Microsoft, Facebook, Google, Others Join Forces to Fight Phishing

DMARC, short for Domain-based Message Authentication, Reporting and Compliance, is a new approach to help fight email phishing attacks.

DMARC.org has been established as a working group that includes 15 contributors including AOL, Bank of America, Google, Microsoft, Paypal and Yahoo to create an email authentication standard via SPF and DKIM.

According to the DMARC specification, the senders of emails can provide proof to indicate that their emails are protected by SPF and DKIM and include instructions what to do with the message if the authentication fails. For example, the message can be automatically deleted by the recipient system - or simply be rejected. The idea is that unauthenticated phishing mails will not reach their recipients. The specification has been developed by the group over the past 18 months.

DMARC.org intends to deploy its technology into field usage and collect data about its efficiency. Eventually, the DMARC specification is intended for submission to the IETF for standardization. DMARC.org representatives will provide details about the specification in a panel discussion at the 2012 RSA Conference on February 29.

You need to be logged to post a comment

There are 14 Comments.

Other Comments

6

silver565 , February 1, 2012 1:41 AM

I'm pleased to see this. No more emails about winning "gold dust"!
4

sseyler , February 1, 2012 1:42 AM

silver565I'm pleased to see this. No more emails about winning "gold dust"!

Or about sharing large funds from a Nigerian prince.
7

danwat1234 , February 1, 2012 1:47 AM

silver565I'm pleased to see this. No more emails about winning "gold dust"!Or about Viagra pills that I don't need.

Or about Viagra pills that I don't need.
4

silver565 , February 1, 2012 1:52 AM

danwat1234Or about Viagra pills that I don't need.

Don't forget how you won the lottery
2

freggo , February 1, 2012 2:10 AM

If you win the Lottery you do not need Viagra to get a chick.
You just became a dream date.
Loads of money and no marital requests :-)
2

Kryan , February 1, 2012 4:12 AM

danwat1234Or about Viagra pills that I don't need.

SPEAK FOR YOURSELF! lol

but seriously...pen!s enlargement is a wish ... ./cryyyyy
-2

ithurtswhenipee , February 1, 2012 4:52 AM

The next thing they should all join forces for is to do away with free email accounts. Make a 1 time registration fee of a nominal amount like $5 or $10. This way the bots that spammers use to create thousands of [name free email provider] email accounts will either rendered useless or the process will be prohibitively expensive. Even if each address is able to send 10 or 15 emails before it gets closed down.
0

drwho1 , February 1, 2012 6:06 AM

"the senders of emails can provide proof to indicate that their emails are protected by SPF and DKIM and include instructions what to do with the message if the authentication fails. For example, the message can be automatically deleted by the recipient system - or simply be rejected."

This is the part that I'm having trouble with.

What "proof", how efficient this "proof" be?
Can they just add the "proof" anyway?
Are there any limits on this "proofs"?

Or they would simply find an exploit and it would be the same or worse.

Don't get me wrong I agree with everyone here so far....
But I would like to see more details about this.
0

dormantreign , February 1, 2012 7:46 AM

Or about that penis enlargement i also don't need.
0

JOSHSKORN , February 1, 2012 11:43 AM

But...but..where am I going to get my viagra and vicodin from, now? What bank will I store my money in without my bank of Nigeria?? And What about F#ckBook?? This makes me a sad panda.

/sarcasm
0

ibboard , February 1, 2012 3:07 PM

This wouldn't help with spam (despite the picture) or generic scams, just phishing. So we'd still get the Nigerian princes, the "male medicine", the R0lllllex and the rest. The only stuff you wouldn't get is stuff telling you to log in to [insert bank/store/social network].

TBH, this will only be half successful. SPF and DKIM lets them do this stuff already (and worrying only *some* banks do it) if and only if the receiving server checks the records *and* the sender marks a hard fail rather than a soft fail (which says "I don't think it is legit, but don't ditch it just in case"). What it will miss out on is bankofarnerica.com and the like - you can still phish with an almost-but-not-quite-identical domain name (and even have a legitimate SSL certificate for it).
0

mrmaia , February 1, 2012 4:20 PM

Instead of new authentication methods, they should invest in educating people about phishing.

Spammers will ALWAYS find a way to work around the filters, but some people will NEVER learn that that £500,000,000 Lottery prize is a scam.

The best way to stop spamming is cutting down its results.
0

nebun , February 1, 2012 7:17 PM

it's about time...i am not surprised if these companies were the main ones that started it all....this is google and microsoft we are talking about
0

hardcore_gamer , February 1, 2012 7:39 PM

KryanSPEAK FOR YOURSELF! lolbut seriously...pen!s enlargement is a wish ... ./cryyyyy

Use a blade and duct tape .

Microsoft, Facebook, Google, Others Join Forces to Fight Phishing

Tom’s guide in the world