
Google, Microsoft, Facebook, Bank of America team to wipe out phishing

11 companies including PayPal, Fidelity and LinkedIn form DMARC.org to eradicate spoofed email

By , Network World
January 30, 2012 08:08 AM ET

Network World - Can industry heavyweights Google, PayPal, Microsoft and AOL -- along with 11 others in high-tech such as Facebook and LinkedIn, as well as the financial world's Bank of America and Fidelity Investments -- succeed in stopping phishing attacks right in their tracks? In uniting behind an effort called DMARC.org, unveiled today, the group says it can use policy-based steps to filter out the spoofed email that attackers use for phishing.

"Whether you are an enterprise or offering a consumer service, you can apply this policy now," says Brett McDowell, senior manager of customer security initiatives at PayPal, who is chairman of the organization DMARC, which stands for "Domain-based Message Authentication, Reporting and Conformance." The DMARC.org site today published guidelines and the specification for its technology, which makes use of the well-known standards Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), two basic approaches widely used today for authenticating email.

BACKGROUND: Startup Agari debuts with security to stop fake email, phishing attacks

What DMARC adds is a policy-based framework of actions and reporting that email providers will follow to act on instructions from enterprise email managers to identify or even block spoofed mail exploiting any enterprise domain name. "We came together to produce a new standard, not a new technology," says McDowell. "This leverages SPF and DKIM, and it puts an end to spoofing, the most common form of email abuse."

Making use of the DMARC technology is as simple as asserting the protection policy that you, as the email manager, want enforced on behalf of your company, through a text record in DNS, says McDowell. According to the DMARC guidelines, these will include choices related to a domain name such as putting spoofed mail into a spam folder; throwing the spoofed mail away; or quarantining it. For those getting familiar with the whole DMARC concept, the decision could be made to simply ask for the identification of spoofed email without taking any other action. But DMARC backers say they have spent more than a year developing and testing the filtering technology, and that false positives are a rarity.
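As an added illustration (not code from the article or from DMARC.org), the sketch below shows how a receiver could read such a DNS text record and decide what to do with a message based on its own SPF and DKIM results. The tag names (`v`, `p`, `aspf`, `adkim`, `rua`) come from the published DMARC specification; the function names, sample record and sample results are constructed, and relaxed alignment is simplified as noted in the comments.

```python
# Added example: sample records and authentication results are constructed.
POLICIES = {"none", "quarantine", "reject"}  # none = report only, no action

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; ValueError if invalid."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    if not pairs:
        raise ValueError("empty record")
    tags = {}
    for i, pair in enumerate(pairs):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        key, value = key.strip().lower(), value.strip()
        if i == 0 and (key, value) != ("v", "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags[key] = value
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError("missing or unknown p= policy")
    tags["p"] = tags["p"].lower()
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict mode ("s") needs an exact match. Relaxed mode is simplified here
    to a parent/subdomain check; real receivers compare organizational
    domains using the Public Suffix List."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) tuples produced by the
    receiver's own checks. Returns 'deliver' when either mechanism passes AND
    aligns with the From: domain, otherwise the owner's requested policy."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return "deliver" if (spf_ok or dkim_ok) else tags["p"]

if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:reports@example.com"
    # From: claims example.com, but SPF only passed for an unrelated domain.
    print(disposition(rec, "example.com", ("pass", "mailer.example.net"), ("none", "")))
```

The point the example makes is that an SPF or DKIM pass alone is not enough: the authenticated domain must also match the domain shown in the From: header, which is what lets a domain owner's policy catch mail that authenticates for some other domain.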

Reports about DMARC-based actions would be delivered in XML format for purposes of interoperability, and the report data would be about the domain name under care, in a bare-bones form that doesn't include any email content, says McDowell. "It's anonymized and aggregated," says McDowell. He says DMARC is taking care to be mindful of privacy issues.
