Feeds

Anti-phishing DMARC adoption gathers (free) steam

Biggest webmail names open anti-spam intelligence

3 Big data security analytics techniques

The world's biggest names in the consumer webmail space are sharing security intelligence with businesses for free to help drive adoption of the DMARC email-authentication system.

Last month, Google, Microsoft, AOL, Facebook, and Yahoo! joined up with service providers such as PayPal to push the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, which integrate with Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) systems.

The advantage of participating in DMARC for businesses is that they, as domain name holders, can specify email-handling policy via DMARC, which acts as an overlay for SPF and DKIM checking. By confirming that an email message is actually coming from a business' servers and not from a spammer, spoofed emails are cut out, and info about that spam-blocking is then fed back into the DMARC register to identify the email systems being used by the spammers. The open flow of information between DMARC and businesses ensures that both sides benefit from more efficient spam blocking.

This week, the email-intelligence firm and founding member of the DMARC consortium Agari opened up its Receiver Program, making it free to all comers. Businesses can sign up to get the latest anti-spam and anti-phishing intelligence from members of DMARC, and can use it to refine filtering techniques.

"This makes it free to implement in minutes," Agari spokeswoman Suzanne Matick told The Register. "You're automatically getting policy instead of building your own form, and the policy can be easily updated."

Giving all this intelligence away for free is a loss leader for the webmail companies, since it cuts down on both the infrastructure costs of dealing with the stuff, and on user dissatisfaction. By getting all the biggest consumer names on board, DMARC is looking for a quick route to market criticality.

George Bilbrey, president of DMARC cofounder Return Path, told The Register that having 40 per cent of consumer webmail providers getting behind the standard gave it instant momentum, but that the business market would take more time and finesse. However, the security industry had seen the benefits right away.

"I've been at a conference this week, and based on casual conversations, enterprise security vendors are very interested," he said. "They all have it on their map, and we'll see the first DMARC-spec products within a year, I suspect."

The draft DMARC specification was released on Monday and the standard's supporters are moving quickly. Paul Midgen, vice-chair of DMARC.org and senior program manager at Hotmail, told The Register that Hotmail is "almost ready to complete" on DMARC, and that progress on the final specification is well under way.

The DMARC spec is now in a public consultation phase, he explained, and the team is collecting feedback from users on what needs to be included. On a loose timeframe, the final revisions should be completed by next summer, and the goal is to move it on to the Internet Engineering Task Force (IETF) for ratification within a year after that.

"The expectation is that when we turn over control to the IETF there will be more changes, and we need to acknowledge that," Midgen said. "The DMARC group has done a very good job of being inclusive, but an IETF submission is a huge consideration and you never know what's going to happen."

He suggested businesses could get involved in a couple of ways. First, the sender side of email could be augmented with DMARC – it's a fairly simple job to get up and running. The larger the company, the more difficult the installation, as with most updates, but the long-term cost savings would be significant, Midgen asserted. Secondly, businesses could get an early heads-up on the latest security data, and at least lay the groundwork to cut lead-times for future implementation. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.