Microsoft, Facebook, Google Unite To Battle Spam

Fifteen companies, including Microsoft, Yahoo, Google and Facebook, have come together to form DMARC.org (Domain-based Message Authentication, Reporting and Conformance), a technical group focusing on ways to ensure that e-mails ostensibly coming from legitimate companies are not being spoofed, according to the group's announcement.

The idea is to better identify fraudulent e-mails by better authenticating legitimate ones. If a message doesn't have the proper ID, it doesn't get through.

The DMARC specification builds on e-mail standards such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) in an attempt to create a standard, comprehensive protocol for authenticating e-mail, Adam Dawes, Google's Gmail product manager, writes in the Gmail Blog.

DMARC would ensure that e-mail providers can recognize that e-mail coming from a sender is legitimate, and can reject messages that haven't been authenticated, Dawes writes.

"A DMARC policy allows a sender to indicate that their e-mails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes -- such as junk or reject the message," the group, which also includes AOL, PayPal, LinkedIn, Agari and Bank of America, says on its home page.

Several of the companies involved in DMARC, such as Google and Microsoft, often fight it out over matters, but in this case have found a common enemy worth joining forces against.

The goal is to significantly reduce the amount of fraudulent e-mail making its way not only into e-mail systems, but even into quarantine. E-mail filters catch most spam already, but someone going through their quarantined messages still might be tempted to click on a message that seems to come from their bank, or refers to their PayPal account.

And some messages from spoofed sources still get through, often trying to get people to click on links that take them to malicious sites. Sometimes the phishers' goal is to deliver ads for counterfeit products, sometimes to download botnet malware and sometimes to collect personal financial or other sensitive information.

Many of the most notable cyberattacks of recent years -- including those against Google and RSA Security -- began with phishing, or more targeted spear-phishing, e-mails.

"DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages," the group says. "DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation."
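The receiver-side decision the group describes (apply the sender's published policy when neither SPF nor DKIM passes, and know where to send reports) can be sketched as follows. This is an added example, not code from the article or from DMARC.org; the record text and the example.com addresses are constructed, and the SPF/DKIM results are assumed to be computed elsewhere.

```python
# Added example: applying a sender's published DMARC policy at the receiver.
# SAMPLE_RECORD and its addresses are constructed sample values.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict, or return None if unusable."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # empty trailing segment or malformed tag
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # Usable only if it declares version DMARC1 and a known policy.
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    tags["p"] = tags["p"].lower()
    return tags


def disposition(record_txt, spf_pass, dkim_pass):
    """Return (action, report_uris) for one message.

    spf_pass / dkim_pass are assumed to mean "passed for the domain in the
    From header"; performing SPF and DKIM checks is outside this sketch.
    """
    policy = parse_dmarc_record(record_txt) if record_txt else None
    if policy is None:
        return "deliver", []       # no usable policy: normal filtering applies
    reports = [u.strip() for u in policy.get("rua", "").split(",") if u.strip()]
    if spf_pass or dkim_pass:
        return "deliver", reports  # at least one method passed
    # Neither method passed: do what the sender asked for.
    action = {"none": "deliver", "quarantine": "junk", "reject": "reject"}[policy["p"]]
    return action, reports


if __name__ == "__main__":
    print(disposition(SAMPLE_RECORD, spf_pass=False, dkim_pass=False))
```

The returned report addresses are where a receiver would send its pass/fail feedback to the sender, whatever action was taken on the message.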

The group says it plans to collect data from using DMARC in the field and then submit it to the Internet Engineering Task Force for approval as an Internet standard.

DMARC is asking organizations interested in the project to read the specification, join the group's discussion mailing list at www.dmarc.org and begin testing and deploying e-mail authentication standards SPF, DKIM and DMARC.

Group members also will hold discussions on DMARC at two upcoming conferences in San Francisco: The Messaging Anti-Abuse Working Group General Meeting, Feb. 21-23, and the RSA Conference 2012, Feb. 27-March 2. 

About the Author

Kevin McCaney is the managing editor of Government Computer News.
