SAN FRANCISCO -- While fighting phishing often seems like an every-organization-for-itself situation, the only way to mitigate the threat is to have the organizations that send important emails to their customers collaborate with the webmail providers who filter those emails via the use of reputation services, agreed a panel of experts at the RSA Conference 2011 today.
"When it comes down to it, we all share our customers," said Steve Jones, a senior architect for Bank of America Corp. "If they don't trust any messages, they won't be looking for [legitimate] alert messages [we send]."
The panel, moderated by Paul Smocer, executive vice president of the BITS Financial Services Roundtable project management office, focused on the importance of two email authentication technologies they said were crucial for preventing phishing messages: SPF, which prevents sender address spoofing, and DKIM, in which a cryptographic signature on the message is verified against a public key published in DNS. "When used in tandem," said Kelly Wanser, chairman and CEO of eCert Inc., "[SPF and DKIM] help reduce the amount of edge cases" where legitimate emails are blocked.
SPF, or the Sender Policy Framework, prevents the sender address from being tampered with. The standard allows email senders to spell out their policies and publish domain information in the DNS zone. The recipient server then verifies that the message complies with the published policy, and can block it if it does not. SPF also allows a reputation to be attached to sender addresses. DKIM, also known as DomainKeys Identified Mail, uses cryptographic authentication to validate the signature on a message.
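As an added illustration (not from the article or any of the panelists), the following Python shows the receiver-side SPF check described above: the sender's published policy is read from a DNS TXT record and the connecting IP is matched against its terms. It assumes no network access, so DNS is replaced by a constructed in-memory table, and the domain names and addresses are constructed documentation values.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: no live DNS here).
# The sender publishes its policy; the receiver fetches and evaluates it.
CONSTRUCTED_TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, lookups=CONSTRUCTED_TXT, depth=0):
    """Evaluate the SPF record for `domain` against the connecting IP.

    Returns pass/fail/softfail/neutral/none/permerror, walking the terms in
    order as RFC 7208 does. Only ip4, ip6, include and all are modelled here.
    """
    if depth > 10:                       # RFC 7208 caps DNS-causing mechanisms at 10
        return "permerror"
    record = lookups.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # an unprefixed mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" matches every client
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed address or prefix in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: only a "pass" from the referenced policy matches this term
            if check_spf(arg, client_ip, lookups, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # mechanism not modelled (a, mx, exists, ...)
    return "neutral"                     # record ended without an "all" term
```

A receiver would typically reject on "fail", treat "softfail" as a scoring signal, and report unsigned or failing mail back to the sending organization, which is the feedback loop the panel describes.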
But the implementation process, unfortunately, is not easy for either. Adam Dawes, a product manager for Google Inc., explained that "systematically signing and making all email authenticatable is hard," and that it "took [Google] the better part of a year" to finish the process.
Google, however, was in a unique position to understand the technologies, as it is both a sender of mass emails, and a receiver in the form of its Gmail Web mail provider. This made it easier for them to track down emails that were purporting to come from Google. "Efforts [to implement these technologies effectively] would've been pretty much impossible if we had not been a receiver ourselves," Dawes said.
To that end, senders and receivers were encouraged to talk to one another in the fight against phishing techniques. Michael Hammer, head of Web operations security at AG Interactive (AGI), the online division of American Greetings Corp., explained that, in 2007, when ecard phishing was rampant, AGI had already "fully implemented strong SPF and DKIM for all greeting card domains." The company then told the large mailbox providers: "If [an ecard from AGI] fails authentication, toss it. [But] providers weren't in a position to authenticate."
Since then, mail receivers have been playing catch-up, but are trying to coordinate better. According to Dawes, that means systematically providing information to senders so that they can tie their infrastructures down. "If we know that [an organization] is signing all of its emails," he said, "if we get one that's not signed, we know to contact them."
Another member of the panel, Alex Popowycz, vice president of security for Fidelity Investments, agreed: "As a result of feedback we get from ISPs, we [are able to compile a] list of URLs in emails that have been blocked that we can add to our proxy."
Complete success, however, will require cooperation not only between the organizations sending the emails and the webmail providers, but also with users, who are on the front lines when it comes to distinguishing legitimate emails from illegitimate ones. "We want folks to know our mail," Hammer said.