News

Microsoft, Facebook, Google Unite To Battle Spam

• By Kevin McCaney
• 01/30/2012

Fifteen companies, including Microsoft, Yahoo, Google and Facebook, have come together to form DMARC.org (Domain-based Message Authentication, Reporting and Conformance), a technical group focusing on ways to ensure that e-mails ostensibly coming from legitimate companies are not being spoofed, according to the group's announcement.

The idea is to better identify fraudulent e-mails by better authenticating legitimate ones. If a message doesn't have the proper ID, it doesn't get through.

The DMARC specification builds on e-mail standards such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) in an attempt to create a standard, comprehensive protocol for authenticating e-mail, Adam Dawes, Google's Gmail product manager, writes in the Gmail Blog.

DMARC would ensure that e-mail providers would recognize e-mail coming from a sender is legitimate, and can reject messages that haven't been authenticated, Dawes writes.

"A DMARC policy allows a sender to indicate that their e-mails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes -- such as junk or reject the message," the group, which also includes AOL, PayPal, LinkedIn, Agari and Bank of America, says on its home page.

Several of the companies involved in DMARC, such as Google and Microsoft, often fight it out over matters, but in this case have found a common enemy worth joining forces against.

The goal is to significantly reduce the amount of fraudulent e-mail making its way not only into e-mail systems, but even into quarantine. E-mail filters catch most spam already, but someone going through their quarantined messages still might be tempted to click on a message that seems to come from their bank, or refers to their PayPal account.

And some messages from spoofed sources still get through, often trying to get people to click on links that take them to malicious sites. Sometimes the phishers' goal is to deliver ads for counterfeit products, sometimes to download botnet malware and sometimes to collect personal financial or other sensitive information.

Many of the most notable cyberattacks of recent years -- including those against Google and RSA Security -- began with phishing, or more targeted spear-phishing, e-mails.

"DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages," the group says. "DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation."

The group says it plans to collect data from using DMARC in the field and then submit it to the Internet Engineering Task Force for approval as an Internet standard.

DMARC is asking organizations interested in the project to read the specification, join the group's discussion mailing list at www.dmarc.org and begin testing and deploying e-mail authentication standards SPF, DKIM and DMARC.

Group members also will hold discussions on DMARC at two upcoming conferences in San Francisco: The Messaging Anti-Abuse Working Group General Meeting, Feb. 21-23, and the RSA Conference 2012, Feb. 27-March 2.