Big Internet Players Propose DMARC Anti-Phishing Protocol

judgecorp writes "Google, Microsoft, PayPal, Facebook and others have proposed DMARC, or Domain-based Message Authentication, Reporting and Conformance, an email authentication protocol to combat phishing attacks. Authentication has been proposed before; this group of big names might get it adopted." Adds reader Trailrunner7, "The specification is the product of a collaboration among the large email receivers such as AOL, Gmail, Yahoo Mail and Hotmail, and major email senders such as Facebook, Bank of America and others, all of whom have a vested interest in either knowing which emails are legitimate or being able to prove that their messages are authentic. The DMARC specification is meant to be a policy layer that works in conjunction with existing mail authentication systems such as DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework)."

Re:Why a new protocol?

[rabbit994]

Because average users have issues with it and they are people this proposal are trying to protect.

If any security is going to happen for average user, it must be forced upon them. Otherwise, "it's too hard"

Re:We already have email authentication

[Nemilar]

The problem with PGP/signed-emails is that you're putting the burden on the user. I'm a pretty technical guy, and I don't even want to bother with it. There's no way that the average person it going to take the time to understand and implement PGP.

The proposed solution puts the burden entirely on the system and the providers, so is more likely to be adopted and actually used (and therefore, successful in its end-purpose of stopping phishing attacks).

Re:Why a new protocol?

[mlts]

PGP/gpg is ideal because it sits atop of everything else. However, most people wouldn't be bothered to generate and store securely a private key, much less build a usable WoT and making sure not just just absent-mindedly sign everyone's key that passes by.

Re:From: critical@paypal-warning.com

[hairyfeet]

As someone who works 6 days a week fixing the things let me say why this won't work....users are fucking stupid. No seriously, dumb as post,thicker than Mississippi mud, make Forest Gump look like Stephen Hawking, spend a week at any shop and see if your gob isn't permanently smacked by the level of stupid we encounter.

Oh don't get me wrong, we do our best. most of us put on free AVs and try to educate the user but frankly the shit goes in one ear and out another, here let me give an example. One of the local insurance companies has an employee we call "Velma the disaster area' for how quickly she can hose a PC. Now the insurance company won't fire her because she has a mind like a steel trap for insurance, so when Joe the plumber walks in Velma can go "Hey Joe, how's Betty? you're youngest Cindy is about to be driving age and you know i can get you a discount if she gets good grades, does she have time to take a safety course? because i can get you a lower rate if she takes one" and so on. Needless to say the gal brings in business so they STFU and just make us poor fixit guys deal with Velma.

Here is my last exchange with Velma, swear to god its true: Me/Do NOT open that password protected email, its a virus! Velma "Oh you worry too much, its from my BFF Kim, see? that's her name right there, she wouldn't do anything bad she's my BFF!" /Me/ I KNOW Kim and she does NOT have the skills to password protect anything, hell she'd never even find the button! Do NOT open that! Velma "Oh Kim is not that bad on computers and she could have got her husband Bill to do it, and it says its kitten pics see? She know I like kittens!" /Velma promptly opens the zip, clicks on the .exe, and hoses the machine/ Velma "Ooops" /Me ...........

So you see friends the malware guys will just do as they are doing now and hit the weakest link which is ALWAYS PEBKAC. I haven't see a Windows driveby since Vista came out, simply because malware writers are lazy and can just get the idiot behind the desktop to do the work for them instead of having to do all that coding work. So it doesn't matter if they make email dummy proof, the malware guys simply will switch to loading a keylogger in a match 3 game or kitty screensaver and that's all she wrote.. the only way to kill malware would also kill FOSS deader than Dixie because you'd have to switch all the users to locked down iShiny or Wintabs where they have ZERO rights to do anything but what the corps tell them to, and to turn the net into an oversized home shopping network. Personally i like having control over my machines too much to let the march of the morons destroy my ability to put what I want on them, so they can try all they want but i can tell them it just won't work. No matter how smart your solution is the monkey with the wrench will fuck that shit up big time.