Slashdot Mirror

← Back to Stories (view on slashdot.org)

Domain Key Identified Mail vs Phishing

Posted by ryuzaki0 on from the fifty-six-thousand-spam-in-the-last-thirty-days dept.

alphadogg writes "Some of the Internet's most powerful companies — including Yahoo, Google, PayPal and AOL — are brandishing a new weapon in the ongoing battle against e-mail fraud. DKIM is an emerging e-mail authentication standard developed by the IETF. DKIM, which stands for DomainKeys Identified Mail, allows an organization to cryptographically sign outgoing e-mail to verify that it sent the message. DKIM addresses one of the Internet's biggest threats: e-mail fraud. As much as 80% of e-mail that purports to be from leading brands, banks and ISPs is spoofed, according to a report released in late January by the Authentication and Online Trust Alliance (AOTA)."

2 of 180 comments (clear)

  1. Revisionist history by Degrees · · Score: 3, Interesting
    From TFA:

    PayPal is deploying DKIM after already rolling out Sender Policy Framework (SPF), a complementary Microsoft-backed standard that is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to reject e-mail coming out of forged "from" addresses. Except that Microsoft shat on SPF because it was Not Invented Here. They tried to get the world to implement their Sender ID protocol instead.

    The IETF refused to ratify SPF as an official standard because it didn't have Microsoft support.

    Today, RFC 4408 is still an "experimental" protocol - due to Microsoft's hurt. Someone at Network World isn't familiar with the material they are reporting.

    I think SPF addresses a real problem, and does it well; but, my MTA vendor doesn't want to spend the programmer cycles on something non-standard (they've been accused of being non-standard in the past, and don't want to risk the accusation again). I am annoyed that something so simple and easy as SPF isn't ubiquitous yet.

    --
    "The most sensible request of government we make is not, "Do something!" But "Quit it!"
  2. Counter-measure by The+MAZZTer · · Score: 4, Interesting

    From: fraud-dept@interbankcorp.com
    To: joe.smith@someplace.somewhere
    Reply-To: fraud-dept.interbankcorp.com@freewebmailplace.bleh

    Hello, we at InterBankCorp have been having a problem with other people accessing your account, and transferring funds out of it. We are working to rectify this problem, and all we need from you is your username, password, and pin number to confirm that you are the legitimate holder of the account.

    You may note that this e-mail is not signed digitally, as we assured you all our communications with you would be. We are having problems with our e-mail servers, rest assured this message is legitimate as it contains our official logo. Our e-mail problems will be resolved shortly and we will go back to using digital signing to verify our authenticity with you.

    Thank you again for helping us resolve this problem with your account.