DMARC's Abysmal Adoption Explains Why Email Spoofing is Still a Thing (zdnet.com)
Companies around the world are still failing to see the benefits of implementing DMARC, an email security protocol designed to prevent email spoofing, the primary trick used by cybercriminals to deliver phishing emails and BEC scams. From a report: Around 79.7% don't use DMARC, according to a report that surveyed the DMARC policies deployed with 21,075 business and government domains. The survey, carried out by email security and analytics firm 250ok, analyzed domains from sectors such as Fortune 500, US government (Executive, Legislative and Judicial), the China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, education, e-commerce, financial services, and travel sectors. The survey looked specifically at DMARC adoption because of the protocol's importance.
Economics is the problem (Score:5, Insightful)
Don't implement it and your company's emails are more likely to end up in our users' spam folder, simple as that
And exactly what is the economic cost of that to the 80% who don't implement it? Not sure what the 80% is counting against, but it is clear that the 80% thinks it costs more to implement DMARC than to ignore it.
I'm convinced the real reason that spam will live forever is because spam is an economic problem and NO amount of technical finesse or finagling is going to "solve" it. Proof of concept in the only major form of spam that has been cured: Pump-and-dump stock-scam spam. After some researchers proved the scam was as good as printing money, they changed the rules of the game ON THE ECONOMIC SIDE, and now you don't see that kind of spam anymore.
If we actually want to seriously address the spam problem, then we need to go after the spammers' economic models. Find out where they are getting their money and block it. My favored approach would be to work with the potential victims to give them the tools to help put the spammers out of business.
So what's the economic model for that solution approach? How attractive would your email system be if the spammers were afraid to send email there? Today you could conquer the spammers and tomorrow you could conquer the world (of email) !
Oh well. Another triggered rant. Time's up, so I bid you ADSAuPR, atAJG.
Re: (Score:2)
...I'm convinced the real reason that spam will live forever is because spam is an economic problem and NO amount of technical finesse or finagling is going to "solve" it ...
Good point. Personally, I think it's also a people problem. The people responsible for the spam and their families don't have to face the kinds of consequences that would deter them from their current business model. Many countries would be reluctant to impose those kinds of consequences.
Re: (Score:3)
I have to agree, but with the stipulation that most people are economic animals (at some risk of insulting the animals). However you are focusing on the punishment side, and I think it would be better to focus on the prevention side.
In the example of the pump-and-dump stock-scam spam, it was already illegal and they were punishing the scammers as fast as they could catch them, but that didn't stop the spam. Then they changed the rules of the stock markets (where the money was coming from), which made the mo
Re: (Score:3)
The AC managed to attract my attention by saying something so stupid.
Actually, part of the problem with SMTP was that the researchers and computer scientists were too well funded and therefore they felt free to ignore the economic considerations and symmetry. As a joke, you can say that Al Gore and Jon Postel deserve part of the blame for creating the email spam problem.
Re: (Score:2)
Your attempt at reframing it as a "people problem" is really your wish for retribution.
fjnork!!. I hate it when people point out my character defects.
The consequences ought to be that sending spam simply doesn't result in income. That also saves you from having to find every last of the spammer fsckers.
And also relieves me of the burden of being the Almighty Avenging Angel of Doom And Dismemberment. Cool. Now I've got time for ice cream and Tour de France recaps.
Email does not work that way. There is no centralized email service who can say, "You will now pay 5 cents per email" Anybody can set up their own email server on their own terms, although getting through other people's spam filters might not be so simple. Note that spam filters are also completely decentralized, so you can't impose a universal 5 cents per email charge here either.
Re: (Score:2)
You are fuzzily describing the fundamental flaw of SMTP. My proposed solution didn't actually require any fixed cost, but rather any kind of tracking on the basis of at least imagining that a fixed price existed. In normal cases, the imaginary charges would cancel out and no real money need be involved. However, any source of large amounts of spam would start incurring a debt. I thought the best enforcement mechanism would actually be a logarithmic delay based on the excess of email sent.
Re: (Score:2)
You're still not making any sense. "Tracking"? Who is tracking? "Incurring a debt"? Incurring a debt to whom? Who is imposing this "logarithmic delay"? There's no central authority to do any tracking, to collect on any debts, or to enforce any punishments like a delay in processing a transgressor's emails. As you say, this can be regarded as the "fundamental flaw" of SMTP. Are you proposing that SMTP be replaced? That would mean asking people to abandon the universal standard that ensures they can
Re: (Score:2)
You ask too rudely. In addition, most of the answers to your rude questions seem to be intuitively obvious to the most casual observer. If you can't understand the obvious, then you need to ask more politely to motivate me to explain. Or perhaps you are merely accustomed to people who are more willing to ignore rudeness? However I've already had a slightly annoying day and the weather is too hot, too.
Magic 8 ball says "Ask again later."
Re: (Score:2)
Magic 8 ball says "I don't have any answers, so I'll just call you rude instead."
Public masturbation of 191822 (Score:2)
Z^-1
Re: (Score:2)
" thinks it costs more to implement DMARC than to ignore it."
if only that much thought went into it.
Re: (Score:2)
That doesn't seem like much of an argument. Nothing constructive anywhere in your mind?
Have you actually written an email system? I wrote several of them. Later on part of my job was maintaining half of a complicated email system (written in Pascal, ported to Zeta Lisp, and ported by me over to Common Lisp). In my last heavily email-related job, I was actually hired as a full-time postmaster, though it turned out that being the postmaster was only one half of a double-time job, with the other half being cus
Re: (Score:2)
It's more like 80% don't know anything about Internet standards or care to do any work whatsoever to try to follow them.
Re: (Score:2)
It's more like 80% don't know anything about Internet standards or care to do any work whatsoever to try to follow them.
Having actually worked as a postmaster several times I'm calling BS. However let's assume that I'm naive and that SMTP and the RFCs of those years no longer matter. After all web-based email is different in many ways.
Why don't you clarify or add substance to your point? Specifically, why don't you explain why any postmaster (even a part-time postmaster), wouldn't want to save money by implementing DMARC (assuming that implementing DMARC would actually save money)?
Re: (Score:2)
DMARC won't directly save you money. It is absolutely a good thing and you should implement it, since it keeps bad guys from sending email pretending to be you, but it requires you to know what you're doing, monitor the reports occasionally, help other people in your company understand why they can't just sign up a new ESP without knowing what SPF and DKIM are, and deal with other fallout. It also isn't compatible with many mailing lists, so sites with real end-users could have problems.
Since SO many of the
Re: (Score:2)
Your comment is unclear. I cannot even tell if you are disagreeing or agreeing with my comment, but more than that, it sounds like you are contradicting yourself. Perhaps you should clarify or I should assume that my economic perspective blinds me to your point or points.
I find myself wondering what is the cost of allowing someone to impersonate my email server and what is the cost of delays in following the steps to stop it. Or maybe I should have explicitly mentioned the problem of false positives in the
Re: (Score:2)
DMARC could save you money if it prevents what would otherwise be a successful phish from reaching your employees.
DMARC could save you money if its use allows recipients to make better filtering decisions on your valid email.
DMARC will cost you time to implement, which has a cost.
DMARC might cost you money if you do it wrong and some of your valid email therefore does not reach its recipients.
Only you can judge the actual costs or benefits of the above.
Re: (Score:2)
Reminds me of Benjamin Franklin's old tabular approach, though there are lots of variations since then. The basic idea is to make two lists, pro and con, and attempt to estimate the values.
However, in this case we already know the key result. 80% say nay, and that pretty much insures failure.
Then again, I may have a hammer problem and I just see DMARC as a badly bent nail. I think the best approach would be to ask the potential victims for help with an analytic webform. In several iterations of analysis and
Re: (Score:1)
Then your users are pissed off about missing emails from an important client and lost a business deal. Good job IT nerd.
Re: (Score:2)
What's crazy is that so much spam these days comes from "valid" domains. Valid as in they bought a domain from one of the boutique TLDs that no sane person would ever use unironically as their e-mail address, and it's in their outbound SMTP configuration, so it appears in the envelope address where it can be filtered. My guess is that perhaps free or nearly-free e-mail providers (the ones that look the other way when users spew spam) are somehow requiring a valid domain that resolves in a DNS query. And spa
Re: (Score:2)
Hmm, I was mostly referring to spam in general. I'm sure spoofing is still a thing in terms of phishing, but it still requires the sender to configure their outbound SMTP to match the spoof. It is easy to spoof the From header, but spoofing the envelope requires more technical knowledge, and full control of your own mailer. Also, most ISPs now block outbound port 25 connections, killing the spoof-aware malware mailer market, and shifting the source to spam-friendly hosting.
But at the amazingly low level
Not mandated. (Score:2)
The real reason they aren't using it is because it's not mandated by anyone. All that would be needed is for the US gov. to mandate that companies taking credit cards to use it for all email (so that people not using it couldn't communicate with them) and it would be everywhere.
Re: (Score:1)
And last I checked, the US Government's regulations don't sway China Hot 100 companies because... China is not a territory governed by the US Government.
Re: (Score:2)
But when all the big players are doing it in the US, it will apply pressure to foreign companies.
Especially because the 3rd day after implementing it, companies would be advertising that they are secure and other companies are not.
Whaling (Score:2)
DMARC started as layer on top of SPF and DKIM to basically let companies prevent their customers getting scammed by phishing campaigns; generally being nice guys and perhaps saving a little reputation collateral damage for the imitated companies.
Turns out the big use case for DMARC has nothing to do with protecting customers free of charge. It's "whaling"; phishing attacks on high-level (CxO) managers within the companies being scammed, costing literally millions of dollars. https://searchsecurity.techtar.. [techtarget.com]
Re:Whaling (Score:4, Informative)
DMARC helps prevent this by making it harder to fake internal emails. Typical spearphishing is still done with just basic knowledge of key employees (easily found) and corporate procedures and is still a numbers game; hoping that at least one of many attempts will work. Obviously if the scammer has hacked his way into their servers sufficiently to send DKIM-signed mail from an SPF approved server, DMARC will show the email as legit, but at that point a hacker can probably do more lucrative things than gamble that a spearphishing campaign works.
Whaling is not some magic method that always works; it's basically phishing at a smaller scale at higher cost and greater profit margins but it still mostly fails as, surprise, managers are usually somewhat suspicious of unexpected multi-million dollar money transfer requests. DMARC just provides an extra layer on top of basic human vigilance.
There's a reason adoption is abysmal (Score:3)
It (and its pre-requisites SPF and DKIM) is poorly documented and difficult to implement. I consider myself a fairly technical person and still had to spend an entire evening to get it set up.
Re: There's a reason adoption is abysmal (Score:1)
It is difficult. But it's actually completely free with no hidden gotcha costs.
Re: (Score:2)
Time is money, especially if you're paying for somebody else's time.
Re: (Score:2)
It took me about a day to get it all worked out and a proposal for my company written.
The implementation took about 20 minutes from start to finish.
Yes, a little complicated because the best instructional reference is the RFC itself but it is not THAT complicated. (It's no IPv6 for example)
If you are responsible for administering e-mail for your company, there is really no downside to setting this up along with DKIM and SPF.
Re: (Score:3)
but I can't figure it out easily, therefore it's haaaaaarrrrd and not worth it!
A thing I've heard about pretty much every technical thing for the last 35 years.
Re: (Score:2)
"fairly technical person and still had to spend an entire evening to get it set up"
one of these is not like the other.
Re: (Score:2)
It (and its pre-requisites SPF and DKIM) is poorly documented and difficult to implement.
It's not so difficult that spammers can't do it. Every single SPAM I receive has valid SPF records in DNS and is correctly DKIM signed.
Re: (Score:2)
Thing is, I now get all these DMARC reports that I don't know what to do with.
"Around 79.7%" (Score:1)
"Around 79.7%"? Can't they be more specific? I would expect a number of at least 79.683%.
Mailing lists are still a thing (Score:1)
DMARC is one of those lovely spam fighting policies that break mailing lists. This is a problem when you deal with Google, which aggressively enforces it. The "solutions" aka From-rewrite are just plain ugly.
Re: (Score:2)
By those benchmarks, HTTP credit card payments are very broken in most web browsers.
The Internet is not as safe a place as it used to be. Mailing lists are still possible - but need a modern approach. Just don't spoof the sender. Reply-to headers are useful if you need responses to go back to a different place.
Re:Mailing lists are still a thing (Score:5, Insightful)
SPF and DKIM are both reasonable solutions to fighting counterfeit e-mail. In particular, SPF protects the envelope-From information. There are very good technical reasons why it protects envelope-From, but doesn't protect header-From. DMARC completely ignores all of these technical considerations and erroneously uses SPF to verify the header-From. That's not what SPF was designed for, and not surprisingly all hell breaks loose when somebody does this.
DMARC is (barely) usable for sending newsletters from the marketing department. It is utterly broken when being used to send person-to-person or person-to-group e-mails. No competent IT person would ever deploy it for anything other than newsletters. There is just too much risk that DMARC-enabled messages are treated as spam or, in the case of mailing lists, that they break everybody else's mail.
DKIM and SPF on the other hand are reasonably sane, assuming they are managed by an IT department that knows what they are doing. I can't even begin to count the number of cases where I was contacted because my servers rejected incoming e-mail, only to point out to the sender that they had configured their own SPF record to mark all of their own e-mail as spam. I am friendly enough to help them fix their systems. But I wonder how many people have sent messages straight to spam folders once they enabled SPF for their domains.
Re: Mailing lists are still a thing (Score:1)
DKIM is not sensible or sane. If you want to use DKIM in your company it's your problem. I have a feeling some of our safeweb suppliers might use DKIM in R&D but I never want it on my intranet.
Re: (Score:3)
DMARC is (barely) usable for sending newsletters from the marketing department. It is utterly broken when being used to send person-to-person or person-to-group e-mails. No competent IT person would ever deploy it for anything other than newsletters.
I don't know what you mean. It's actually less problematic when you deploy it for normal person-to-person email. Newsletters and automated emails are a bigger problem because you have less control over where the email is relayed from and whether they implement DKIM. If you don't have SPF and DKIM nailed, the DMARC doesn't do much.
I think the whole thing is relatively reasonable, but the biggest problem I've run into is the limit on SPF lookups. I've seen lots of companies where they have automated emai
That's because Dmarc is terrible (Score:5, Insightful)
Ha. I had to implement DMARC for an organisation once, and I'm totally unsurprised nobody else is bothering to.
To start with, DMARC is barely worth focusing on. It consists largely of SPF and DKIM (with some reporting added in). But both DKIM and SPF are a pain to set up and/or plain wrong or fragile.
SPF won't survive forwarding; so that's right out: enable SPF, and *more* of your mail may end up in spam folders. I'm not sure what the designer of SPF was thinking, but clearly thinking wasn't high on their priorities.
DKIM is, in principle, better. Except: it's pretty fragile, and breaks in unfortunate ways. Email processing pipelines have traditionally had leeway to do all kinds of stuff to the message, and in particular the content. But with DKIM - if you so much as trim a trailing whitespace, or accidentally reorder a header, it silently breaks (but DMARC adds overcomplicated reporting, so if you're lucky you might have that set up right and tell that something fishy is up).
Also: validating the sender is all fine and good, but that's not what your email client is showing you, right? So even if everything worked just fine, it would be much more confusing than https - and I'm not sure people understand https, let alone email headers.
And even if everything happens to work - this is really just the tip of the iceberg; it's far from simple, with reporting and whatnot. And better hope you never make a mistake or all kinds of mail will disappear into /dev/null thereafter. Also, in real organisations you may run into issues like department X does the website and has DNS control, but B does marketing and email... so let's just test that inter-department communication system, shall we? Since it's all complicated to set up, it takes a modicum of expertise too. Color me unsurprised that it's not taking the world by storm; it's confusing, expensive, fragile, risky, not really all that valuable, and there's no special interest group to push it.
So... yaaaay, DMARC might, ever turn out to be a thing. Or not. But hey, at least we have a not-quite-solution to spam we can pretend we're aiming for.
Re: (Score:2)
Hear, hear, and I'd give you another insightful mod point if I ever had one to give.
Not having the mod point, I'll just comment on the main effect of the verification approaches on the spam that does arrive these days. Lots of the spam has thousands of characters of header information so the mail system will say moderately nice things about it before the spam filters throw it in the spam folder anyway.
So why are the verification-based approaches failing so badly? Mostly because the cost of getting free emai
Gmail and Office 365 (Score:2)
From my experience most organizations use either Gmail or Office 365 for their emails. The number of organizations that bother hosting their email servers is dropping, because it is a lot of IT work to keep and maintain, where your IT resources could be used to actually improving the business.
So if Google and Microsoft don't use it, most organizations will not use it.
Re: (Score:3)
These services will only set all this up for you if you use default domains (gmail.com, onmicrosoft.com)
If you use custom domains, you have a bit of set-up work to do because you need to update your DNS records.
I set up DMARC on Office 365 for my company and it was not terribly difficult.
Re: (Score:2)
"most organizations use either Gmail "
what? any companies larger than 50 million a year?
Re: (Score:2)
Maybe the smaller ones, but large ones with concerns for security do not. One software vendor I worked for (reasonably large) migrated to Office 365 when I started working there, before that they ran their email servers.
This is not my specialty, but I have set up personal email servers on occasion and once they were setup they basically looked after themselves. So I am not sure what you mean by it would take a lot of
DMARC does not prevent spoofing (Score:5, Interesting)
DMARC does absolutely nothing to prevent spoofing. You can compose an email whose From: header looks like this:
From: <bad@phisher.org> "<trusted@bank.com> CEO of Your Bank"
And it can pass SPF, pass DKIM, pass DMARC, and most email clients will not display the true sender address, but only what's inside the quotes. Sigh.
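As an added example (not code from the thread or from any DMARC implementation), here is a minimal Python check that shows two points raised above: a DMARC pass depends on the SPF or DKIM domain aligning with the header From domain (the "Mailing lists" reply's complaint that DMARC repurposes SPF for header-From), and a passing DMARC result says nothing about an address hidden in the display text, as in the From: line just above. The domains, the sample headers and the simplified organisational-domain rule are assumptions.

```python
import re
from typing import Optional

# The angle-bracket address is what SPF/DKIM/DMARC alignment keys on.
_ANGLE_ADDR = re.compile(r"<\s*([^<>\s@]+@[^<>\s@]+)\s*>")
# Anything that merely looks like an address in the display text.
_ADDR_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.ASCII)


def split_from(header_value: str) -> tuple:
    """Return (display_text, address) for a From: header value.

    Deliberately lenient, like many mail clients: the display text is everything
    outside the first angle-addr, whether it precedes it (RFC 5322 form) or
    trails it (the malformed form quoted in the thread)."""
    m = _ANGLE_ADDR.search(header_value)
    if m is None:
        return "", header_value.strip()
    display = (header_value[:m.start()] + " " + header_value[m.end():]).strip()
    return display.strip('" '), m.group(1)


def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels). Real DMARC consults
    the Public Suffix List; this is an assumption good enough for .com/.org."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(header_from: str,
             spf_domain: Optional[str], spf_pass: bool,
             dkim_domain: Optional[str], dkim_pass: bool,
             aspf: str = "r", adkim: str = "r") -> dict:
    """Combine upstream SPF/DKIM results (assumed already computed) with the
    header From address, the way a DMARC verifier does, and also report any
    address-looking text in the display name (the trick the thread describes)."""
    display, addr = split_from(header_from)
    from_domain = addr.rpartition("@")[2]
    spf_aligned = spf_pass and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_pass and aligned(from_domain, dkim_domain, adkim)
    in_display = _ADDR_LIKE.findall(display)
    return {
        "display": display,
        "address": addr,
        "from_domain": from_domain,
        "dmarc_pass": spf_aligned or dkim_aligned,
        "addresses_in_display": in_display,
        # True when the display text names a different organisation than the
        # real sender: DMARC passed, yet the reader sees someone else.
        "display_mismatch": any(
            org_domain(a.rpartition("@")[2]) != org_domain(from_domain)
            for a in in_display),
    }


if __name__ == "__main__":
    # Constructed sample 1: the thread's From: line. SPF and DKIM both pass for
    # phisher.org, so DMARC passes; the display text is the only warning sign.
    print(evaluate('<bad@phisher.org> "<trusted@bank.com> CEO of Your Bank"',
                   "phisher.org", True, "phisher.org", True))
    # Constructed sample 2: mail relayed by a third party. SPF passes for the
    # relay's envelope domain, but that domain is not aligned with bank.com,
    # so DMARC fails unless the message also carries a bank.com DKIM signature.
    print(evaluate('"Alerts" <alerts@bank.com>', "bulk-sender.example", True,
                   None, False))
```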
Re: (Score:2, Funny)
"...does absolutely nothing to prevent spoofing."
Maybe save the conversation for the experts, m'kay?
Re:DMARC does not prevent spoofing (Score:4, Informative)
dskoll is correct. DMARC does nothing to prevent phishing attacks that spoof the "Full Name" portion of the email address. If email clients would show the full email address rather than just the "Full Name" portion maybe people wouldn't be fooled as often.
Re: (Score:1)
Sounds like an issue with the mail clients rather than DMARC.
Re: (Score:2)
If DMARC, SPF, and DKIM are all set up, then at least the email can be more easily identified as spam if it's not actually being sent by bad@phisher.org. If bad@phisher.org is actually sending the emails, then you can blacklist the domain, report abuse, and at least play whack-a-mole with that instead of having all email completely spoofed without any authentication.
In addition to helping to prevent completely willy-nilly spoofing, DMARC also provides a scheme for getting reporting back on how your spam p
It's not limited to email (Score:5, Insightful)
I don't see how DMARC can stop something like this. Yes it'll prevent someone not from Bank of America from sending an email which looks like it's from bofa.com. But it won't prevent someone from statebusinessfilings.com from reminding you you need to file your statement of information via their website for $100. And in a way, it's arguably worse. Right now people are taught not to trust the From: line in an email. But if your company implements DMARC, then you're telling them they can trust the From: line in the email. So sometimes they can trust it, sometimes they can't. How many people do you think are going to keep straight which is which? If you're going to implement something like this, it needs to be everyone everywhere implementing it simultaneously. Otherwise it'll just cause more problems than it solves (people trusting the From: line on their email because they think it's protected by DMARC, when it turned out that that email service wasn't protected).
Re: (Score:2)
No, it's not limited to email, but snail mail has NEVER created the degree of nuisance that email spam produces. It's a simple matter of cost, as in the marginal cost of email is effectively zero. SMTP was written for a good-neighbor universe of politely mutual back-scratchers, so they ignored the money part of it.
Multiply the cost of a stamp by a million or a billion, and it's expensive. But the cost of email can pretend to be zero, so it doesn't matter how much you multiply it.
Having said that, I think th
DMARC is e-mail spoofing protection (Score:1)
DMARC protects your domain against spoofing, true.
It doesn't protect users against phishing, as most phishing e-mails do not use spoofing of a company domain, but use a completely new, lookalike domain.
DMARC won't protect against that.
Mostly killed for non-technical reasons (Score:3, Interesting)
SPF/DKIM/DMARC isn't complicated to set up. It is however blamed (and removed) as soon as any exec in the company thinks someone didn't get their email because of it. I've deployed it at several companies and only one has kept it in place. The second biggest killer I've run into is when they use external vendors to send out emails and never bother to communicate with IT first, "our $XXX marketing push failed because no one got the messages!".
The one company that has kept it is in a regulated industry, and has been the target of a significant number of phishing/whaling attacks. They actually go even further. Every incoming message from an external source gets flagged and a warning message placed on the message. Any incoming message from an external source that has a display name shared by an employee at manager level or higher gets pushed into a handling queue to be approved by Compliance before delivery. Compliance gets to decide if it is whitelisted to bypass this in the future.
Re:Phone spoofing is worse (Score:4, Informative)
Re: (Score:1)
The so-called "Ford memo" is a figment of your imagination that comes from a movie called "Class Action."
It's not a real thing - just a cheap dramatization designed to demonize a group of hardworking Americans who got together to build cars.
"Fatalities Associated" by Grush and Saunby (Score:2)
"Fatalities Associated with Crash Induced Fuel Leakage and Fires" by Grush and Saunby [autosafety.org] states "$200,000 per death, $67,000 per injury, $700 per vehicle." How was this document fabricated?
Consistency between ANA and CID (Score:2)
CID says what the caller wants it to say.
ANA says who the caller is and what networks they are calling from.
In context, from the point of view of a subscriber receiving a call, a "spoofed" CID is one that does not correctly identify the caller. Based on your terminology, the problem is that an individual or residential phone subscriber receiving a call has no way to tell whether ANA and CID for that call are consistent.
Re: (Score:2)
The correct acronym is ANI (Automatic Number Identification) [wikipedia.org], and it is useless for boiler-room VoIP junk calls:
ANI is generally not transmitted when a call is operator assisted; only the area code of the last switch to route the call is sent.
Placing a call through an outbound-only VoIP service or some calling cards will cause a non-working number to be sent as the ANI. ANI is also not supported properly for calls originated from four-party lines.