New Industry Alliance Targets Phishing And Spam - InformationWeek

News
1/31/2012
11:57 AM

DMARC can help fight bogus emails--but only if everyone agrees to use its DKIM and SPF authentication rules.

A new industry consortium is attempting to advance the slow-moving state of the art in email security. Domain-based Message Authentication, Reporting & Conformance--DMARC--is a specification that builds on the two legacy techniques for email authentication: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

The DMARC spec creates a set of wrapper specifications and procedures around SPF and DKIM, both of which have been around for many years. The goal is both to make them easier to work with on the recipient side, and to press large email senders to sign 100% of their outbound email.

Both SPF and DKIM use the DNS records of the sending party to store information that the receiver can use to verify that the sender is actually sending from that domain. So where a phishing email appears to be "From: [email protected]", DKIM and SPF would detect that it wasn't actually sent from the servers in those domains.

DMARC calls on email senders to sign 100% of their outbound email and to include email headers that more clearly indicate the domain of the signer. Recipients also can more easily report domain spoofs to the legitimate senders.

I asked John Levine, an author and consultant on Internet security and one of the authors of the DKIM-related Author Domain Signing Practices (ADSP) standard, about DMARC. He says it's a good thing as far as it goes, but "...it does have some of the chronic Internet tendency to put a steel door on a cardboard box." As with many security standards that are not mandatory, mail that simply doesn't implement it doesn't fail any check. Neither DKIM nor SPF is at the point where a recipient can say that it will accept only messages that use them. Therefore you still need to keep your eyes open.

Consider the example of Bank of America, a member of DMARC and a prime phishing target. BofA has bought up a large number of Internet domains suggestive of its bank name or typos of the name (such as 1800thebofa.com, bancofamerica.com, wwwbankamerica.com). However, the total number of potential domains is very, very large. For instance, BofA does not own wwwbankfoamerica.com. So if a phishing email comes to you from [email protected], it won't fail an SPF or DKIM check because it won't use those features.

Or maybe SPF, DKIM, or both will kick in--but the email still won't look suspect, because the phisher controls the DNS for the lookalike domain and publishes perfectly valid SPF and DKIM records for it.
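To make the receiver-side mechanics concrete, here is an added example written for this article (it is not code from the DMARC spec, from any mail product, or from the author): a small evaluator that combines SPF and DKIM results with the sender's published policy. The domain names, the _dmarc records and the in-memory DNS table are constructed; it shows a spoofed From: at a domain that publishes p=reject being rejected, and the lookalike case above passing because the phisher publishes valid records for the lookalike domain.

```python
# Added example, not from the article: receiver-side DMARC evaluation.
# It combines the SPF and DKIM results a receiver already has with the
# sender's published _dmarc TXT record to decide what to do with a message.
# DNS is replaced by a constructed in-memory table so the code runs offline.

DNS_TXT = {  # constructed sample records; both domains are hypothetical
    "_dmarc.bankofamerica.example": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "_dmarc.wwwbankfoamerica.example": "v=DMARC1; p=none",  # lookalike, run by the phisher
}

def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def org_domain(domain):
    # Simplification: last two labels as the organizational domain
    # (real receivers consult the Public Suffix List instead).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (disposition, reason) for one inbound message.

    from_domain:      domain of the RFC 5322 From: header.
    spf_pass_domain:  domain whose SPF check passed, or None if SPF failed/absent.
    dkim_pass_domain: d= domain of a DKIM signature that verified, or None.
    """
    txt = DNS_TXT.get("_dmarc." + from_domain.lower())
    policy = parse_dmarc(txt) if txt else None
    if policy is None:
        # No published policy: nothing for the receiver to enforce.
        return "none", "no DMARC record for " + from_domain
    if aligned(spf_pass_domain, from_domain, policy.get("aspf", "r")) or \
            aligned(dkim_pass_domain, from_domain, policy.get("adkim", "r")):
        return "none", "DMARC pass"
    return policy.get("p", "none"), "DMARC fail"
```

Note that the lookalike domain passes cleanly: DMARC can only vouch for the exact domain in the From: header, so a domain the bank never registered is outside its reach.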

So email security has advanced a little, and it's easier for organizations to follow best practices, but the real problem is that these practices are still just recommendations. Until recipients can require inbound mail to be signed and do a reasonable reputation check on the sending domain, protection through DMARC will be far less effective than it might be.
