DMARC: another step forward in the fight against phishing?

Published: 2013-08-05. Last Updated: 2013-08-05 21:28:19 UTC
by Chris Mohan (Version: 1)
4 comment(s)
 
I’m always searching to find facts and figures on the effectiveness of security measures on phishing attacks, which is harder that it would first seem. This is all is in aid of framing a picture to the boss on why to spend money, energy and resources on this most insidious and highly successful type of attack. That makes it very important to understand what happens towards your company, then you’re industry sector and, finally, how other non-related sectors are doing to create an impact that is meaningful to management. There’s already a number of great human awareness training to turn people in to phishing sensors [1], but let's stick to technical controls for alerting on phishing attacks. 
 
One of my favourites to providing that global view is the Anti-Phishing Working Group (APWG), which does a marvellous job of providing quarterly reports [2] as part of its goal to blunt the damage phishing attacks inflict. So now you’ve got some data points to wow management with how bad phishing globally and it covers different sectors, so how you go about getting some data on phishers targeting your company? 
 
Having an understanding of the phishing problem you face can be hard to fully comprehend. Looking to your own inbox or even that of your company’s mail abuse tracking system is probably missing out on the bigger picture, due lack of visibility: it may have already been blocked up stream, be targeted at your customers, or a number of other reasons and you never get to see the full scope of the phishing attacks. This means you may have to work with external vendors or third parties to tell you what they’re seeing, but that could be a waste of money. So what other option do you have? Glad you asked. 
 
One neat option is DMARC [3], which stands for "Domain-based Message Authentication, Reporting & Conformance", and it has raised debates in bars, meeting rooms and forums on its value and effectiveness, but is worth discussing. In a nutshell "DMARC makes it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn't." Let’s jump the “Well, it has to be configured properly first” argument that normally ignites impassioned ranting [4] and move to the utopia where it's working properly and suddenly you've got reporting that provides decent visibility on one channel of attack the phishers use against your DMARC protected domains. As an added bonus the reporting includes the IP addresses of the botnets/remailer/specific attacker send the email from which allows possible attribution or it to be added to your known bad IP lists.
 
The DMARC guide [5] makes this is pretty easy to get the results back and I've have great reporting for the personal domains I own, but then wondered how this stacks up for the big players and how it does actually reduce the impact of real phishing; then I stumbled over a report by Agari [6]. From reading between the lines and pleasantly coloured graphics, it paints DMARC as a solid defense and reporting mechanism to filter out one line of attack and provides some actionable information on a certain format of phishing attack. 
 
Most of us have come to the realization that despite the technical controls we put in place, a well-crafted phishing email is likely to be opened by the nice person sitting in front of the keyboard. Who doesn’t want to see the salaries for the entire department or a piano-playing kitten? Here’s the but…but if technical controls can drop a percentage of emails bearing the aforementioned kitties getting to the nice people then why the heck not implement it?
 
DMARC isn’t a silver bullet to phishing, can be circumvented by smarter attackers and may have technical factors that means it doesn’t work for your company, but it can provide insight in to attacks you never had before. Anything that makes it harder for a phisher to target your company, friends or family and gives you more visibility in to attacks is worth putting in place or at least reading the specification and making the decision for yourself.
 
As always, if you have any suggestions, insights or tips please feel free to comment.
 
 
[1] http://www.securingthehuman.org/
[2] http://www.apwg.org/resources/apwg-reports/ 
[3] http://www.dmarc.org/
[4] http://www.merriam-webster.com/dictionary/rant 
[5] http://www.dmarc.org/faq.html#s_6 
[6] http://agari.com/2013/07/31/agari-releases-its-2013-email-trustindex-second-quarter-edition/ 
 
 
Chris Mohan --- Internet Storm Center Handler on Duty
Keywords: DMARC phishing
4 comment(s)

Comments

I don't want to sound defeatist, but efforts like this have been going on for (if I'm not mistaken) over 10 years. I'm sure sender authentication can be fine-tuned, but barring some actual change in SMTP (fat chance that) it will never be able to lessen the amount of worry you have to have about spoofing.
I find the more I try to lock things down the more eager the spammers are to get access to my mail servers because the more legit the emails look coming from them.

Also my customers will click on the link on an email from werethemailadminforexampledotcomreallytrustus@yahoo.co.kp and fill out their username, password, email address, real name, alternate email addresses with logins and passwords, 4 phone numbers, credit card number, bank account routing number and account number, SSN, address, street they grew up on, first car, name of their pet, facebook, twitter, and linkdin account names, mother and both grandmother's maiden names, birthdays for every member of their extended family, birth city, birth hospital, and submit a picture of their birth certificate, driver's license and passports.

Then scream at me when I lock their email account when I detect it being used to send spam.
[quote=comment#26839] [... funny comments about gullible users ...]]
Then scream at me when I lock their email account when I detect it being used to send spam.[/quote]

You could just do what yahoo does - autorespond to email sent to abuse@yahoo.com referring the sender to a web page to report abuse... then have that page be one of a circularly linked collection of pages helpfully telling yahoo customers how to report spam they receive, and neglect to make it possible for anyone to report spam coming FROM a yahoo customer. That'll knock all those pesky abuse reports down to zero!

Of course, if you don't have as many sheep... er, I mean customers, as yahoo does that might lead to your IPs getting RBL'd six ways from Sunday. I've gotten so fed up with yahoo that large swaths of their IP space are quarantined or outright blocked by one of our mailing list servers, and I've taken to whitelisting the few legit yahoo addresses we see. And I've only had to whitelist 2 legit yahoo senders in the last 18 months. Google's not much better...
This post is getting old now, but thought I'd comment anyway. Been trying to figure out the excitement about DMARC. I have serious problems with it from an architectural standpoint, but those aside I really take issue with how it's being sold as an effective anti-phishing solution. It doesn't prevent phishing; it prevents the phishing from having the real domain in the sender/from. That's a critical distinction and in my mind that's barely moving the needle. So, the phishing attack is exactly the same but the sender is "admin@fe-dex.com" (or whatever) instead of "admin@fedex.com". Maybe your users are more sophisticated than mine:-) In my experience, many phishing campaigns already don't use the real domain.

Diary Archives