DMARC Should Reduce Phishing Scams

by Dan Lohrmann / January 30, 2012

Major technology vendors announced the formation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) system today. This new email authentication framework should reduce the number of phishing scams that try to trick users into thinking emails are from someone else. Participating vendors, many of which provide free email services, aim to make spoofed domains in messages a thing of the past.

Leading technology companies like Google, Microsoft, AOL and Facebook are participating in the system – which is explained and can be examined in detail at DMARC.org. Here is a quote from the new website:

“DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.”

Coverage of the press announcement was widespread today, with numerous headlines all over the Internet, such as:

USA Today - Tech companies team up to combat e-mail scams

Information Week - Google, Microsoft Say DMARC Spec Stops Phishing and

Tech Crunch - DMARC Promises a World Of Less Phishing

Here’s an excerpt from the Tech Crunch article:

“The move follows an announcement in November that Google, Microsoft, Yahoo, AOL, and Agari were authenticating emails from Facebook, YouSendIt, and other e-commerce companies and social networks.

DMARC said the anti-phishing initiative has actually been going on for the last 18 months.

According to Google, about 15 percent of all e-mail comes from members of DMARC, but by publishing their DMARC records, these records cannot be domain spoofed. This makes the anti-phishing group much more effective at stopping criminal gangs from using phishing to dupe unsuspecting users.”

Are there any downsides to DMARC? Not really, in my opinion.

However, as many at Slashdot pointed out in their comments today, this system still doesn’t stop unwanted spam sent from within Gmail or Yahoo (or wherever); it only ensures that the email is not from a spoofed domain. The benefit lies in confirming that the sending domain is genuine, which is a huge step forward, but it is not a complete solution. So, as the critics point out, we still need to be careful to ensure that we are reading a message from the correct user. For example, there are multiple people with the same name in Yahoo mail.
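To make the limitation concrete, here is a small DMARC evaluator written for this post (it is not code from DMARC.org or any participating vendor). It applies the RFC 7489 alignment rules the quote above refers to: the From: domain must line up with either a passing SPF identifier or a passing DKIM d= domain, otherwise the record's p= policy applies. It assumes SPF and DKIM results are supplied by the caller (no DNS lookups or signature checks), uses a simplified two-label organisational domain, and all domains and records are constructed sample values.

```python
"""Simplified DMARC evaluation (RFC 7489 alignment and policy logic).

Assumptions: SPF/DKIM verdicts come from the caller, and the organisational
domain is taken as the last two labels, a simplification of public-suffix rules.
"""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' an organisational match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, record, spf_pass_domain=None, dkim_pass_domains=()):
    """Return ('pass', 'none') or ('fail', <p= policy>) for one message.

    from_domain: domain of the RFC5322.From header.
    spf_pass_domain: envelope (MAIL FROM) domain that passed SPF, or None.
    dkim_pass_domains: d= domains of DKIM signatures that verified.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r"))
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return ("pass", "none")          # domain is genuine; content is not vetted
    return ("fail", tags["p"])           # spoofed or unaligned sender: apply policy
```

Note that a message genuinely sent through a provider's own servers passes regardless of what it contains, which is exactly the gap the Slashdot commenters describe.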

Nevertheless, I agree with the major vendors that this is an important step forward in fighting phishing attacks.

What are your thoughts on this announcement?

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso