SPF and Sophos PureMessage are working fine for my company's mail system. Not looking forward to implementing additional layers of complexity no matter how easy it is meant to be :(
Anti-phishing DMARC adoption gathers (free) steam
The world's biggest names in the consumer webmail space are sharing security intelligence with businesses for free to help drive adoption of the DMARC email-authentication system. Last month, Google, Microsoft, AOL, Facebook, and Yahoo! joined up with service providers such as PayPal to push the Domain-based Message …
-
Saturday 25th February 2012 03:05 GMT Robert Carnegie
So will the next innovation in spam be...
...to hack PCs in respectable offices and use them to send spam with the stamp of respectability? And traceability, sure. But if you told our head techy guy that a PC in our network was sending spam, I don't know when he'd get around to dealing with it. Or even finding it.
Something important broke today, when it's Friday can we blame Anonymous now?
-
-
Sunday 26th February 2012 14:11 GMT Anonymous Coward
Pathetic uptake still.
SPF and DKIM have been around for years, but only a few percent of people use them, including me. If phishing targets such as banks and HMRC etc actually implemented the damn things, then we can completely eradicate phishing from spoofed domains.
Even PayPal finally implemented SPF, but the "~all" policy doesn't go far enough IMHO.
hmrc.gov.uk is a prime phishing target, and that incomprehensibly still doesn't have any SPF record!
Many online DNS providers still don't provide TXT or SPF fields for users to add policies.
I'm fortunate that I have my own domain servers to configure as I wish.
When will those that should be protecting their identities actually start doing it?
And when will those receiving mail actually include SPF/DKIM checks?
How will DMARC make any difference if adoption is similarly pathetic?
-
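The comment above turns on the difference between a domain with no SPF record, one ending in "~all" (softfail) and one ending in "-all" (fail). The following is an added example, not part of the original thread, that classifies a domain's published TXT records accordingly; the domains and records are constructed samples, and the function names are hypothetical.

```python
# Added example: report what an SPF record tells receivers to do with
# mail from senders it does not list. Sample records are constructed.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_policy(txt_records):
    """Classify the TXT records published for one domain.

    Returns 'none' (no SPF record), 'permerror' (several SPF records),
    'redirect' (policy delegated to another domain), 'neutral' (no 'all'
    term, the RFC 7208 default) or the result of the 'all' mechanism.
    """
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "permerror"          # receivers must not pick one at random
    redirect = False
    for term in spf[0].split()[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            redirect = True         # only used when no 'all' term exists
            continue
        qualifier, mech = (t[0], t[1:]) if t[0] in QUALIFIERS else ("+", t)
        if mech == "all":
            return QUALIFIERS[qualifier]   # terms after 'all' are ignored
    return "redirect" if redirect else "neutral"

def audit(domains):
    """Map each domain to (policy, True if spoofed mail gets a hard fail)."""
    return {d: (p, p == "fail")
            for d, p in ((d, spf_all_policy(t)) for d, t in domains.items())}

# Constructed TXT record sets for reserved example domains.
SAMPLE = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "soft.example": ["site-verification=xyz",
                     "v=spf1 include:_spf.example.net ~all"],
    "missing.example": ["site-verification=xyz"],
    "open.example": ["v=spf1 mx"],
}

if __name__ == "__main__":
    for domain, (policy, hard_fail) in audit(SAMPLE).items():
        print(f"{domain:18} {policy:9} hard fail: {hard_fail}")
```

Only the "fail" result asks receivers to treat unlisted senders as unauthorized; "softfail", "neutral" and "none" all leave the decision to the receiving system.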
-
Monday 27th February 2012 00:51 GMT Shannon Jacobs
Re: Check that invitation list
While it would be nice if everyone followed the standard (or SOME standard among many), that seems to be rather too much to hope for. However, keeping track of the trivial exceptions (such as non-standard email addresses) is the kind of thing that computers are quite good at. When that doesn't work, it should be possible to escalate to find SOMEONE who is willing to act as a responsible party. Yeah, I know that it's pretty hard to escalate above the google these years, which is especially awkward as they follow their tao of EVIL.
However, all in all, this does seem to be an improvement, and I even think that part of the idea seems to be stolen from something I've been advocating for a while. The main difference here is that the lowest level victims (like you and me) aren't properly included in this system. Just a small percentage of us who are willing to volunteer a bit of time could make the lives of the spammers into miserable hellholes. Oh wait. I forgot. Spammers are already living in miserable hellholes--but at least we can try harder to make them less profitable hellholes.
Let's reword the issue a bit: If you had a strong and convenient anti-spam tool, would you use it? I'm talking about something like SpamCop on steroids. Rather than one round looking for ISPs and webhosts, it would go several rounds of refinements, going after ALL of the spammers' infrastructure and ALL of the spammers' accomplices and ALL of the spammers' victims. In addition, it would have 'other' options so we could help recognize the spammers' latest wrinkles BEFORE the spammer can get any money. Would you participate? Would you like to become a spam-fighter first class?
-