Fifteen major Internet firms have launched a joint project to make it harder to get “phishing” e-mails through to recipients. The plan involves the firms authenticating their messages in a way that is much harder for scammers to emulate.
The project is known as Domain-based Message Authentication, Reporting, and Conformance, or simply DMARC. Its leverage comes from scale: the companies involved send, or rather relay on behalf of their users, around 15 percent of all e-mail worldwide. Perhaps just as importantly, they send the kind of messages net users regularly receive and are inclined to trust, which is exactly why spoofed copies of those messages are effective at harvesting log-in details and other personal information.
DMARC members include messaging firms AOL, Facebook, Google, LinkedIn, Microsoft and Yahoo; financial institutions Bank of America, Fidelity Investments and PayPal; and online cards company American Greetings. Five e-mail security providers are also involved.
The project builds on two existing technologies: SPF, which lets a receiver check that the sending server is one the domain owner has authorised, and DKIM, which lets the receiver verify a signature showing the message was sent by the domain and has not been altered in transit. What DMARC adds is a standard, published policy, looked up in DNS under the sender's domain, that says how that domain's e-mail is protected, requires the SPF or DKIM result to align with the domain in the visible From: header, and tells the receiver what to do if something is amiss (for example, quarantine or reject the message) and where to send reports. The protection applies to any e-mail that passes between two participating firms, for example a Facebook notification going to a Windows Live Mail customer, or a PayPal message going to a Gmail customer.
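The evaluation described above, as an added example that is not code from the DMARC project or any of the member firms: a receiver takes the From: domain, the SPF and DKIM results it has already computed (with the domains each result applies to), looks up the sender's published record, checks alignment and returns the disposition the policy asks for. The DNS records, domain names and authentication results below are constructed for illustration; the organizational-domain logic is deliberately crude (real receivers consult the Public Suffix List), and the `pct` and `sp` tags are ignored.

```python
"""Minimal DMARC policy evaluation (illustrative, not a production verifier)."""

# Constructed stand-in for DNS TXT records at _dmarc.<domain>.
# None of these are the real records of these domains.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; adkim=s; aspf=r",
    # example.org (a look-alike of example.com) publishes no record at all
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict, or None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    # Alignment defaults to relaxed when the tags are absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Crude organizational domain: the last two labels (assumption; real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r') only the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             lookup=DNS_TXT.get):
    """Return (disposition, reason) for one message.

    spf_domain is the envelope MAIL FROM domain SPF was evaluated against;
    dkim_domain is the d= tag of the DKIM signature that verified.
    """
    from_domain = from_domain.lower()
    record_txt = lookup("_dmarc." + from_domain)
    if record_txt is None:
        # No record on the exact domain: fall back to the organizational domain.
        record_txt = lookup("_dmarc." + organizational_domain(from_domain))
    if record_txt is None:
        return "none", "no DMARC record published for %s" % from_domain
    policy = parse_dmarc_record(record_txt)
    if policy is None:
        return "none", "record under %s is not a valid DMARC record" % from_domain

    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned %s result" % ("SPF" if spf_ok else "DKIM")
    return policy["p"], "no aligned SPF or DKIM pass; applying p=%s" % policy["p"]


if __name__ == "__main__":
    # Constructed scenarios: a spoof, a genuine message, a look-alike domain,
    # a subdomain inheriting the org policy, and a strict-alignment failure.
    cases = [
        ("example.com", "pass", "mailer.invalid", "none", None),
        ("example.com", "fail", "mailer.invalid", "pass", "example.com"),
        ("example.org", "pass", "example.org", "none", None),
        ("news.example.com", "pass", "bounce.news.example.com", "none", None),
        ("example.net", "fail", "forwarder.invalid", "pass", "mail.example.net"),
    ]
    for case in cases:
        print(case[0], "->", evaluate(*case))
```

The third case is the limitation the article goes on to describe: a look-alike domain that publishes no policy simply gets no DMARC disposition, so the receiver has nothing to act on. The last case shows why strict alignment is a deployment decision rather than a free hardening: a legitimate subdomain signature fails under `adkim=s` and the message is quarantined.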
The system has been in the works for 18 months and has been operational “for a while” before today’s public announcement.
Those involved note that the protection only prevents scammers from sending a bogus message as if it came from the legitimate domain itself. It does not stop scammers who use a close substitute that could mislead the recipient, for example sending from a look-alike domain such as example.org when the legitimate domain is example.com, because the look-alike domain publishes no policy for the receiver to enforce.