Anti-Phishing Standard Progresses

Tuesday, February 28, 2012 @ 01:02 PM gHale


The world’s biggest names in the consumer webmail space are sharing security intelligence with businesses for free to help drive adoption of the DMARC email-authentication standard.

Last month, Google, Microsoft, AOL, Facebook, and Yahoo! joined with service providers such as PayPal to push the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, which integrate with Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) systems.

RELATED STORIES
Malware has Bots Acting as C&C Server
Stealth Trojan Hijacks DLL File
New Bot a Phishing Attack
DNS Flaw has Users Seeing Ghosts

The advantage of participating in DMARC for businesses is they, as domain name holders, can specify email-handling policy via DMARC, which acts as an overlay for SPF and DKIM checking. By confirming an email message is actually coming from a business server and not from a spammer, spoofed emails end up cut out, and info about that spam-blocking then feeds back into the DMARC register to identify the email systems used by the spammers. The open flow of information between DMARC and businesses ensures both sides benefit from more efficient spam blocking.

This week, the email-intelligence firm and founding member of the DMARC consortium Agari opened up its Receiver Program, making it free to all comers. Businesses can sign up to get the latest anti-spam and anti-phishing intelligence from members of DMARC, and can use it to refine filtering techniques.

“This makes it free to implement in minutes,” said Agari spokeswoman Suzanne Matick. “You’re automatically getting policy instead of building your own form, and the policy can be easily updated.”

Giving all this intelligence away for free is a loss leader for the webmail companies, since it cuts down on the infrastructure costs of dealing with the stuff, and on user dissatisfaction. By getting all the biggest consumer names on board, DMARC is looking for a quick route to market criticality.

George Bilbrey, president of DMARC cofounder Return Path, said having 40 percent of consumer webmail providers getting behind the standard gave it instant momentum, but the business market would take more time and finesse. However, the security industry had seen the benefits right away.

The draft DMARC specification released Monday and the standard’s supporters are moving quickly. Paul Midgen, vice-chair of DMARC.org and senior program manager at Hotmail, said Hotmail is “almost ready to complete” on DMARC, and that progress on the final specification is well under way.

The DMARC spec is now in a public consultation phase, he said, and the team is collecting feedback from users. On a loose timeframe, the final revisions should be ready by next summer, and the goal is to move it on to the Internet Engineering Task Force (IETF) for ratification within a year after that.



Leave a Reply

You must be logged in to post a comment.