DMARC is having a positive impact on reducing spoofed email

What appears to be a package tracking notice from a logistics company could really harbor a link to a drive-by download of malware. But now there is a global industry standard called DMARC that is designed to drastically reduce (and hopefully one day eliminate) phishing emails that spoof the real sources of the malicious mail.

Lately I’ve noticed changes in the email messages trapped by my spam filter. Not long ago, there used to be quite a few suspicious messages that appeared to be from PayPal, FedEx and NACHA.org, the electronic payments clearinghouse. Since I rarely do business with any of those organizations, I could simply ignore the messages—especially since Postini singled them out as either spam or malicious messages. It’s a good bet that the messages weren’t really coming from those companies anyway.

In recent months, however, I’ve noticed a dramatic drop in spoofed messages from those businesses, and for good reason. PayPal, FedEx and NACHA.org have all implemented DMARC, the global standard for email authentication. DMARC stands for Domain-based Message Authentication, Reporting and Conformance. (See DMARC email standards help prevent brand abuse in phishing campaigns.)

DMARC serves two purposes. One is to initiate a policy mechanism that tells email service providers like Microsoft, Gmail, AOL and Yahoo that they should reject email messages from a specific organization’s domain name(s) that don’t adhere to the SPF (Sender Policy Framework) and the DKIM (DomainKeys Identified Mail) standards. The other function DMARC provides is to yield reports that allow a message sender to have visibility into everyone who is sending mail using that company’s brand (e.g., PayPal.com or Fedex.com). Through these reports, the brand owner can see everything that is legitimately being sent on their behalf, such as all of their legitimate corporate mail and affiliate mail. More importantly, they also can see anybody who is potentially out there sending malicious email on their behalf, so they can see where a spoofed email is coming from. They get visibility into what the message looks like as well.

According to the email security company Agari, DMARC is beginning to have a positive impact on cleaning up junk emails. This is good for both consumers and the companies whose brands have been abused for phishing and other malicious email campaigns. Let me give you an example of what DMARC has done for just one bank that recently engaged Agari to implement and manage DMARC on its behalf.

Prior to implementing DMARC, this large retail bank had some 20 million phishing emails attempted against its domain names per month. After DMARC, that volume dropped to under half a million attempts per month, and of those, about 80% are being blocked before they can reach their intended targets. The actual number of phishing attempts getting delivered is now down to about 100,000 per month. (The number hasn’t gone to zero yet because there are still some email service providers that haven’t implemented DMARC yet.)

While this is great news for that bank and its customers, it’s bad news for companies that haven’t yet implemented DMARC. You see, if cyber criminals can’t spoof this bank’s domain anymore, they’ll move on to some other company’s domain. Maybe even yours.

Agari is in the thick of this battle. Large companies – especially retail brands that have a heavy dependence on sending out marketing and communication emails to customers – engage Agari to help implement the DMARC policies; receive the raw reports about who is sending email on their behalf; consolidate and analyze this data; and provide intelligence on abuses, such as which URLs are hosting malicious websites that should be taken down.

Agari has started to publish what it learns about email abuse in a quarterly report it calls the TrustIndex. This report looks at key industry sectors and assesses how well each sector as a whole is doing, as well as how individual players in each sector fare in terms of consumers and customers being able to trust their email.

The idea is to help people make sound judgments about which companies and emails to trust, and also to provide role models for companies that want to mimic what their sector’s category leaders are doing. Here are just a few interesting insights from the 2013 Q2 Agari TrustIndex report, which tracks results in the following business sectors: financial services, e-commerce, social media, travel, logistics and gaming.

  • The market sector that has built the most trust in its email (and presents a low level of risk to consumers) is social media. Facebook, Twitter, LinkedIn, Pinterest, Google—nearly all of the major social brands have a priority to protect their email channel and deploy standards such as DMARC.
  • The industry with the lowest level of trust is travel, and in particular airlines within that sector. Delta Airlines has made great strides in protecting its email domain, but I’m still getting emails instructing me to “click here” to collect my receipt for travel on American Airlines. Curious, since I haven’t flown American Airlines in more than a decade.
  • From Q1 to Q2, the financial services sector saw a huge increase in malicious email activity. Agari says that consumers are seven times more likely to receive a malicious email that appears to be from their bank than from any other type of company. Financial institutions have a larger stake than most companies in email scams because courts continue to require banks to cover the monetary losses from phishing attacks.

Agari reports that 80% of email receivers in the U.S. (i.e., Gmail, Microsoft, etc.) have implemented DMARC. But this fact alone won’t protect consumers from phishing attacks until the email sending side – companies like yours – takes action, too. Companies can engage vendors like Agari to manage DMARC for them, or they can go it alone. It’s not difficult, just time consuming—especially when it comes to receiving and making sense of the email transmittal reports. I’ll cover the implementation steps in a future newsletter.

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation.  Write to her at LMusthaler@essential-iws.com.

Essential Solutions Corp. researches the practical value of information technology, and how it can make individual workers and entire organizations more productive.  Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.  
