Slashdot Mirror


Domain Key Identified Mail vs Phishing

alphadogg writes "Some of the Internet's most powerful companies — including Yahoo, Google, PayPal and AOL — are brandishing a new weapon in the ongoing battle against e-mail fraud. DKIM is an emerging e-mail authentication standard developed by the IETF. DKIM, which stands for DomainKeys Identified Mail, allows an organization to cryptographically sign outgoing e-mail to verify that it sent the message. DKIM addresses one of the Internet's biggest threats: e-mail fraud. As much as 80% of e-mail that purports to be from leading brands, banks and ISPs is spoofed, according to a report released in late January by the Authentication and Online Trust Alliance (AOTA)."

7 of 180 comments

  1. How Viagra Spam Works! by webword · Score: 2, Interesting

    So, where does that fancy new protocol standard thingy fit into this?

    http://www.modernlifeisrubbish.co.uk/images/illustrations/how-viagra-spam-works-large.png

    Another point: I read through the article. No mention of Microsoft?

  2. Revisionist history by Degrees · Score: 3, Interesting

    From TFA:

    PayPal is deploying DKIM after already rolling out Sender Policy Framework (SPF), a complementary Microsoft-backed standard that is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to reject e-mail coming out of forged "from" addresses. Except that Microsoft shat on SPF because it was Not Invented Here. They tried to get the world to implement their Sender ID protocol instead.

    The IETF refused to ratify SPF as an official standard because it didn't have Microsoft support.

    Today, RFC 4408 is still an "experimental" protocol - due to Microsoft's hurt. Someone at Network World isn't familiar with the material they are reporting.

    I think SPF addresses a real problem, and does it well; but, my MTA vendor doesn't want to spend the programmer cycles on something non-standard (they've been accused of being non-standard in the past, and don't want to risk the accusation again). I am annoyed that something so simple and easy as SPF isn't ubiquitous yet.

    --
    "The most sensible request of government we make is not, 'Do something!' but 'Quit it!'"

  3. Re:Useless.... by sempernoctis · Score: 2, Interesting

    Won't this also make it harder to set up a mail server? I run a mail server at home, and I currently don't control the domain I am in, only my host. Most of the dynamic IP services out there provide support for this. When all the major players start using it, is this going to screw over people who run their own personal mail servers? Disposable addresses are a system that works completely within the existing standard for e-mail. I use them on my server, with no other filtering mechanism whatsoever, and I almost never get spam or phishing e-mails.

  4. Counter-measure by The+MAZZTer · Score: 4, Interesting

    From: fraud-dept@interbankcorp.com
    To: joe.smith@someplace.somewhere
    Reply-To: fraud-dept.interbankcorp.com@freewebmailplace.bleh

    Hello, we at InterBankCorp have been having a problem with other people accessing your account, and transferring funds out of it. We are working to rectify this problem, and all we need from you is your username, password, and pin number to confirm that you are the legitimate holder of the account.

    You may note that this e-mail is not signed digitally, as we assured you all our communications with you would be. We are having problems with our e-mail servers, rest assured this message is legitimate as it contains our official logo. Our e-mail problems will be resolved shortly and we will go back to using digital signing to verify our authenticity with you.

    Thank you again for helping us resolve this problem with your account.

    1. Re:Counter-measure by UbuntuDupe · Score: 0, Interesting

      Kind of reminds me of a similar thing I did to defeat an analogous countermeasure in Second Life. Basically, I tried to spoof another user and make it look like he made offensive remarks. In SL, you can create objects and give them arbitrary names, and have them talk. So, you can name them after other users and make it look like they're saying stuff that they're really not. What does SL do about this? Well, text from objects saying stuff is green, while text from humans saying stuff is white.

      Well, I defeated that countermeasure just like you did there. Once I named the object after another player, the first thing I did was say:

      "Omg guys guys, check this out! I can make my text green! This is so awesome! I totally didn't know you could change the color of your text. I'm just going to do this from now on!" (Of course I waited till he was afk.)

      *Then* I went on and put words in his mouth.

      Fortunately, I was ethical/felt guilty/was squealing with laughter at my genius so much that I almost immediately revealed what I had done. But, same concept, the systems are vulnerable just the same.
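As an added example (not from the article or from any commenter), here is the receiver-side check that the summary's "cryptographically sign outgoing e-mail" implies and that the InterBankCorp "we are temporarily not signing" mail in the Counter-measure comment is designed to slip past: a standard-library Python sketch that parses the DKIM-Signature tags, checks that the d= domain aligns with the From: domain, recomputes the RFC 6376 body hash (bh=), and refuses unsigned mail from any domain known to sign everything. The policy table, addresses, selector and message bodies are constructed; RSA verification of b= against the key published in DNS is noted in a comment but not performed.

```python
import base64
import email
import email.utils
import hashlib
import re

# Constructed policy table for this example (a real receiver would learn this from
# the sender's published policy): domains that sign every outbound message.
SIGNING_DOMAINS = {"interbankcorp.com"}

def simple_body_hash(body: str) -> str:
    """RFC 6376 'simple' body canonicalization, then bh = base64(sha256(body))."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    body = re.sub(r"(\r\n)+\Z", "", body) + "\r\n"  # drop trailing empty lines, keep one CRLF
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

def parse_dkim_tags(header: str) -> dict:
    """Split a 'k=v; k=v' tag list; folding whitespace inside values is ignored."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def build_message(from_addr: str, body: str, sign_domain: str = "") -> str:
    """Constructed sample message; b= is a placeholder because RSA signing is not shown."""
    headers = [f"From: {from_addr}", "To: joe.smith@example.com", "Subject: account notice"]
    if sign_domain:
        headers.insert(0, f"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d={sign_domain};"
                          f" s=sel; h=from:to:subject; bh={simple_body_hash(body)}; b=PLACEHOLDER")
    return "\n".join(headers) + "\n\n" + body

def check_message(raw: str) -> str:
    """Receiver-side policy: a domain that signs everything is never accepted unsigned."""
    msg = email.message_from_string(raw)
    from_domain = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    if sig is None:
        # The "our signing is temporarily broken" mail relies on this path being lenient.
        return "reject-unsigned" if from_domain in SIGNING_DOMAINS else "unsigned"
    tags = parse_dkim_tags(sig)
    d = tags.get("d", "").lower()
    if not (from_domain == d or from_domain.endswith("." + d)):
        return "fail-alignment"  # signed, but by a domain unrelated to the From: header
    if tags.get("bh") != simple_body_hash(msg.get_payload()):
        return "fail-bodyhash"  # body altered after signing
    # Not done here: fetch the s._domainkey.d TXT record and RSA-verify b= over the h= headers.
    return "bodyhash-pass"
```

The point of the policy table is that "this message is unsigned because our servers are broken" is not a condition the receiver should ever honour for a domain that has committed to signing.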

  5. Re:Oblig by JaredOfEuropa · Score: 1, Interesting

    Read the article again. I don't think any of the items you've ticked on this list really apply to the proposed solution, which in this article is targeting phishing attempts, but can work against spam as well.

    Besides, I think this form by now deserves an automatic -5 Stale and patently unfunny.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...

  6. is this really a new concept? by Anonymous Coward · Score: 1, Interesting

    Correct me if I am wrong, but how is this different from a PGP key signature?