Application Security
2/26/2015
10:30 AM

How To Reduce Spam & Phishing With DMARC

Providers of more than 3 billion email boxes have taken up a new Internet protocol to help put trust back into electronic messaging.

While email is a mission-critical communication channel for most companies, it has also become an untrusted one. Thanks to spam and phishing scams, users are taught to be wary of incoming messages. This lack of trust impacts a company’s ability to effectively communicate, market, and sell to customers via email. DMARC (Domain-based Message Authentication, Reporting and Conformance) stands to change all that.

Providers of more than 3 billion email boxes have taken up DMARC to help put trust back into email. DMARC is an Internet protocol specification that is going through the IETF standardization process. It provides visibility into email flows, and can tell receiving servers to delete spoofed messages immediately upon receipt, thus ensuring that only legitimate emails are delivered to inboxes.
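To make the receiving-side check concrete, here is an added example (not code from the article or from any DMARC implementation) that models how a DMARC-aware receiver evaluates a message against the domain's published policy, per RFC 7489. It assumes a simplified organizational-domain rule (last two labels, where real receivers consult the Public Suffix List) and ignores the sp=, pct= and reporting tags; the SPF/DKIM results are taken as already computed.

```python
# Added example, not code from the article: a simplified model of the check a
# DMARC-aware receiver performs (RFC 7489). Assumptions: organizational domain
# = last two labels (real receivers use the Public Suffix List); sp=, pct= and
# report tags are ignored; SPF/DKIM results are supplied by the caller.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def org_domain(domain):
    # Assumption: organizational domain is the last two labels.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment: same organizational domain. Strict ('s'): exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' when an aligned SPF or DKIM identifier authenticates the
    RFC5322.From domain; otherwise the published policy: none, quarantine or reject."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    # The same forged-From message under the three policies the article walks through.
    for policy in ("none", "quarantine", "reject"):
        record = "v=DMARC1; p=%s; rua=mailto:dmarc-reports@example.com" % policy
        # From: claims example.com, but SPF only passes for an unrelated domain.
        print(policy, "->", dmarc_disposition(record, "example.com", "pass", "other.example", "none", ""))
```

Only the reject policy instructs the receiver to discard such a message; under p=none it is delivered and merely reported.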

Image: "Email Icon", licensed under CC BY-SA 3.0 via Wikimedia Commons.

Nearly every company with a domain name should consider leveraging DMARC to help reduce spam and prevent phishing attacks. Here’s how.

Getting started with DMARC is easy. Any email sender and receiver can use the DMARC rails provided by the global community. Free use of the rails provides access to the critical, raw reporting data that helps you see who is sending email and who is spoofing your brand.

To start, we recommend deploying DMARC in monitoring mode. This is how nearly 100 percent of DMARC deployments on the sender side begin. As an email sender in monitoring mode, you advertise to the Internet that you want all DMARC-compliant email receivers (such as Google, Yahoo, Hotmail, and thousands more) to send you reports on who is sending email reportedly from your domain. That’s all there is to it. No emails are flagged, blocked, rejected, or quarantined.

After you are comfortable with the data collected in monitoring mode and you know that legitimate traffic is passing authentication checks, we recommend that you change your policy to quarantine mode. In quarantine mode, suspicious messages are put aside for review. This allows you to identify all internal and authorized email servers and ensure they are configured properly.

Once you have confidence that no legitimate email is mistakenly quarantined, then you can move to a reject policy. In reject mode, spam and phishing messages are deleted before they reach their destination. It is impossible for spoofed email to be delivered to DMARC-protected email servers. This solidifies the trust relationship between domain-based email sent by you and received by DMARC-protected mailboxes.
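The decision to move from monitoring to quarantine, and then to reject, should be driven by the aggregate (rua) reports that receivers send back. The following is an added example, not code from the article, that summarises a constructed aggregate report in the RFC 7489 XML format by source IP and checks whether every failing source is unknown, which is the condition the steps above describe before tightening the policy. The report content, the example.com domain and the documentation addresses 192.0.2.10 and 198.51.100.7 are all constructed sample data.

```python
# Added example, not code from the article: summarise a DMARC aggregate (rua)
# report so the monitor -> quarantine -> reject decision is made from data.
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 aggregate-report XML layout.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real senders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize_report(xml_text):
    """Return {source_ip: {"pass": n, "fail": n}} aggregated over all records."""
    summary = {}
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passed.
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        entry = summary.setdefault(ip, {"pass": 0, "fail": 0})
        entry["pass" if passed else "fail"] += count
    return summary

def safe_to_tighten(summary, authorized_ips):
    """True when no authorized sender has failing volume, i.e. a stricter p=
    would only affect sources you do not recognise."""
    return all(v["fail"] == 0 for ip, v in summary.items() if ip in authorized_ips)

if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    for ip, v in summary.items():
        print(ip, "pass=%d fail=%d" % (v["pass"], v["fail"]))
    # Assumption: 192.0.2.10 is our known mail server; 198.51.100.7 is not.
    print("safe to move to quarantine:", safe_to_tighten(summary, {"192.0.2.10"}))
```

A failing source that turns out to be one of your own servers (a marketing platform, a ticketing system) is the signal to fix its SPF or DKIM before tightening the policy, not to tighten anyway.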

As a final step, DMARC should be leveraged as part of a greater threat detection and mitigation strategy. DMARC provides valuable reporting information about the amount and structure of phishing attacks against a customer population. This data can be used to improve visibility into attacks, decrease takedown times and reduce losses related to account takeover. As a result, DMARC helps improve fraud intelligence around targeted attacks on your brand.

Daniel Ingevaldson has a 15-year+ career including early infosec innovators like Internet Security Systems (ISS), where he was a member of the famed "X-Force" threat and vulnerability research group, and continued on in various research leadership, engineering, consulting, ...
Comments
SagrikP543 (User Rank: Apprentice), 12/1/2016 | 5:24:29 AM
Create DMARC record to stop phishing
DMARC is a great way to prevent spammers from using your domain to send email without your permission. It improves mail authentication infrastructure. DMARC allows setting rules to reject or quarantine (SPAM/junk folder) emails from sources you don't know.
Marilyn Cohodas (User Rank: Strategist), 3/3/2015 | 10:15:07 AM
Re: DMARC is not going to stop phishing
Attackers will adapt to any countermeasure, but they will have to absorb new costs, take on new risks and settle for smaller returns.

That sounds like an effective countermeasure for the defenders, to me. Anything that makes it harder for attackers is a step in the right direction. 
dingevaldson (User Rank: Apprentice), 3/1/2015 | 3:17:48 PM
Re: DMARC is not going to stop phishing
@MrSmith01--that may be the case because Target has published a DMARC policy.  As more and more brands do so, and move that policy from monitor mode to reject, more and more attackers will be forced to use sister/cousin domains to launch attacks. I argue in the article that this is a good thing. DMARC must be used in conjunction with domain monitoring, internet-wide brand monitoring and proactive phishing detection. When implemented correctly, the combination of these technologies decreases the life-span of attacks, decreases the odds of credential theft and in the end makes attacks less profitable.

What DMARC will do is remove the attacker's option of launching attacks that are highly effective (will fool a substantial amount of recipients) and very inexpensive (email spoofing). It is useful to view this problem through an economic lens, because in the end, it is the most relevant view. Attackers will adapt to any countermeasure, but they will have to absorb new costs, take on new risks and settle for smaller returns.
MrSmith01 (User Rank: Apprentice), 2/27/2015 | 11:51:52 PM
Re: DMARC is not going to stop phishing
Except what if the email is from [email protected] or one of a hundred other variations an attacker could set up? Heck, I just saw a legitimate email for Target that used the domain mail-target.com. You see, domain names don't mean jack to typical users and are even non-trivial to sort out for more technical users. So, authenticating the domain in the from address is far less useful than you might think. Also, many of the phishing messages I see already don't get fancy with the from address, because they don't need to. This does make phishing a little harder, so it's good. I do not expect it to reduce phishing in any meaningful way though, because the same douchebags that were sending messages with spoofed from addresses last week will simply send the same exact message without spoofing the from address this week.
TerryB (User Rank: Ninja), 2/27/2015 | 1:47:36 PM
Re: DMARC is not going to stop phishing
Not sure I get what you mean. If someone is using [email protected] and asking a person to give me their logon credentials so I can troubleshoot something, it seems like this would work fine.

If your point is someone will just hack into my computer and use my email to send this, then I get your point not much help. But I suspect more people are spoofing from other mail domains than actually hacking and remote controlling a machine inside mail domain.

I do agree with your conclusion that the bad guys will adjust, they always seem to. But at least we would raise the bar a little, assuming the cost of this new DMARC is negligible.
Whoopty (User Rank: Ninja), 2/27/2015 | 12:26:56 PM
Interesting but...
Sounds interesting and will be something I bring up with my bosses next time we have a chat about email security. However I wonder if it's not quite the holy grail it's being made out to be? I'm sure that a few changes of techniques could easily circumvent some aspects of this. 
dingevaldson (User Rank: Apprentice), 2/27/2015 | 12:21:37 PM
Re: DMARC is not going to stop phishing
@MrSmith01--you bring up two points that I will address separately:

1. That DMARC is not going to stop phishing.

This is absolutely true and something that I say frequently. As an anti-fraud company, it is dangerous to say that any control will stop any threat because any measure is met with a countermeasure by attackers. The point I was making in the article is that it is in the email sender's best interest for numerous reasons to deploy DMARC policies on their domains to permanently remove the possibility of specific types of spoofed email from being delivered to the majority of global mailboxes. This will not stop phishing, but it will do more than any other technique to stop the most effective types of phishing attacks.

2. That many or most phishers don't bother to spoof the sender's domain.

This is more or less true, but I have a different view on this. Most of the phishing attacks that my company detects and takes down are from hacked WordPress servers. Most of these phishing attacks are poorly constructed and easy to identify. More of the attacks are automatically generated and run by phishkits. This is a high-volume game where attackers make a small but reliable return on their investment. However, the most effective phishing attacks (in terms of successful account takeover) are more effective, more targeted, better constructed. These attacks do often rely on domain spoofing or use of similar domains because victims still rely on the domain name displayed in their email client as a pseudo-authentication factor, even though it was never designed as such.

One point that I will try to make, and one that I have made in other articles about DMARC, is that online fraud mitigation and programmatic risk reduction for something as complex as a massive, distributed end-user population is a long game, it's a game of inches. Positioning DMARC as a tool to leverage against adversaries is not overselling, it is simple pragmatism. Closing the front door to attackers, thereby forcing them to try to get in through the window, is a "win" in this context. Anytime we can force our attackers to consume complexity that we force upon them, then we are moving in the right direction. For all of these reasons, DMARC is one of the best tools available to move things forward, and I didn't even get a chance to discuss the huge benefit from DMARC reporting!
MrSmith01 (User Rank: Apprentice), 2/26/2015 | 8:06:19 PM
DMARC is not going to stop phishing
"...thus ensuring that only legitimate emails are delivered to inboxes."

DMARC does not ensure that only legitimate emails are delivered, and it does little to reduce phishing attacks generally. It forces perpetrators to change their tactics, which has value for sure, but let's not oversell it. Many, perhaps most, of the spam and phishing attacks I see personally and professionally don't even bother spoofing the sender addresses. Just take a look at your own Junk folder.