Feeds

Anti-phishing DMARC adoption gathers (free) steam

Biggest webmail names open anti-spam intelligence

Protecting against web application threats using SSL

The world's biggest names in the consumer webmail space are sharing security intelligence with businesses for free to help drive adoption of the DMARC email-authentication system.

Last month, Google, Microsoft, AOL, Facebook, and Yahoo! joined up with service providers such as PayPal to push the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, which integrate with Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) systems.

The advantage of participating in DMARC for businesses is that they, as domain name holders, can specify email-handling policy via DMARC, which acts as an overlay for SPF and DKIM checking. By confirming that an email message is actually coming from a business' servers and not from a spammer, spoofed emails are cut out, and info about that spam-blocking is then fed back into the DMARC register to identify the email systems being used by the spammers. The open flow of information between DMARC and businesses ensures that both sides benefit from more efficient spam blocking.

This week, the email-intelligence firm and founding member of the DMARC consortium Agari opened up its Receiver Program, making it free to all comers. Businesses can sign up to get the latest anti-spam and anti-phishing intelligence from members of DMARC, and can use it to refine filtering techniques.

"This makes it free to implement in minutes," Agari spokeswoman Suzanne Matick told The Register. "You're automatically getting policy instead of building your own form, and the policy can be easily updated."

Giving all this intelligence away for free is a loss leader for the webmail companies, since it cuts down on both the infrastructure costs of dealing with the stuff, and on user dissatisfaction. By getting all the biggest consumer names on board, DMARC is looking for a quick route to market criticality.

George Bilbrey, president of DMARC cofounder Return Path, told The Register that having 40 per cent of consumer webmail providers getting behind the standard gave it instant momentum, but that the business market would take more time and finesse. However, the security industry had seen the benefits right away.

"I've been at a conference this week, and based on casual conversations, enterprise security vendors are very interested," he said. "They all have it on their map, and we'll see the first DMARC-spec products within a year, I suspect."

The draft DMARC specification was released on Monday and the standard's supporters are moving quickly. Paul Midgen, vice-chair of DMARC.org and senior program manager at Hotmail, told The Register that Hotmail is "almost ready to complete" on DMARC, and that progress on the final specification is well under way.

The DMARC spec is now in a public consultation phase, he explained, and the team is collecting feedback from users on what needs to be included. On a loose timeframe, the final revisions should be completed by next summer, and the goal is to move it on to the Internet Engineering Task Force (IETF) for ratification within a year after that.

"The expectation is that when we turn over control to the IETF there will be more changes, and we need to acknowledge that," Midgen said. "The DMARC group has done a very good job of being inclusive, but an IETF submission is a huge consideration and you never know what's going to happen."

He suggested businesses could get involved in a couple of ways. First, the sender side of email could be augmented with DMARC – it's a fairly simple job to get up and running. The larger the company, the more difficult the installation, as with most updates, but the long-term cost savings would be significant, Midgen asserted. Secondly, businesses could get an early heads-up on the latest security data, and at least lay the groundwork to cut lead-times for future implementation. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.