Google, Microsoft, Facebook, 12 others gang up on phishers
- By Kevin McCaney
- Jan 30, 2012
In a somewhat rare display of teamwork, 15 companies, including heavyweights Google, Microsoft, Facebook and Yahoo, have formed an alliance aimed at reducing the amount of spam and phishing e-mails that find their way into people’s inboxes.
The companies have formed DMARC.org (the acronym standing for Domain-based Message Authentication, Reporting and Conformance), a technical working group developing specifications to ensure that e-mails ostensibly coming from legitimate companies are not being spoofed, according to the group’s announcement.
In essence, the idea is to better identify fraudulent e-mails by better authenticating legitimate ones. If a message doesn’t have the proper ID, it doesn’t get through.
The DMARC specification builds on e-mail standards such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) in an attempt to create a standard, comprehensive protocol for authenticating e-mail, Adam Dawes, Google’s Gmail product manager, writes in the Gmail Blog.
DMARC would let e-mail providers recognize that a message from a given sender is legitimate, and reject messages that haven’t been authenticated, Dawes writes.
“A DMARC policy allows a sender to indicate that their e-mails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes — such as junk or reject the message,” the group, which also includes AOL, PayPal, LinkedIn, Agari and Bank of America, says on its home page.
Several of the companies involved in DMARC, such as Google and Microsoft, are often fierce competitors, but in this case have found a common enemy worth joining forces against.
The goal is to significantly reduce the amount of fraudulent e-mail making its way not only into e-mail systems, but even into quarantine. E-mail filters catch most spam already, but someone going through their quarantined messages still might be tempted to click on a message that seems to come from their bank, or refers to their PayPal account.
And some messages from spoofed sources still get through, often trying to get people to click on links that take them to malicious sites. Sometimes the phishers’ goal is to deliver ads for counterfeit products, sometimes to download botnet malware and sometimes to collect personal financial or other sensitive information.
Many of the most notable cyberattacks of recent years — including those against Google and RSA Security — began with phishing, or more targeted spear-phishing, e-mails.
“DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages,” the group says. “DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.”
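The receiver-side decision the group describes, as an added illustration that is not part of the article or of the DMARC.org specification text: parse a published DMARC record, treat the message as authenticated if SPF or DKIM passes, and otherwise apply the sender's p= policy. It goes one step beyond the article by also applying DMARC's identifier alignment (the passing SPF or DKIM domain must match the From domain, strictly or at the organizational level). Domains, addresses and the record itself are constructed placeholders.

```python
# Constructed sample record, as a domain owner would publish it in DNS at
# _dmarc.example.com (example.com is a placeholder, not a real deployment).
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(record):
    """Parse a 'tag=value; ...' DMARC record into a dict, filling the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags

def org_domain(domain):
    """Organizational domain, approximated here as the last two labels.
    Real receivers consult the Public Suffix List (so co.uk is handled correctly)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Evaluate one message. from_domain is the RFC5322.From domain; spf_domain is the
    RFC5321.MailFrom domain SPF was checked against; dkim_domain is the d= of the signature.
    Returns (dmarc_result, action): action is 'none' on pass, the p= tag on failure."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]

if __name__ == "__main__":
    # Constructed message 1: legitimate, SPF and DKIM both pass for the owner's own domain
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # Constructed message 2: spoofed From; SPF passes only for the spammer's own domain, no DKIM
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "pass", "spammer.invalid", "none", ""))
```

The second message shows why alignment matters: SPF alone "passes" for the spammer's own envelope domain, but it does not authenticate the From domain the user sees, so the published p=reject policy applies.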
The group says it plans to collect data from using DMARC in the field and then submit it to the Internet Engineering Task Force for approval as an Internet standard.
DMARC is asking organizations interested in the project to read the specification, join the group’s discussion mailing list at www.dmarc.org and begin testing and deploying e-mail authentication standards SPF, DKIM and DMARC.
Group members also will hold discussions on DMARC at two upcoming conferences in San Francisco: the Messaging Anti-Abuse Working Group General Meeting, Feb. 21-23, and the RSA Conference 2012, Feb. 27-March 2.
Kevin McCaney is a former editor of Defense Systems and GCN.