Feeds

Anti-phishing DMARC adoption gathers (free) steam

Biggest webmail names open anti-spam intelligence

High performance access to file storage

The world's biggest names in the consumer webmail space are sharing security intelligence with businesses for free to help drive adoption of the DMARC email-authentication system.

Last month, Google, Microsoft, AOL, Facebook, and Yahoo! joined up with service providers such as PayPal to push the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, which integrate with Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) systems.

The advantage of participating in DMARC for businesses is that they, as domain name holders, can specify email-handling policy via DMARC, which acts as an overlay for SPF and DKIM checking. By confirming that an email message is actually coming from a business' servers and not from a spammer, spoofed emails are cut out, and info about that spam-blocking is then fed back into the DMARC register to identify the email systems being used by the spammers. The open flow of information between DMARC and businesses ensures that both sides benefit from more efficient spam blocking.

This week, the email-intelligence firm and founding member of the DMARC consortium Agari opened up its Receiver Program, making it free to all comers. Businesses can sign up to get the latest anti-spam and anti-phishing intelligence from members of DMARC, and can use it to refine filtering techniques.

"This makes it free to implement in minutes," Agari spokeswoman Suzanne Matick told The Register. "You're automatically getting policy instead of building your own form, and the policy can be easily updated."

Giving all this intelligence away for free is a loss leader for the webmail companies, since it cuts down on both the infrastructure costs of dealing with the stuff, and on user dissatisfaction. By getting all the biggest consumer names on board, DMARC is looking for a quick route to market criticality.

George Bilbrey, president of DMARC cofounder Return Path, told The Register that having 40 per cent of consumer webmail providers getting behind the standard gave it instant momentum, but that the business market would take more time and finesse. However, the security industry had seen the benefits right away.

"I've been at a conference this week, and based on casual conversations, enterprise security vendors are very interested," he said. "They all have it on their map, and we'll see the first DMARC-spec products within a year, I suspect."

The draft DMARC specification was released on Monday and the standard's supporters are moving quickly. Paul Midgen, vice-chair of DMARC.org and senior program manager at Hotmail, told The Register that Hotmail is "almost ready to complete" on DMARC, and that progress on the final specification is well under way.

The DMARC spec is now in a public consultation phase, he explained, and the team is collecting feedback from users on what needs to be included. On a loose timeframe, the final revisions should be completed by next summer, and the goal is to move it on to the Internet Engineering Task Force (IETF) for ratification within a year after that.

"The expectation is that when we turn over control to the IETF there will be more changes, and we need to acknowledge that," Midgen said. "The DMARC group has done a very good job of being inclusive, but an IETF submission is a huge consideration and you never know what's going to happen."

He suggested businesses could get involved in a couple of ways. First, the sender side of email could be augmented with DMARC – it's a fairly simple job to get up and running. The larger the company, the more difficult the installation, as with most updates, but the long-term cost savings would be significant, Midgen asserted. Secondly, businesses could get an early heads-up on the latest security data, and at least lay the groundwork to cut lead-times for future implementation. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.