Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/27/2012
08:09 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google, Microsoft Say DMARC Spec Stops Phishing

New email authentication framework called DMARC, backed by major email and security tool providers, aims to make spoofed domains in messages a thing of the past.

Leading free email providers AOL, Google, Microsoft, and Yahoo have banded together with financial, social media, and message security companies to make it easier to verify the authenticity of email messages.

Together, the companies on Monday announced the formation of DMARC.org, an organization that aspires to make email more trustworthy and phishing more difficult. DMARC.org will promote the DMARC specification, which describes how email senders should authenticate messages, how they should communicate their authentication practices, and how message recipients can discover and implement sender policies.

The acronym stands for domain-based message authentication, reporting, and conformance. Think of it as a set of rules that can make email more secure.

"It's a specification that the DMARC.org group has worked on over the last 18 months to produce," said Google product manager Adam Dawes in a phone interview. "It's a proposed mechanism by which senders and receivers can work together to fight phishing, and to lock down and prevent abuse of domains in the email channel."

[ Find out how the cloud can help security. Read Stolen iPhone Saved By iCloud. ]

Malicious email senders can easily make their messages appear to come from someone else's Internet domain, and such messages often are used for phishing--attempts to dupe message recipients into providing sensitive information under false pretenses or through malware.

According to the Anti-Phishing Working Group, there are presently about 20,000 to 25,000 unique phishing campaigns every month, each targeting hundreds of thousands to millions of email users. And thousands of fake phishing websites are set up every day.

Those involved in DMARC have a stake in making email a better experience. Dawes said that being duped by a phishing message often leads to compromises at multiple online services, because people tend to use the same password across different websites. Losing control of one's account, he said, "is one of the worst experiences that a user can have. If that happens because someone received a phishing message in his or her Gmail inbox, that's a terrible Google experience. Users rely on us to protect them against those threats."

In addition to AOL, Google, Microsoft, and Yahoo, other organizations participating in the DMARC group include financial companies Bank of America, Fidelity Investments, and PayPal; social media companies American Greetings, Facebook, and LinkedIn; and email security companies Agari, Cloudmark, eCert, Return Path, and Trusted Domain Project.

To fight phishing, various forms of email authentication are available, such as SPF, DKIM, and Sender ID. But there's no common standard. As a result, companies that authenticate their email have to coordinate with email providers to make sure that everyone is on the same page when it comes to which messages should be discarded for lack of authentication. PayPal began doing this with email providers in 2007, but approaching each email provider individually isn't ideal. DMARC isn't intended to replace existing specifications, but rather to tie them together.

"We view this as adding significant value to SPF and DKIM," said Microsoft engineer Paul Midgen.

The DMARC framework offers a way to formalize and automate message authentication processes and reporting so that security scales.

"What DMARC now allows is for any domain owner to have control over unauthenticated messages in the Gmail inbox," said Dawes. And the same holds true for inboxes operated by other email providers.

Agari, an email security provider, implemented DMARC last year and subsequently partnered with AOL, Google, Microsoft, and Yahoo. The company's Email Trust Fabric adds value to DMARC by turning raw DMARC data into actionable reports, to help companies understand their email infrastructure and message deliverability. Agari claims it has rejected approximately 4 billion threat messages since the technology was initially deployed in January 2011.

"For me, Monday is going to be one of the most auspicious days in the history of Internet security," said Agari founder and CEO Patrick Peterson in a phone interview in advance of DMARC's launch. "People will be able to send a message and recipients will be able to know where it came from."

Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our Compliance From The Inside Out report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
1/31/2012 | 12:49:01 AM
re: Google, Microsoft Say DMARC Spec Stops Phishing
This is a great step. The key will be the extent of adoption. There is still though the issue of people using similar domain names.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28452
PUBLISHED: 2021-01-20
This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request ...
CVE-2020-28483
PUBLISHED: 2021-01-20
This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.
CVE-2021-21269
PUBLISHED: 2021-01-20
Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The rust `join` method without checking user input might have made it abe to do a Path Traversal attack causing to read more f...
CVE-2020-25686
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same...
CVE-2020-25687
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This...