Feeds

Anti-phishing DMARC adoption gathers (free) steam

Biggest webmail names open anti-spam intelligence

Seven Steps to Software Security

The world's biggest names in the consumer webmail space are sharing security intelligence with businesses for free to help drive adoption of the DMARC email-authentication system.

Last month, Google, Microsoft, AOL, Facebook, and Yahoo! joined up with service providers such as PayPal to push the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, which integrate with Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) systems.

The advantage of participating in DMARC for businesses is that they, as domain name holders, can specify email-handling policy via DMARC, which acts as an overlay for SPF and DKIM checking. By confirming that an email message is actually coming from a business' servers and not from a spammer, spoofed emails are cut out, and info about that spam-blocking is then fed back into the DMARC register to identify the email systems being used by the spammers. The open flow of information between DMARC and businesses ensures that both sides benefit from more efficient spam blocking.

This week, the email-intelligence firm and founding member of the DMARC consortium Agari opened up its Receiver Program, making it free to all comers. Businesses can sign up to get the latest anti-spam and anti-phishing intelligence from members of DMARC, and can use it to refine filtering techniques.

"This makes it free to implement in minutes," Agari spokeswoman Suzanne Matick told The Register. "You're automatically getting policy instead of building your own form, and the policy can be easily updated."

Giving all this intelligence away for free is a loss leader for the webmail companies, since it cuts down on both the infrastructure costs of dealing with the stuff, and on user dissatisfaction. By getting all the biggest consumer names on board, DMARC is looking for a quick route to market criticality.

George Bilbrey, president of DMARC cofounder Return Path, told The Register that having 40 per cent of consumer webmail providers getting behind the standard gave it instant momentum, but that the business market would take more time and finesse. However, the security industry had seen the benefits right away.

"I've been at a conference this week, and based on casual conversations, enterprise security vendors are very interested," he said. "They all have it on their map, and we'll see the first DMARC-spec products within a year, I suspect."

The draft DMARC specification was released on Monday and the standard's supporters are moving quickly. Paul Midgen, vice-chair of DMARC.org and senior program manager at Hotmail, told The Register that Hotmail is "almost ready to complete" on DMARC, and that progress on the final specification is well under way.

The DMARC spec is now in a public consultation phase, he explained, and the team is collecting feedback from users on what needs to be included. On a loose timeframe, the final revisions should be completed by next summer, and the goal is to move it on to the Internet Engineering Task Force (IETF) for ratification within a year after that.

"The expectation is that when we turn over control to the IETF there will be more changes, and we need to acknowledge that," Midgen said. "The DMARC group has done a very good job of being inclusive, but an IETF submission is a huge consideration and you never know what's going to happen."

He suggested businesses could get involved in a couple of ways. First, the sender side of email could be augmented with DMARC – it's a fairly simple job to get up and running. The larger the company, the more difficult the installation, as with most updates, but the long-term cost savings would be significant, Midgen asserted. Secondly, businesses could get an early heads-up on the latest security data, and at least lay the groundwork to cut lead-times for future implementation. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.