News
1/31/2012
11:57 AM
New Industry Alliance Targets Phishing And Spam

DMARC can help fight bogus email--but only if senders publish its policies and receivers enforce its DKIM and SPF authentication rules.

A new industry consortium is attempting to advance the slow-moving state of the art in email security. Domain-based Message Authentication, Reporting & Conformance--DMARC--is a specification that builds on the two existing techniques for email authentication: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

The DMARC spec wraps a policy and reporting layer around SPF and DKIM, both of which have been around for many years. The goal is both to make them easier to act on for the receiving side, and to press large email senders to sign 100% of their outbound email.

Both SPF and DKIM use DNS records published by the sending domain to give the receiver something to check: SPF lists the hosts authorized to send mail for the domain, and DKIM publishes a public key that verifies a signature the sending server placed over the message. So where a phishing email appears to be "From: support@paypal.com", SPF and DKIM can show that it wasn't actually sent or signed by that domain. The caveat is that, on their own, SPF checks the envelope sender (the SMTP MAIL FROM) and DKIM checks whatever domain signed the message, and neither of those has to match the From: line the user sees. Tying the two back to the visible From: domain--"alignment"--is precisely what DMARC adds.

DMARC calls on email senders to sign 100% of their outbound email, to make sure the domain that SPF or DKIM authenticates aligns with the From: header, and to publish a DNS policy that tells receivers what to do with mail that fails (monitor only, quarantine, or reject). Receivers, in turn, send aggregate and failure reports back to the domain owner, so legitimate senders can see who is spoofing them and how much of their own mail is failing.

I asked John Levine, an author and consultant on Internet security and one of the authors of the DKIM-related Author Domain Signing Practices (ADSP) standard, about DMARC. He says it's a good thing as far as it goes, but "...it does have some of the chronic Internet tendency to put a steel door on a cardboard box." Like many security standards that are not mandatory, it can't fail where it isn't implemented: a message from a domain that publishes no SPF record and carries no DKIM signature gets a result of "none", not "fail", and the receiver is left to decide what that means. Neither DKIM nor SPF is at the point where a recipient can say that it will only accept messages that use them. Therefore you still need to keep your eyes open.

Consider the example of Bank of America, a member of DMARC and a prime phishing target. BofA has bought up a large number of Internet domains suggestive of its bank name or typos of the name (such as 1800thebofa.com, bancofamerica.com, wwwbankamerica.com). However, the total number of potential domains is very, very large. For instance, BofA does not own wwwbankfoamerica.com. So if a phishing email comes to you from support@wwwbankfoamerica.com, it won't fail an SPF or DKIM check, because that domain simply doesn't use those features, and DMARC only ever evaluates the exact domain in the From: header. A look-alike domain is outside its scope entirely.

Or SPF, DKIM, or both will kick in and pass--because the phisher controls the DNS for the look-alike domain and can publish a correct SPF record, DKIM key, and even a DMARC policy for it. Authentication proves only that the message really came from the domain it claims; it says nothing about whether that domain is trustworthy.
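To make the alignment rule and the look-alike problem concrete, here is an added example; it is not code from the article or from the DMARC consortium. It is a minimal DMARC evaluator in Python: it looks up the From: domain's _dmarc TXT record, tests whether the domain that SPF or DKIM authenticated aligns with the From: domain, and returns the disposition the policy asks for. The DNS records, the AuthResults inputs, and domain names such as evil-sender.example are constructed for illustration, and the organizational-domain logic is simplified (a real receiver would consult the Public Suffix List and verify the DKIM signature cryptographically). It covers both cases above: the spoofed From: paypal.com message fails because neither authenticated identifier aligns, while mail from a correctly configured look-alike domain passes every check.

```python
"""Added example (not from the article): minimal DMARC evaluation.

Models what a receiving server does after SPF and DKIM have already been
checked: fetch the From-domain's _dmarc TXT record, test whether the domain
each mechanism authenticated "aligns" with the RFC5322.From domain, and pick
a disposition.  DNS is a constructed dict so it runs offline; a real receiver
queries DNS, verifies the DKIM signature cryptographically, and should use
the Public Suffix List to find the organizational domain.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS TXT lookups.  These records are hypothetical,
# not the real published policies of any organization.
FAKE_DNS = {
    "_dmarc.paypal.com":
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@paypal.com",
    # A phisher who owns a look-alike domain can publish a perfectly valid
    # DMARC policy for it -- DMARC then says "authentic", not "legitimate".
    "_dmarc.wwwbankfoamerica.com":
        "v=DMARC1; p=reject; rua=mailto:abuse@wwwbankfoamerica.com",
}


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(from_domain: str) -> Optional[dict]:
    """Look for a policy at the From domain, then at its organizational domain."""
    for candidate in (from_domain, org_domain(from_domain)):
        record = FAKE_DNS.get("_dmarc." + candidate.lower())
        if record and record.lower().startswith("v=dmarc1"):
            return parse_dmarc(record)
    return None


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs only
    the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What SPF and DKIM reported, and for which domain they reported it."""
    spf_result: str             # "pass", "fail", "softfail", "none", ...
    spf_domain: str             # RFC5321.MailFrom domain SPF was checked for
    dkim_result: str            # "pass", "fail", "none"
    dkim_domain: Optional[str]  # d= of the signature that verified, if any


def evaluate_dmarc(from_domain: str, auth: AuthResults) -> tuple:
    """Return (disposition, reason).  disposition is 'pass', or the policy's
    p= value ('none', 'quarantine', 'reject') on failure, or 'none' when the
    From domain publishes no policy at all."""
    policy = lookup_dmarc(from_domain)
    if policy is None:
        return "none", "no DMARC record: unauthenticated, but nothing asks us to act"
    spf_ok = (auth.spf_result == "pass"
              and aligned(auth.spf_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = (auth.dkim_result == "pass" and auth.dkim_domain is not None
               and aligned(auth.dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "an aligned SPF or DKIM identifier authenticated the From domain"
    return policy.get("p", "none"), "SPF/DKIM passed only for other domains, or failed"


if __name__ == "__main__":
    # Case 1: header From spoofs paypal.com, but the phisher's own domain is
    # what SPF and DKIM actually vouched for -> not aligned -> p=reject.
    spoof = AuthResults("pass", "bulk.evil-sender.example", "pass", "evil-sender.example")
    print(evaluate_dmarc("paypal.com", spoof))  # disposition 'reject'
    # Case 2: look-alike domain the phisher owns and configured correctly.
    lookalike = AuthResults("pass", "wwwbankfoamerica.com", "pass", "wwwbankfoamerica.com")
    print(evaluate_dmarc("wwwbankfoamerica.com", lookalike))  # disposition 'pass'
    # Case 3: a domain that publishes nothing -> receiver has no policy to apply.
    print(evaluate_dmarc("example.org", AuthResults("none", "example.org", "none", None)))  # 'none'
```

The receiver's decision in case 2 is the point of the article: every check passes, so anything beyond "this mail really came from wwwbankfoamerica.com" has to come from a reputation check on the domain, which DMARC does not provide.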

So email security has advanced a little bit, and it's easier for organizations to follow best practices, but the real problem is that these practices are still just recommendations. Until recipients can require inbound mail to be authenticated and do a reasonable reputation check on the sending domain, the protection DMARC offers will be far less effective than it could be.
