A new way to net phish


Some 300 billion emails circulate each day, but they still can't escape a fundamental flaw – that users who receive these messages can't be certain who sent them. This underlying weakness has led to phishing and spam being persistent threats on the web for many years.

But the age-old quest for accountability in digital communication has a new champion: Domain-Based Message Authentication, Reporting and Conformance (DMARC), a new specification that its creators hope will soon be adopted by the Internet Engineering Task Force (IETF).

DMARC has a few things working in its favor that past authentication attempts didn't. For one, it is not a standalone protocol, but one that works in concert with popular security methods already adopted: DomainKeys Identified Mail (DKIM), a technique that associates a domain name with an email message, and Sender Policy Framework (SPF), which detects spoofing.

“DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms,” according to the group. “This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo and any other email receiver implementing DMARC.”

Second, DMARC has some muscle behind it. Not only are the major email providers behind the system, but so are some of the most digitally abused brands, such as PayPal. And third, DMARC gets away from the traditional approach of blacklisting. “DMARC gives us an ability not just to guess if that message is good or bad, but to actually know whether it came from a legitimate organization,” said Patrick Peterson, founding member of DMARC and CEO of email security firm Agari.

DMARC uses DKIM and SPF to vet, at the domain level, the trustworthiness of emails. Email providers can then, through their own policy and through user preferences, get as granular as they wish. That can range from simply monitoring unauthenticated messages to blocking them outright.

The specification also allows senders to publicize their email handling practices, while receivers can offer feedback.
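To make the mechanics described above concrete (DMARC building on SPF and DKIM, a domain-level verdict, a published policy that ranges from monitoring to blocking, and a feedback address for receivers), here is an added Python example. It is not code from the article, the DMARC group or any mail provider; the DMARC record, domains and authentication results are constructed for the illustration, and the organizational-domain rule is simplified to the last two labels where a real receiver would consult the Public Suffix List. It goes slightly beyond the article by including the strict/relaxed alignment modes and the subdomain policy tag that the specification defines, and it omits pct sampling.

```python
"""Added illustration of how a receiver evaluates DMARC (not from the article).

The receiver combines the SPF and DKIM results for a message with the sender's
published DMARC record and decides, at the domain level, whether the message is
authenticated and what to do with it if it is not.  All data here is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed record of the kind a sender publishes as a TXT record at _dmarc.example.com
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; sp=reject; pct=100; adkim=r; aspf=s; "
                 "rua=mailto:dmarc-agg@example.com,mailto:dmarc-agg@reports.example.net")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; ...' into a dict, applying the spec's defaults for absent tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless told otherwise
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified here to the last two labels.
    Real receivers use the Public Suffix List so that names under e.g. co.uk work."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match with the From domain,
    'r' accepts any domain under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class DmarcResult:
    passed: bool
    disposition: str                 # "none", "quarantine" or "reject"
    reasons: List[str] = field(default_factory=list)
    report_to: List[str] = field(default_factory=list)  # aggregate-report addresses (rua)


def evaluate(record: str, record_domain: str, from_domain: str, *,
             spf_result: str, spf_domain: Optional[str],
             dkim_result: str, dkim_domain: Optional[str]) -> DmarcResult:
    """Decide the disposition of one message.  spf_domain is the domain SPF checked
    (MAIL FROM); dkim_domain is the d= of a verified DKIM signature.
    pct sampling is parsed but not applied here."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    reasons = [f"spf={spf_result} aligned={spf_ok}",
               f"dkim={dkim_result} aligned={dkim_ok}"]
    passed = spf_ok or dkim_ok      # DMARC passes if either mechanism passes AND aligns
    # Record found at the organizational domain while From is a subdomain: apply sp= not p=
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags["sp"] if is_subdomain else tags["p"]
    disposition = "none" if passed else policy
    report_to = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.startswith("mailto:"):
            report_to.append(uri[len("mailto:"):])
    return DmarcResult(passed, disposition, reasons, report_to)


if __name__ == "__main__":
    # Legitimate mail: DKIM signed with d=example.com; SPF checked a relay under the org domain.
    good = evaluate(SAMPLE_RECORD, "example.com", "example.com",
                    spf_result="pass", spf_domain="mail.example.com",
                    dkim_result="pass", dkim_domain="example.com")
    # Spoofed From header: SPF passes only for an unrelated sending domain, no DKIM signature.
    spoof = evaluate(SAMPLE_RECORD, "example.com", "example.com",
                     spf_result="pass", spf_domain="bulk-sender.example.net",
                     dkim_result="none", dkim_domain=None)
    for r in (good, spoof):
        print(r.disposition, r.reasons, r.report_to)
```

The second sample message shows why DMARC is more than SPF or DKIM alone: SPF "passes" for the domain the message was actually sent from, but that domain does not align with the From header the user sees, so the published policy (quarantine) applies and the receiver knows where to send the aggregate feedback report.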

Critics of DMARC argue that as long as people are involved in the process, users still will fall for phishing and spam.

“Humans don't work the way technology works, they work the way humans work,” said Joseph Steinberg, CEO at Green Armor Solutions, an authentication vendor.

