn't do anything to stop the flow of spam or phisher e-mails that pound your current inbox.

"This isn't a plan to end spam," said Matt. "This will just help ensure sender authentication. But that doesn't sound as marketable."

Another way of putting it: The proposal wouldn't so much fix the current e-mail system as create a new, spam-free e-mail area of the Internet. Spammers could still send just as much e-mail throughout their currently-owned .com domains; criminals could still impersonate eBay.com.

"This won't stop people from spamming in .com and .net," Ambler said. "But it will only allow legitimate mailers to get into the .mail zone."

That could be a relief to companies like eBay.com, which are having trouble communicating with their customers via e-mail, since so there are so many fake e-mails floating around. E-mail from eBay.com.mail would effectively have a Good Housekeeping seal. Eventually, Matt said he hopes that e-mail clients could display such notes in a different color, or with a new logo that designated them as authentic. 

And when the system reached critical mass, e-mail users could largely ignore most e-mail that came from .com and .net domains.

That might sound like a radical solution, but Matt said he believes the spam problem is weighty enough that e-mail providers and users are ready to take major steps to address it.

"Critical mass will be reached by people getting more and more fed up with the amount of spam," he said.