Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Security IT Technology

DMARC's Abysmal Adoption Explains Why Email Spoofing is Still a Thing (zdnet.com) 113

Companies around the world are still failing to see the benefits of implementing DMARC, an email security protocol designed to prevent email spoofing, the primary trick used by cybercriminals to deliver phishing emails and BEC scams. From a report: Around 79.7% don't use DMARC, according to a report that surveyed the DMARC policies deployed with 21,075 business and government domains. The survey, carried out by email security and analytics firm 250ok, analyzed domains from sectors such as Fortune 500, US government (Executive, Legislative and Judicial), the China Hot 100, the top 100 law firms, international nonprofits, the SaaS 1000, education, e-commerce, financial services, and travel sectors. The survey looked specifically at DMARC adoption because of the protocol's importance.
This discussion has been archived. No new comments can be posted.

DMARC's Abysmal Adoption Explains Why Email Spoofing is Still a Thing

Comments Filter:
  • by Dorianny ( 1847922 ) on Monday July 29, 2019 @01:12PM (#59006984) Journal
    Don't implement it and your company's emails are more likely to end up in our users spam folder, simple as that
    • by shanen ( 462549 ) on Monday July 29, 2019 @01:36PM (#59007164) Homepage Journal

      Don't implement it and your company's emails are more likely to end up in our users spam folder, simple as that

      And exactly what is the economic cost of that to the 80% who don't implement it? Not sure what the 80% is counting against, but it is clear that the 80% thinks it costs more to implement DMARC than to ignore it.

      I'm convinced the real reason that spam will live forever is because spam is an economic problem and NO amount of technical finesse or finagling is going to "solve" it. Proof of concept in the only major form of spam that has been cured: Pump-and-dump stock-scam spam. After some researchers proved the scam was as good as printing money, they changed the rules of the game ON THE ECONOMIC SIDE, and now you don't see that kind of spam anymore.

      If we actually want to seriously address the spam problem, then we need to go after the spammers' economic models. Find out where they are getting their money and block it. My favored approach would be to work with the potential victims to give them the tools to help put the spammers out of business.

      So what's the economic model for that solution approach? How attractive would your email system be if the spammers were afraid to send email there? Today you could conquer the spammers and tomorrow you could conquer the world (of email) !

      Oh well. Another triggered rant. Time's up, so I bid you ADSAuPR, atAJG.

      • ...I'm convinced the real reason that spam will live forever is because spam is an economic problem and NO amount of technical finesse or finagling is going to "solve" it ...

        Good point. Personally, I think it's also a people problem. The people responsible for the spam and their families don't have to face the kinds of consequences that would deter them from their current business model. Many countries would be reluctant to impose those kinds of consequences.

        • by shanen ( 462549 )

          I have to agree, but with the stipulation that most people are economic animals (at some risk of insulting the animals). However you are focusing on the punishment side, and I think it would be better to focus on the prevention side.

          In the example of the pump-and-dump stock-scam spam, it was already illegal and they were punishing the scammers as fast as they could catch them, but that didn't stop the spam. Then they changed the rules of the stock markets (where the money was coming from), which made the mo

          • by shanen ( 462549 )

            The AC managed to attract my attention by saying something so stupid.

            Actually, part of the problem with SMTP was that the researchers and computer scientists were too well funded and therefore they felt free to ignore the economic considerations and symmetry. As a joke, you can say that Al Gore and Jon Postel deserve part of the blame for creating the email spam problem.

        • Well we could not just prosecute but persecute spammers. That would in fact make the economics of it less appealing.
      • by geekoid ( 135745 )

        " thinks it costs more to implement DMARC than to ignore it."

        if only that much thought went into it.

        • by shanen ( 462549 )

          That doesn't seem like much of an argument. Nothing constructive anywhere in your mind?

          Have you actually written an email system? I wrote several of them. Later on part of my job was maintaining half of a complicated email system (written in Pascal, ported to Zeta Lisp, and ported by me over to Common Lisp). In my last heavily email-related job, I was actually hired as a full-time postmaster, though it turned out that being the postmaster was only one half of a double-time job, with the other half being cus

      • by ahodgson ( 74077 )

        It's more like 80% don't know anything about Internet standards or care to do any work whatsoever to try to follow them.

        • by shanen ( 462549 )

          It's more like 80% don't know anything about Internet standards or care to do any work whatsoever to try to follow them.

          Having actually worked as a postmaster several times I'm calling BS. However let's assume that I'm naive and that SMTP and the RFCs of those years no longer matter. After all web-based email is different in many ways.

          Why don't you clarify or add substance to your point? Specifically, why don't you explain why any postmaster (even a part-time postmaster), wouldn't want to save money by implementing DMARC (assuming that implementing DMARC would actually save money)?

          • by ahodgson ( 74077 )

            DMARC won't directly save you money. It is absolutely a good thing and you should implement it, since it keeps bad guys from sending email pretending to be you, but it requires you to know what you're doing, monitor the reports occasionally, help other people in your company understand why they can't just sign up a new ESP without knowing what SPF and DKIM are, and deal with other fallout. It also isn't compatible with many mailing lists, so sites with real end-users could have problems.

            Since SO many of the

            • by shanen ( 462549 )

              Your comment is unclear. I cannot even tell if you are disagreeing or agreeing with my comment, but more than that, it sounds like you are contradicting yourself. Perhaps you should clarify or I should assume that my economic perspective blinds me to your point or points.

              I find myself wondering what is the cost of allowing someone to impersonate my email server and what is the cost of delays in following the steps to stop it. Or maybe I should have explicitly mentioned the problem of false positives in the

              • by ahodgson ( 74077 )

                DMARC could save you money if it prevents what would otherwise be a successful phish from reaching your employees.

                DMARC could save you money if its use allows recipients to make better filtering decisions on your valid email.

                DMARC will cost you time to implement, which has a cost.

                DMARC might cost you money if you do it wrong and some of your valid email therefore does not reach its recipients.

                Only you can judge the actual costs or benefits of the above.

                • by shanen ( 462549 )

                  Reminds me of Benjamin Franklin's old tabular approach, though there are lots of variations since then. The basic idea is to make two lists, pro and con, and attempt to estimate the values.

                  However, in this case we already know the key result. 80% say nay, and that pretty much insures failure.

                  Then again, I may have a hammer problem and I just see DMARC as a badly bent nail. I think the best approach would be to ask the potential victims for help with an analytic webform. In several iterations of analysis and

    • by Anonymous Coward

      Then your users are pissed off about missing emails from an important client and lost a business deal. Good job IT nerd.

  • The real reason they aren't using it is because it's not mandated by anyone. All that would be needed is for the US gov. to mandate that companies taking credit cards to use it for all email (so that people not using it couldn't communicate with them) and it would be everywhere.

    • by nadass ( 3963991 )
      Yeah, just like compliance to existing PCI standards, HTML standards, OpenSSL and OpenSSH encryption libraries, and *not* using your Social Security Number as unique personal identifier... mandates are not really a thing in the open market.

      And last I checked, the US Government's regulations don't sway China Hot 100 companies because... China is not a territory governed by the US Government.
      • by geekoid ( 135745 )

        But when all the big players are doing it in the US, it will apply pressure to foreign companies.

        Especially because the 3rd day after implementing it, companies would be advertising while that are secure and other companies are not.

        • by Megane ( 129182 )
          But they already advertise that they are secure. Almost nobody will know the difference between one kind of security and another, so the masses won't even care. All they will care about is that now something is broken, and banks are giving them another hoop to jump through.
  • DMARC started as layer on top of SPF and DKIM to basically let companies prevent their customers getting scammed by phishing campaigns; generally being nice guys and perhaps saving a little reputation collateral damage for the imitated companies.

    Turns out the big use case for DMARC has nothing to do with protecting customers free of charge. It's "whaling"; phishing attacks on high-level (CxO) managers within the companies being scammed, costing literally millions of dollars. https://searchsecurity.techtar.. [techtarget.com]

    • Don't see how DMARC is all that useful against "whailing". Most of those are high level spearfishing attacks where the attacker has already gained access to some legit e-mail accounts and possibly the internal network in order to gather the information needed to craft a believable spearfish email
      • Re:Whaling (Score:4, Informative)

        by mwvdlee ( 775178 ) on Monday July 29, 2019 @01:55PM (#59007294) Homepage

        DMARC helps prevent this by making it harder to fake internal emails Typical spearfishing is still done with just basic knowledge of key employees (easily found) and corporate procedures and is still a numbers game; hoping that at least one of many attempts will work. Obviously if the scammer has hacked his way into their servers sufficiently to send DKIM-signed mail from an SPF approved server, DMARC will show the email as legit, but at that point a hacker can probably do more lucrative things than gamble that a spearfishing campaign works.
        Whaling is not some magic method that always works; it's basically phishing at a smaller scale at higher cost and greater profit margins but it still mostly fails as, surprise, managers are usually somewhat suspicious of unexpected multi-million dollar money transfer request. DMARC just provides an extra layer on top of basic human vigilance.

  • by Guspaz ( 556486 ) on Monday July 29, 2019 @01:26PM (#59007094)

    It (and its pre-requisites SPF and DKIM) are poorly documented and difficult to implement. I consider myself a fairly technical person and still had to spend an entire evening to get it set up.

    • by Anonymous Coward

      It is difficult. But it's actually completely free with no hidden gotcha costs.

    • by nadass ( 3963991 )
      I don't believe this research evaluated the implementation and enforcement of the DMARC protocol; rather, they simply scanned DNS records to see if the requisite public keys were configured across all primary/secondary domains of the companies.
    • It took me about a day to get it all worked out and a proposal for my company written.

      The implementation took about 20 minutes from start to finish.

      Yes, a little complicated because the best instructional reference is the RFC itself but it is not THAT complicated. (It's no IPv6 for example)

      If you are responsible for administering e-mail for your company, there is really no downside to setting this up along with DKIM and SPF.

      • by geekoid ( 135745 )

        but I can't figure it out easily, there fore it's haaaaaarrrrd and not worth it!

        A thing I've heard about pretty much every technical thing for the last 35 years.

    • by geekoid ( 135745 )

      "fairly technical person and still had to spend an entire evening to get it set up"

      one of these is not like the other.

    • It (and its pre-requisites SPF and DKIM) are poorly documented and difficult to implement.

      It's not so difficult that spammers can't do it. Every single SPAM I receive has valid SPF records in DNS and is correclty DKIM signed.

    • Well still, that's not bad. Probably took me a few hours too, but it was the lookup counts in our SPF records that were the real pain in my ass. Not that setting up DKIM selectors for all our marketing services was a snap. It wasn't. In the end though, it's just a DNS record. Waiting for the internal process of someone contacting our registrar to make the change probably took longer than everything else.

      Thing is, I now get all these DMARC reports that I don't know what to do with.

  • by Anonymous Coward

    "Around 79.7%"? Can't they be more specific? I would expect a number of at least 79.683%.

  • by Anonymous Coward

    DMARC is one of those lovely spam fighting policies that break mailing lists. This is a problem when you deal with Google that aggressive enforce it. The "solutions" aka From-rewrite are just plain ugly.

    • By those benchmarks, HTTP credit card payments are very broken in most web browsers.

      The Internet is not as safe a place as it used to be. Mailing lists are still possible - but need a modern approach. Just don't spoof the sender. Reply-to headers are useful if you need responses to go back to a different place.

    • by markus ( 2264 ) on Monday July 29, 2019 @01:58PM (#59007316) Homepage

      SPF and DKIM are both reasonable solutions to fighting counterfeit e-mail. In particular, SPF protects the envelope-From information. There are very good technical reasons, why it protects envelope-From, but doesn't protect header-From. DMARC completely ignores all of these technical considerations and erroneously uses SPF to verify the header-From. That's not was SPF was designed for, and not surprisingly all hell breaks loose when somebody does this.

      DMARC is (barely) usable for sending newsletters from the marketing department. It is utterly broken when being used to send person-to-person or person-to-group e-mails. No competent IT person would ever deploy it for anything other than newsletters. There is just too much risk that DMARC-enabled messages are treated as spam or, in the case of mailing lists, that they break everybody else's mail.

      DKIM and SPF on the other hand are reasonably sane, assuming they are managed by an IT department that knows what they are doing. I can't even begin to count the number of cases where I was contacted because my servers rejected incoming e-mail, only to point out to the sender that they had configured their own SPF record to mark all of their own e-mail as spam. I am friendly enough to help them fix their systems. But I wonder how many people have sent messages straight to spam folders once they enabled SPF for their domains.

      • by Anonymous Coward

        DKIM is not sensible or sane. If you want to use DKIM in your company it's your problem. I have a feeling some of our safeweb suppliers might use DKIM in R&D but I never want it on my intranet.

      • by davecb ( 6526 )
        It's a tiny technical contribution to the solution to a large economic problem. I expect the effect of its uptake is less than the margin of error of the study being cited (;-))
      • DMARC is (barely) usable for sending newsletters from the marketing department. It is utterly broken when being used to send person-to-person or person-to-group e-mails. No competent IT person would ever deploy it for anything other than newsletters.

        I don't know what you mean. It's actually less problematic when you deploy it for normal person-to-person email. Newsletters and automated emails are a bigger problem because you have less control over where the email is relayed from and whether they implement DKIM. If you don't have SPF and DKIM nailed, the DMARC doesn't do much.

        I think the whole thing is relatively reasonable, but the biggest problem I've run into is the limit on SPF lookups. I've seen lots of companies where they have automated emai

  • by EMN13 ( 11493 ) on Monday July 29, 2019 @01:42PM (#59007200) Homepage

    Ha. I had to implement DMARC for an organisation once, and I'm totally unsurprised nobody else is bothering to.

    To start with, DMARC is barely worth focusing on. It consists largely of SPF and DKIM (with some reporting added in). But both DKIM and SPF are a pain to setup and/or plain wrong or fragile.

    SPF won't survive forwarding; so that's right out: enable SPF, and *more* of your mail may end up in spam folders. I'm not sure what the designer of SPF was thinking, but clearly thinking wasn't high on their priorities.

    DKIM is, in principle, better. Except: it's pretty fragile, and breaks in unfortunate ways. Email processesing pipelines have traditionally had leeway to do all kinds of stuff to the message, and in particular the content. But with DKIM - if you so much as trim a trailing whitespace, or accidentally reorder a header, it silently breaks (but dmarc adds overcomplicated reporting, so if you're lucky you might have that set up right and tell something fishy is up).

    Also: validating the sender is all fine and good, but that's not what your email client is showing you, right? So even if everything worked just fine, it would be much more confusing than https - and I'm not sure people understand https, let alone email headers.

    And even if everything happens to work - this is really just the tip of the iceberg; it's far from simple, with reporting and whatnot. And better hope you never make a mistake or all kinds of mail will disappear into /dev/null thereafter. Also, in real organisations you may run into issues like department X does the website and has DNS control, but B does marketing and email... so let's just test that inter-department communication system, shall we? Since it's all complicated to set up, it takes a modicum of expertise too. Color me unsurprised that it's not taking the world by storm; it's confusing, expensive, fragile, risky, not really all that valuable, and there's no special interest group to push it.

    So... yaaaay, DMARC might, ever turn out to be a thing. Or not. But hey, at least we have a not-quite-solution to spam we can pretend we're aiming for.

    • by shanen ( 462549 )

      Hear, hear, and I'd give you another insightful mod point if I ever had one to give.

      Not having the mod point, I'll just comment on the main effect of the verification approaches on the spam that does arrive these days. Lots of the spam has thousands of characters of header information so the mail system will say moderately nice things about it before the spam filters throw it in the spam folder anyway.

      So why are the verification-based approaches failing so badly? Mostly because the cost of getting free emai

  • From my experience most organizations use either Gmail or Office 365 for their emails. The number of organizations that bother hosting their email servers is dropping, because it is a lot of IT work to keep and maintain, where your IT resources could be used to actually improving the business.

    So if Google and Microsoft doesn't use it, most organizations will not use it.

    • These services will only set all this up for you if you use default domains (gmail.com, onmicrosoft.com)

      If you use custom domains, you have a bit of set-up work to do because you need to update your DNS records.

      I set up DMARC on Office 365 for my company and it was not terribly difficult.

    • by geekoid ( 135745 )

      "most organizations use either Gmail "

      what? any companies larger then 50 million a year?

    • most organizations use either Gmail

      Maybe the smaller ones, but large ones with concerns for security do not. One software vendor I worked for (reasonably large) migrated to Office 365 when I started working there, before that they ran their email servers.

      because it is a lot of IT work to keep and maintain

      This is not my specialty, but I have set up personal email servers on occasion and once they were setup they basically looked after themselves. So I am not sure what you mean by it would take a lot of

  • by dskoll ( 99328 ) on Monday July 29, 2019 @01:51PM (#59007260) Homepage

    DMARC does absolutely nothing to prevent spoofing. You can compose an email whose From: header looks like this:

    From: <bad@phisher.org> "<trusted@bank.com> CEO of Your Bank"

    And it can pass SPF, pass DKIM, pass DMARC, and most email clients will not display the true sender address, but only what's inside the quotes. Sigh.

    • Re: (Score:2, Funny)

      by geekoid ( 135745 )

      "...does absolutely nothing to prevent spoofing."

      Maybe save the conversation for the experts, m'kay?

      • by Anonymous Coward on Monday July 29, 2019 @02:32PM (#59007556)

        dskoll is correct. DMARC does nothing to prevent phishing attacks that spoof the "Full Name" portion of the email address. If email clients would show the full email address rather than just the "Full Name" portion maybe people wouldn't be fooled as often.

    • If DMARC, SPF, and DKIM are all set up, then at least the email can be more easily identified as spam if it's not actually being sent by bad@phisher.org. If bad@phisher.org is actually sending the emails, then you can blacklist the domain, report abuse, and at least play whack-a-mole with that instead of having all email completely spoofed without any authentication.

      In addition to helping to prevent completely willy-nilly spoofing, DMARC also provides a scheme for getting reporting back on how your spam p

  • by Solandri ( 704621 ) on Monday July 29, 2019 @01:53PM (#59007266)
    "Phishing" has been around for at least a century, it just wasn't called that until the Internet age. If you run a business, you'll be inundated with scam letters dressed up to look like government notices, utility notices, and invoices. When I took over my dad's company, he gave me a letter he'd received saying our state Statement of Information filing was due. A few months later he found the letter and return envelope on my desk, and went ballistic asking me why I hadn't paid it yet. I told him I had - I'd paid $20 on the state website to file it. He was flabbergasted. For 30 years he'd been paying the scammer sending these letters $150 every 2 years to file it for him, because they always sent him a notice made to look like an official government notice and invoice. Later that year, our new accountant paid a $500 invoice for some magazine subscription renewal in my name. He later berated me for wasting company money on such an expensive subscription. I told him I didn't subscribe to any magazines, and what he had paid was probably a scam letter. They pull the CEO/president's name from company records, and made an invoice which looks like a subscription renewal of someone important, to try trick someone in accounting into paying it without questioning it because they don't want to bother the important person.

    I don't see how DMARC can stop something like this. Yes it'll prevent someone not from Bank of America from sending an email which looks like it's from bofa.com. But it won't prevent someone from statebusinessfilings.com from reminding you you need to file your statement of information via their website for $100. And in a way, it's arguably worse. Right now people are taught not to trust the From: line in an email. But if your company implements DMARC, then you're telling them they can trust the From: line in the email. So sometimes they can trust it, sometimes they can't. How many people do you think are going to keep straight which is which? If you're going to implement something like this, it needs to be everyone everywhere implementing it simultaneously. Otherwise it'll just cause more problems than it solves (people trusting the From: line on their email because they think it's protected by DMARC, when it turned out that that email service wasn't protected).
    • by shanen ( 462549 )

      No, it's not limited to email, but snail mail has NEVER created the degree of nuisance that email spam produces. It's a simple matter of cost, as in the marginal cost of email is effectively zero. SMTP was written for a good-neighbor universe of politely mutual back-scratchers, so they ignored the money part of it.

      Multiply the cost of a stamp by a million or a billion, and it's expensive. But the cost of email can pretend to be zero, so it doesn't matter how much you multiply it.

      Having said that, I think th

    • by Megane ( 129182 )
      And more appropriate to the user base of Slashdot, anyone who has a domain has probably received both snail-mail and e-mail from scammers who insist that your domain is expiring and that you must send them money right now. I mean, they will make sure that your domain is registered, but only after first re-registering it in their own name, so they can scam you more if you decide to use a different registrar, up to and including selling it off to the highest bidder.
    • Comment removed based on user account deletion
  • by Anonymous Coward

    DMARC protectsd your domain against spoofing, true.
    It doesn't protect users against phishing, as most phishing e-mail don not use spoofing of a company domain, but use a completely new, lookalike domain.

    DMARC won't protect against that.

  • by Anonymous Coward on Monday July 29, 2019 @02:44PM (#59007682)

    SPF/DKIM/DMARC isn't complicated to setup. It is however blamed (and removed) as soon as any exec in the company thinks someone didn't get their email because of it. I've deployed it at several companies and only one has kept it in place. The second biggest killer I've run into is when they use external vendors to send out emails and never bother to communicate with IT first, "our $XXX marketing push failed because no one got the messages!".

    The one company that has kept it is in a regulated industry, and has been the target of significant number of phishing/whaling attacks. They actually go even further. Every incoming message from an external source gets flagged and a warning message placed on the message. Any incoming message from an external source that has a display name name shared by an employee at manager level or higher gets pushed into a handling queue to be approved by Compliance before delivery. Compliance gets to decide if it is whitelisted to bypass this in the future.

Technology is dominated by those who manage what they do not understand.

Working...