Google, Microsoft and Facebook Battle Phishing with New Specification

Major Internet companies including Google, Microsoft, and Facebook have announced a new specification to streamline the way email providers work out whether messages are part of phishing attacks using spoofed domain addresses.

In testing for two years and called DMARC (Domain-based Message Authentication, Reporting & Conformance), the initiative is really an attempt to impose a single set of policies on the sometimes arbitrary way that way companies separate the good email from the bad.

Almost a decade after the industry last set out to solve the problem with DomainKeys Identified Mail (DKIM) and Microsoft’s Sender Policy Framework (SPF, later called Sender ID), DMARC’s arrival is an acceptance that these have not been enough – phishing attacks, in which criminals impersonate the domains of well-known companies in order to get users to click on malicious links, remain a major scourge.

Conversely, large corporate such as banks are often unwilling to communicate by email at all lest it make consumers more likely to fall for phishing attacks.

Under DMARC, email hubs would use a protocol to communicate which email authentication technologies they were using, giving recipients a high degree of certainty as to an email’s provenance.

This sounds obvious, but many of today’s bulk email providers apply security as islands cut off from their peers in which they secure outgoing email traffic without being able to trust what is incoming to their servers. Policies and algorithms for doing the latter vary.

Importantly, organisations whose domains are being impersonated as part of phishing attacks – that is to say almost every company of any size – never get to hear from their peers that this is happening.

By cementing trust between large email companies, DMARC hopes to slowly but surely drive spammers and phishing scammers away from their domains towards less convincing ones. It doesn’t mean, therefore, that phishing attacks will stop merely that they will be easier to spot both for anti-spam filters and recipients.

“Industry groups come and go, and it’s not always easy to tell at the beginning which ones are actually going to generate good solutions,” admitted Adam Dawes of Google, one company that has been trialling DMARC for some time.

“When the right contributors come together to solve real problems, though, real things happen. That’s why we’re particularly optimistic about today’s announcement of DMARC.org,” he said.

Google already endoreses the Domain assurance anti-phishing system from fellow DMARC member, Return Path, developed in parallel to the new specification as it emerged from a partnership between Google, Yahoo and PayPal five years ago.

A large part of DMARC’s success will depend on spreading it beyond the core of large companies currently endorsing it. ISPs also need to come onboard, which will take time.

Other participants include Bank of America, PayPal, Yahoo, LinkedIn, Fidelity Investments, AOL, Agari and American Greetings as well as email security company CloudMark. Industry research group the Trusted Domain Project (TDP) completes the list.