Page 42 - Cyber Defense eMagazine - November 2017

SURVEYING ANTI-PHISHING STANDARDS – PART 2

by Marc Laliberte, Information Security Threat Analyst, WatchGuard Technologies

In our last article, we looked at three different technology standards that combat spam and phishing attacks. If you haven’t read the first installment of this two-part series yet, check it out now to familiarize yourself with some important terms we’ll use while exploring why these anti-phishing standards aren’t more widely used today.

Sender Policy Framework (SPF) was an open standard created to prevent sender address forgery in email envelope MAIL FROM headers. At around the same time, DomainKeys Identified Mail (DKIM) was developed to authenticate approved mail servers for a domain. Finally, Domain-based Message Authentication, Reporting and Conformance (DMARC) was a solution crafted to tie SPF and DKIM together with added reporting functionality. All three of these technologies are great at helping to stop common forms of phishing. So, why haven’t they reached 100 percent adoption?

As it turns out, SPF and DKIM adoption is actually doing quite well among email senders. According to a 2016 report by Google, 95 percent of non-spam emails received by Gmail users came from senders with SPF records, and nearly 88 percent of non-spam emails employed DKIM signing. DMARC, however, is still struggling to take off. A Federal Trade Commission report earlier this year found that only a third of surveyed companies have published DMARC records, and less than 10 percent of that group have configured their DMARC records to reject unauthenticated messages.

The good news is that DMARC adoption has been seeing modest improvements. According to the Online Trust Alliance (OTA), adoption of both DMARC records and rejection/quarantine policies has grown over the past year (from 27.4 percent to 34.3 percent and from 5.8 percent to 14.6 percent, respectively), and the Internet Retailer and Consumer categories were the lead adopters for both. Unfortunately, organizations in the Federal and ISP categories were the laggards in records adoption, and banks and federal groups were dragging their feet in rejection/quarantine adoption.

So, while there have been humble increases in DMARC adoption, the rates are still low, especially for records with compliance enforcement enabled. Why might this be? For one thing, it’s common for businesses to start with a DMARC record configured with a “none” policy while testing, which tells recipient email servers not to take any action against non-compliant messages. Businesses might choose to do this if they use third-party mailer services to send newsletters, since a misconfigured DMARC record can cause those messages to be denied. It’s certainly important to test policy changes in phases instead of diving right in at the risk of breaking something critical, like your company’s ability to send email.
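To make the survey figures above concrete, here is an added example (not part of the article) that classifies a constructed set of DMARC TXT records the way the FTC and OTA surveys do, separating domains that merely publish a record (p=none) from those that actually quarantine or reject. It also recognises the pct tag defined in RFC 7489, which is how a phased rollout of the kind the author recommends is expressed in the record itself; all domain names and records below are made up.

```python
# Added example: constructed DMARC TXT records for hypothetical domains.
SAMPLE_RECORDS = {
    "retailer.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer.example",
    "bank.example": "v=DMARC1; p=none; rua=mailto:reports@bank.example",
    "isp.example": None,  # nothing published at _dmarc.isp.example
    "agency.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.example": "v=spf1 include:_spf.broken.example -all",  # SPF, not DMARC
}


def parse_dmarc(record):
    """Split a DMARC record into lower-cased tag/value pairs.
    Returns None if there is no record, v= is not DMARC1, or p= is missing."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(record):
    """Label a record: no-record, monitor-only (p=none), invalid,
    phased-<policy>-<pct>% when pct < 100 samples enforcement, or enforcing."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-record"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100  # RFC 7489 default is 100
    return "enforcing" if pct >= 100 else f"phased-{policy}-{pct}%"


def adoption_stats(records):
    """Return (fraction with a valid DMARC record, fraction fully enforcing),
    the two figures the surveys cited above keep apart."""
    labels = [classify(r) for r in records.values()]
    with_record = sum(label != "no-record" for label in labels)
    enforcing = sum(label == "enforcing" for label in labels)
    return with_record / len(records), enforcing / len(records)
```

Run against real domains by feeding the TXT record fetched from `_dmarc.<domain>` into `classify`; the summary shows at a glance how many of your domains are still parked on the monitoring-only policy.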



Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.