Home > Helping your organization avoid phishing: E-mail authentication
Book Chapter:
EMAIL THIS

Helping your organization avoid phishing: E-mail authentication

31 May 2005 | John Wiley & Sons

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

In this excerpt of Chapter 6 from Phishing: Cutting the Identity Theft Line, authors Rachael Lininger and Russell Dean Vines explain how e-mail authentication helps protect companies from phishing attacks.

E-mail authentication systems may provide an effective means of stopping e-mail and IP spoofing. E-mail spoofing is probably one of the biggest current Web security challenges. Without authentication, verification and traceability, users can never know for certain if a message is legitimate or forged. E-mail administrators continually have to make educated guesses on behalf of their users on what to deliver, what to block and what to quarantine.

The three main contenders for authentication are Sender Policy Framework (SPF), SenderID and DomainKeys. APWG estimates that adopting a two-step e-mail authentication standard (say, using both SPF and DomainKeys) could stop 85% of phishing attacks in their current form. Although all four systems rely on changes being made to DNS, they differ in the specific part of the e-mail that each tests:

  • SPF: Checks the "envelope sender" of an e-mail message -- the domain name of the initiating SMTP server.
  • SenderID: Checks after the message data is transmitted and examines several sender-related fields in the header of an e-mail message to identify the "purported responsible address."
  • DomainKeys: Checks a header containing a digital signature of the message. It verifies the domain of each e-mail sender as well as the integrity of the message.
  • Cisco Identified Internet Mail: Adds two headers to the RFC 2822 message format to confirm the authenticity of the sender's address.

You should start preparing for e-mail authentication. All e-mail will eventually have to comply with some type of sender verification methods if you want it to get through. Successful deployment of e-mail authentication will probably be achieved in stages, incorporating multiple approaches and technologies. The following sections discuss these four approaches in greater detail.


E-MAIL AUTHENTICATION

  The Sender Policy Framework (SPF)
  SenderID
  DomainKeys
  Cisco Identified Internet Mail

PHISHING: CUTTING THE IDENTITY THEFT LINE
By Rachael Lininger and Russel Dean Vines
334 pages; $29.99
John Wiley & Sons
Read Chapter 6, Helping your organization avoid phishing


BROWSE BY TAG
Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Email and Messaging Threats (spam, phishing, instant messaging)
Chinese hacker attacks target Google Gmail accounts, top tech firms
PDF attack code complicates security analysis, skirts detection
Panda warns of American Express phishing scam
Active PDF attacks target Reader, Acrobat zero-day vulnerability
Yahoo login credentials at risk to hijacking attack
The world's top 5 riskiest domains
How to secure a .pdf file
Top spammer gets four years in jail for stock fraud scheme
New Zeus spam poses as Social Security statements
Messaging security risks have upper hand on solutions
Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
CAPTCHA  (SearchSecurity.com)
crimeware  (SearchSecurity.com)
Operation Phish Phry  (SearchSecurity.com)
pharming  (SearchSecurity.com)
phishing  (SearchSecurity.com)
Register of Known Spam Operations  (SearchSecurity.com)
Rock Phish  (SearchSecurity.com)
Sender Policy Framework  (SearchSecurity.com)
spam cocktail  (SearchSecurity.com)
spear phishing  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary




Search Additional Security Research and Solutions
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts