Google, Microsoft Team Up to Fight Phishing, Spoofed Emails
Google, Yahoo, Microsoft and other major email providers are committed to stomping out phishing attacks and other email-based Web scams.
Major brands, such as Bank of America and Facebook, joined large email providers to announce Jan. 30 the new Domain-based Message Authentication, Reporting and Conformance framework along with an associated working group, DMARC.org.
DMARC is an authentication layer for email that will make email messages trustworthy again and make phishing more difficult, Brett McDowell, chair of DMARC.org and senior manager of customer security initiatives at PayPal. Fifteen companies have joined DMARC.org to date.
DMARC will not block all malicious emails, DMARC.org participants warned. Rather, it targets a very specific form of domain-based phishing, namely messages that have been spoofed to look like it came from a specific domain. If deployed correctly by both the outgoing mail server and the recipient servers, DMARC will help organizations identify and flag messages that claim to be sent by PayPal.com but sent by a server not associated with PayPal, McDowell said.
"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said McDowell.
The draft specification creates a feedback loop between legitimate email senders, such as Facebook, LinkedIn, Bank of America and PayPal, and mail receivers, such as Google, Yahoo, Microsoft and AOL. Google has deployed it for Gmail, Yahoo for Yahoo Mail, and Microsoft for Hotmail. For users of those email services, every mail they receive purporting to be from Facebook, LinkedIn and PayPal would be authenticated because both ends of the transaction use DMARC, according to McDowell.
"Agari and our DMARC.org partners have invested the past two years to build upon industry specifications to create the most efficient and far-reaching model for eliminating domain phishing," said Patrick Peterson, CEO of Agari.
DMAR would not stop all spam or phishing, but will stop a "significant chunk" of malicious messages being sent, said Paul Midgen, senior program manager on the delivery and safety team for Windows Live Hotmail at Microsoft.
Recent Google data found that roughly 15 percent of non-spam messages in Gmail are coming from domains protected by DMARC, "which means Gmail users like you don t need to worry about spoofed messages from these senders," Adam Dawes, a Google product manager, wrote on the Google Online Security Blog.
The DMARC specification is intended to work with existing mail authentication systems such as DomainKeys Identified Mail and Sender Policy Framework and the security of the Domain Name System records, according to McDowell. Instead of replacing DKIM or SPF, DMARC creates a stream of authenticated email messages. Mail servers processing incoming mail currently do not have a reliable way to know which senders are using SPF or DKIM, making it a challenge to tell whether the originating server was legitimately associated with the domain or not, McDowell said.
DMARC adds "significant value to SPF and DKIM," said Midgen.
Since DMARC would be deployed on both ends of the email transmission, receivers know which servers are authentic. Domain owners can also write policies that instruct all mail servers that use DMARC data to automatically flag or discard messages that are sent from servers other than the ones under their control.
The phishing potential "plummets when the system just works," according to Dawes.
Mail administrators can configure DMARC to write policies for treating bad email. They can choose to let the malicious mail through, but to monitor what is happening, treat the message as suspicious and flag it for users, or reject the message outright and block it from reaching user in-boxes.