Can industry heavyweights Google, PayPal, Microsoft, and AOL—along with 11 others in high-tech such as Facebook and LinkedIn, as well as the financial world’s Bank of America and Fidelity Investments—succeed in stopping phishing attacks right in their tracks? Uniting behind an effort called DMARC.org, unveiled today, the group says that through policy-based steps it can filter out the spoofed email that attackers use for phishing.
“Whether you are an enterprise or offering a consumer service, you can apply this policy now,” says Brett McDowell, senior manager of customer security initiatives at PayPal, who is chairman of the organization DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance.” The DMARC.org site today published guidelines and the specification for its technology, which makes use of the well-known standards Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), two basic approaches widely used today for authenticating email.
What DMARC adds is a policy-based framework of actions and reporting that email providers will follow to act on instructions from enterprise email managers to identify or even block spoofed mail exploiting any enterprise domain name. “We came together to produce a new standard, not a new technology,” says McDowell. “This leverages SPF and DKIM, and it puts an end to spoofing, the most common form of email abuse.”
Making use of the DMARC technology is as simple as asserting the protection policy that you, as the email manager, want enforced on behalf of your company, through a text record in DNS, says McDowell. According to the DMARC guidelines, the choices, set per domain name, include putting spoofed mail into a spam folder, throwing it away, or quarantining it. Those still getting familiar with the DMARC concept can choose simply to ask for the identification of spoofed email, without any other action being taken. But DMARC backers say they have spent more than a year developing and testing the filtering technology, and that false positives are a rarity.
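To make the mechanism concrete, here is an added example (not code from DMARC.org, the article, or any vendor named in it) that parses the kind of DNS TXT record the policy is published in and applies it to the SPF and DKIM results a receiver already has. The tag names (v, p, sp, pct, rua, adkim, aspf) and the alignment rule follow the published DMARC specification; the three domains and their records are constructed to show the staged rollout the article describes: monitor only, quarantine a fraction, then reject. The organizational-domain shortcut is an assumption for the example.

```python
"""Parse a DMARC policy record and apply it to authentication results.

Added example. Tag syntax follows the DMARC specification; the domains and
records below are constructed for illustration.
"""

# Constructed: the TXT records a receiver would fetch from _dmarc.<domain>.
CONSTRUCTED_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-agg@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; adkim=s; rua=mailto:dmarc-agg@partial.example",
    "strict.example":  "v=DMARC1; p=reject; sp=reject; aspf=s; adkim=s; rua=mailto:dmarc-agg@strict.example",
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict, filling in the spec's defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")      # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels.
    Assumption for this example; real receivers consult the public suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match with the
    From: domain, relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             sample=0, is_subdomain=False):
    """Return 'pass' or the disposition ('none', 'quarantine', 'reject') to apply.

    spf_domain is the envelope domain SPF checked, dkim_domain the d= of the
    signature. sample is a value in [0, 100) compared against pct so that
    only that share of failing mail receives the full policy."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"   # one aligned, passing mechanism is enough
    policy = record["sp"] if is_subdomain else record["p"]
    if sample >= int(record["pct"]):
        # Unsampled failures get the next-less-severe action, as the spec requires.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    for domain, txt in CONSTRUCTED_RECORDS.items():
        rec = parse_dmarc(txt)
        # A spoofed message: SPF passes for an unrelated domain, no DKIM signature.
        print(domain, "->", evaluate(rec, domain, "pass", "unrelated.example", "fail", ""))
```

The incremental path the article's participants describe maps onto these records directly: a domain owner starts at p=none to collect reports, moves to p=quarantine with a low pct once its own mail streams authenticate cleanly, and ends at p=reject.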
Reports about DMARC-based actions would be delivered in XML format for purposes of interoperability, and the report data would be about the domain name under care, in a bare-bones form that doesn’t include any email content, says McDowell. “It’s anonymized and aggregated,” says McDowell. He says DMARC is taking care to be mindful of privacy issues.
Enterprises may want to take a do-it-yourself approach to DMARC implementation. But two companies that participated in the DMARC effort, Agari and Return Path, now offer services to support it.
At a price said to start at a few thousand dollars per month, Agari, for example, would aggregate the XML-based files each day, which might amount to tens of megabytes of data, and analyze them for evidence of misuse of domain names. Agari CEO Patrick Peterson says the service can analyze DMARC data to answer, “What are the bad guys doing? Are they pretending to be you? Here is a bunch of mail purporting to be from you, but is it?” He notes there are instances where there is legitimate third-party use of your domain for email in contract arrangements.
Agari, which says it has already processed a billion DMARC messages (it recently announced Facebook as a customer), today is posting tips on how network managers could implement DMARC on their own. Peterson says this is going to involve the DNS administrator knowing how to aggregate about 20 or 30 files every day in a database and then interpreting the security meaning of large amounts of data.
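The reporting side described above (anonymized, aggregated XML with no message content) and the daily aggregation job Peterson describes can be shown in one added example; this is not code from Agari, Return Path or DMARC.org. The XML layout follows the DMARC aggregate report format (feedback, report_metadata, policy_published, record/row/policy_evaluated); the two reports, the receiver names, IP addresses and counts are constructed. The third-party mailer whose SPF fails but whose DKIM signature aligns illustrates the legitimate contract arrangement Peterson mentions.

```python
"""Aggregate DMARC aggregate (RUA) reports by sending source.

Added example. The XML structure follows the DMARC aggregate report format;
the reports themselves are constructed and hold no message content, only
counts per source IP and the aligned authentication outcome.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: two reports from different receivers covering the same day.
REPORT_ONE = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver-one.example</org_name>
    <email>dmarc-noreply@receiver-one.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1327968000</begin><end>1328054399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>sender.example</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers>
    <auth_results><dkim><domain>sender.example</domain><result>pass</result></dkim>
      <spf><domain>sender.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers>
    <auth_results><dkim><domain>sender.example</domain><result>pass</result></dkim>
      <spf><domain>mailer-contractor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>45</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers>
    <auth_results><spf><domain>sender.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

REPORT_TWO = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver-two.example</org_name><report_id>constructed-0002</report_id></report_metadata>
  <policy_published><domain>sender.example</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>12</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers>
  </record>
</feedback>"""

CONSTRUCTED_REPORTS = [REPORT_ONE, REPORT_TWO]


def parse_report(xml_text):
    """Return (metadata, rows) for one report. ElementTree does not resolve
    external entities, which matters because these files come from third parties."""
    root = ET.fromstring(xml_text)
    meta = {
        "org": root.findtext("report_metadata/org_name"),
        "report_id": root.findtext("report_metadata/report_id"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),   # aligned DKIM result
            "spf": rec.findtext("row/policy_evaluated/spf"),     # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return meta, rows


def summarize(reports):
    """Merge rows from all reports into per-source-IP totals."""
    by_ip = defaultdict(lambda: {"total": 0, "dmarc_pass": 0, "dmarc_fail": 0,
                                 "dispositions": defaultdict(int), "reporters": set()})
    for xml_text in reports:
        meta, rows = parse_report(xml_text)
        for r in rows:
            s = by_ip[r["source_ip"]]
            s["total"] += r["count"]
            passed = r["dkim"] == "pass" or r["spf"] == "pass"  # either aligned pass suffices
            s["dmarc_pass" if passed else "dmarc_fail"] += r["count"]
            s["dispositions"][r["disposition"]] += r["count"]
            s["reporters"].add(meta["org"])
    return by_ip


def suspicious_sources(summary, min_fail_ratio=0.5):
    """Sources whose mail mostly fails DMARC: either abuse of the domain or a
    legitimate sender that has not yet been brought under SPF/DKIM."""
    return sorted(ip for ip, s in summary.items()
                  if s["total"] and s["dmarc_fail"] / s["total"] >= min_fail_ratio)


if __name__ == "__main__":
    summary = summarize(CONSTRUCTED_REPORTS)
    for ip, s in sorted(summary.items()):
        print(ip, s["total"], "pass", s["dmarc_pass"], "fail", s["dmarc_fail"], dict(s["dispositions"]))
    print("review:", suspicious_sources(summary))
```

A real deployment would load each day's files into a database keyed by source IP and header_from, then review the failing sources: the contractor at 198.51.100.5 passes because its DKIM signature aligns even though SPF does not, while the source at 203.0.113.77 fails at both receivers and is what the quarantine policy is acting on.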
Return Path describes its service, Domain Assurance, as receiving aggregate data, analyzing real-time email message samples for evidence of phishing and fraudulent activity, and alerting customers to such activity based on the policy they set. Return Path also has relationships with email providers outside the DMARC alliance.
With the idea of DMARC being new, many email managers, in coordination with their IT and security departments and the business as a whole, will undoubtedly take small steps at first to find out how DMARC works before applying policy-based rules, McDowell points out.
“DMARC provides visibility into whether you are being successful in applying DKIM and SPF,” says McDowell. Once enterprise email managers believe they have successfully implemented either DKIM or SPF, they can start to apply the DMARC anti-phishing policies incrementally to the point where they could even instruct email providers to block email exploiting their domain. “We’ll interpret that by records published by the domain owner,” says Paul Midgen, senior program manager, delivery and safety team, for Windows Live Hotmail.
DMARC is inviting feedback on its foundation technology and implementation ideas, with the goal of eventually submitting it to the IETF. Agari says the technology represents a contribution from all the DMARC participants and is considered open.
The Financial Services Roundtable, which represents about 100 financial institutions, has a technology-policy division called BITS which is actively backing the DMARC proposal. “In the email environment, our concern is someone phishing or imitating the financial institution,” says BITS President Paul Smocer. He says BITS hopes DMARC will work for an entire “ecosystem of email providers.”
“Our goal with the launch of DMARC is we want people to start using it, and improve their email authentication infrastructure,” says Adam Dawes, product manager at Google’s mail team. “The most widely used tactic for phishing is domain spoofing. It’s extremely easy for phishers to take advantage.” He said Google is already blocking fraudulent messages based on cooperation through DMARC with Facebook, LinkedIn and PayPal, for example. He said any mailbox hosted by Google has DMARC capabilities. Google itself has implemented DMARC “so we can report fraudulent messages that claim to come from Google.com.”