Update: Industry group makes fresh push to fight phishing
Companies hope the new DMARC protocol will fend off fraudulent messages
IDG News Service - Companies such as Facebook, Google and PayPal are pushing for widespread use of a new technical specification, DMARC, that could make it harder for phishers to reach their victims.
A common problem with email is that it is very easy to spoof the "from" address, making it difficult for an average user to know if an email is really from the domain it purports to be from.
Technologies such as DKIM and SPF already allow domain owners to vouch for mail sent in their name, but don't specify what to do with messages that fail the test. DMARC builds on those systems, allowing domain owners to ask receiving mail servers to discard mail that fails authentication tests. That will make it less likely that scam messages impersonating sites such as PayPal will appear in your inbox.
There is a huge financial incentive for criminals to compromise user accounts on social internet and e-commerce sites in order to steal passwords and bank account or credit card details, according to the DMARC group. To do that, spammers and phishers often exploit trust in well-known brands by sending email purporting to be from such sites.
The specification for DMARC (Domain-based Message Authentication, Reporting & Conformance) allows organizations sending email to indicate whether they are using one or both of two security technologies to authenticate the sender of email messages, and includes a reporting mechanism where email senders can get feedback on how their messages are being handled. With that information, once domain owners have fine tuned the mail-sending process, they can tell receivers to outright reject messages purporting to be from the domain that don't pass muster.
One of the authentication technologies is DKIM (DomainKeys Identified Mail), which verifies the domain name through which a message was sent by analyzing the message's cryptographic signature. Recipients can choose to put more trust in messages coming from a domain that is considered reputable.
The other is SPF (Sender Policy Framework), which allows domain owners to specify which hosts are allowed to send email for their domains. With SPF, if a scammer forges the "from " address, a bogus email can be identified by checking the SPF record.
DKIM and SPF have been used by a number of companies for several years. But there are several problems that DMARC aims to fix. It has been hard for email receivers to always authenticate messages sent with SPF or DKIM due to the use of third-party service providers, according to DMARC.org.
Also, if a domain sends a mix of messages -- some authenticated, some not -- it's hard for receivers to distinguish legitimate messages that haven't been authenticated from fraudulent ones.
The DMARC group plans to submit a draft of the specification to the Internet Engineering Task Force in the hope that it will eventually become an industry standard.
Google is hoping the industry's latest push for DMARC will maintain momentum for antipsam efforts. So far, participating companies include Bank of America, Fidelity, Microsoft, Yahoo, PayPal, LinkedIn, AOL, American Greetings, Cloudmark and Agari.
"Industry groups come and go, and it's not always easy to tell at the beginning which ones are actually going to generate good solutions," wrote Adam Dawes, a Google product manager. "When the right contributors come together to solve real problems, though, real things happen."
The issue in the coming months will be how quickly the technology is adopted, said Paul Wood, senior intelligence analyst for Symantec.cloud, the company's Web-based security and email branch. There will be a certain amount of overhead that companies will incur when processing returned messages to see who is spoofing their domains, he said.
At the moment the technology "is very new so there are no clear best practice guidelines on how to do this," Wood said. But as it is more widely adopted, it could mark an end to spoofing problems, Wood said.
Send news tips and comments to firstname.lastname@example.org
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts