Avoid phishing with e-mail authentication: The Sender Policy Framework

The Sender Policy Framework (SPF), formerly Sender Permitted From, is an extension to the older mail sending protocol, Simple Mail Transfer Protocol (SMTP), which provided almost no sender verification of e-mail. SPF makes it easy to counter most forged "From" addresses in e-mail, thus helping to counter e-mail source address spoofing.

When a user sends you mail, an e-mail server connects to your e-mail server. When the message comes in, your e-mail servers can, based on SPF published

E-mail Security School Attend our on-demand E-mail Security School webcasts and learn tactics for securing your e-mail systems while earning CPE credits from (ISC)2.

addresses of its e-mail servers, tell if the server on the other end of the connection actually belongs to the sender.

AOL is a big supporter and deployer of SPF. It recently pulled out of development of Sender ID, another mail verification protocol. SPF is deployed around the world; the e-mail servers of more than 86,000 domains use the authentication technology, as of this writing.

SPF is not an IETF standard yet, but it has a good chance of becoming a standard, and will be submitted soon. SPF is not expected to totally eliminate spam, but it's another weapon in the fight against spam and phishing.

Some spammers love SPF

Although legitimate e-mailers are starting to quickly adopt SPF, apparently spammers are adopting it faster. A recent study by CipherTrust (www.ciphertrust.com) showed that 34% more spam is bypassing SPF checks than legitimate e-mail. This means that a spam message is three times more likely to pass an SPF check than to fail it, as long as the address is registered. As long as spammers comply with the protocol, register their SPF records and don't spoof the sender address, their messages will not be stopped. What this really means is that one e-mail authentication solution alone will not stop the tide of spam; it's just one part of a fraud and spam prevention program.

E-MAIL AUTHENTICATION

  Introduction
  The Sender Policy Framework (SPF)
  SenderID
  DomainKeys
  Cisco Identified Internet Mail

PHISHING: CUTTING THE IDENTITY THEFT LINE By Rachael Lininger and Russel Dean Vines 334 pages; $29.99 John Wiley & Sons Read Chapter 6, Helping your organization avoid phishing

BROWSE BY TAG Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Email and Messaging Threats (spam, phishing, instant messaging) Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Phishing attacks to remain a major problem, say security experts Barracuda acquires Purewire expanding Web security reach FBI raids phishing crime ring, nearly 100 arrested Massive phishing scheme affects Microsoft Hotmail accounts Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CAPTCHA  (SearchSecurity.com) crimeware  (SearchSecurity.com) Operation Phish Phry  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Register of Known Spam Operations  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Sender Policy Framework  (SearchSecurity.com) spam cocktail  (SearchSecurity.com) spear phishing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary