Google, Microsoft, Facebook, Bank of America team to wipe out phishing

Can industry heavyweights Google, PayPal, Microsoft and AOL — along with 11 others in high-tech such as Facebook and LinkedIn, as well as the financial world’s Bank of America and Fidelity Investments — succeed in stopping phishing attacks right in their tracks? In uniting behind an effort called DMARC.org unveiled today, the group says it can through policy-based steps filter out spoofed email that attackers use for phishing.

“Whether you are an enterprise or offering a consumer service, you can apply this policy now,” says Brett McDowell, senior manager of customer security initiatives at PayPal, who is chairman of the organization DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance.” The DMARC.org site today published guidelines and the specification for its technology, which makes use of the well-known standards Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), two basic approaches widely used today for authenticating email.

What DMARC adds is a policy-based framework of actions and reporting that email providers will follow to act on instructions from enterprise email managers to identify or even block spoofed mail exploiting any enterprise domain name. “We came together to produce a new standard, not a new technology,” says McDowell. “This leverages SPF and DKIM, and it puts an end to spoofing, the most common form of email abuse.”

Making use of the DMARC technology is as simple as asserting the protection policy that you, as the email manager, want enforced on behalf of your company, through a text record in DNS, says McDowell. According to the DMARC guidelines, the policy choices for a domain name include putting spoofed mail into a spam folder, throwing the spoofed mail away, or quarantining it. Organizations still getting familiar with DMARC can instead ask only to be told about spoofed email, without any other action being taken. But DMARC backers say they have spent more than a year developing and testing the filtering technology, and that false positives are a rarity.

Reports about DMARC-based actions would be delivered in XML format for purposes of interoperability, and the report data would be about the domain name under care, in a bare-bones form that doesn’t include any email content, says McDowell. “It’s anonymized and aggregated,” says McDowell. He says DMARC is taking care to be mindful of privacy issues.
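The two pieces the article describes, the policy asserted in a DNS text record and the anonymized, aggregated XML report that comes back, can be illustrated with a small parser. The following is an added example, not code from the article or from DMARC.org: it checks a constructed DMARC record for the hypothetical domain example.com, then tallies a constructed aggregate report laid out in the XML format the DMARC specification uses (source IP, message count, and the evaluated DKIM, SPF and disposition results, with no message content). The report IPs are documentation addresses, and the third source, which passes DKIM but fails SPF, stands in for the legitimate third-party sender the article mentions later.

```python
"""Parse a DMARC policy record and summarize an aggregate (XML) report.

Added example; the record and report below are constructed samples, not
real DNS data or a report from any mailbox provider.
"""
import xml.etree.ElementTree as ET

# Constructed TXT record for the hypothetical domain example.com.
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=quarantine; pct=100; "
    "rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
)

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict and list any problems.

    An empty problem list means the record is usable. Defaults for pct and
    relaxed alignment are filled in so callers need not special-case them.
    """
    tags, problems = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed tag {part!r}")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if tags.get("v") != "DMARC1":
        problems.append("missing or wrong version tag (expected v=DMARC1)")
    if tags.get("p") not in VALID_POLICIES:
        problems.append("p must be one of none, quarantine, reject")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports will arrive")
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags, problems


# Constructed aggregate report; IPs are from documentation address ranges.
SAMPLE_AGGREGATE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1328140800</begin><end>1328227200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_aggregate_report(xml_text):
    """Tally message counts per source IP from an aggregate report.

    A message passes DMARC when the aligned DKIM result or the aligned SPF
    result is 'pass'; anything else is a failure the domain owner should review.
    """
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "total": 0, "passed": 0, "failed": 0,
               "by_disposition": {}, "sources": []}
    for record in root.findall("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        dkim, spf = evaluated.findtext("dkim"), evaluated.findtext("spf")
        disposition = evaluated.findtext("disposition")
        passed = "pass" in (dkim, spf)
        summary["total"] += count
        summary["passed" if passed else "failed"] += count
        summary["by_disposition"][disposition] = (
            summary["by_disposition"].get(disposition, 0) + count)
        summary["sources"].append({"ip": row.findtext("source_ip"), "count": count,
                                   "dkim": dkim, "spf": spf,
                                   "disposition": disposition, "dmarc_pass": passed})
    return summary


def failing_sources(summary):
    """Source IPs whose mail failed DMARC, largest senders first."""
    bad = [s for s in summary["sources"] if not s["dmarc_pass"]]
    return [s["ip"] for s in sorted(bad, key=lambda s: -s["count"])]


if __name__ == "__main__":
    tags, problems = parse_dmarc_record(SAMPLE_DMARC_RECORD)
    print("policy:", tags["p"], "problems:", problems)
    report = summarize_aggregate_report(SAMPLE_AGGREGATE_REPORT)
    print(report["total"], "messages;", report["failed"], "failed DMARC from",
          failing_sources(report))
```

Running the sample reports 163 messages, of which 35 from one source failed both aligned checks and were quarantined under the published policy; the 8 messages that passed DKIM but failed SPF still pass DMARC, which is the "either mechanism" rule that keeps a DKIM-signing contractor from being flagged as a spoofer. Real reports arrive compressed by mail, one per reporting provider per day, so a production tool would loop this summary over every file received.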

Enterprises may want to take a do-it-yourself approach to DMARC implementation. But two companies that participated in the DMARC effort, Agari and Return Path, are now offering services to support it.

At a price said to start at a few thousand dollars per month, Agari, for example, would aggregate the XML-based report files each day, which might amount to tens of megabytes of data, and analyze them for evidence of misuse of domain names. Agari CEO Patrick Peterson says the service can analyze DMARC data to answer, “What are the bad guys doing? Are they pretending to be you? Here is a bunch of mail purporting to be from you, but is it?” He notes there are instances where there is legitimate third-party use of your domain for email under contract arrangements.

Jim Love, Chief Content Officer, IT World Canada