Google, Facebook, Microsoft in PHISH-FIGHTING smackdown Google, Facebook and other internet heavyweights are collaborating together to back a standard designed to curtail phishing by improving the collaboration between legitimate senders and receivers of emails. Microsoft, Yahoo and PayPal are teaming up to push DMARC (Domain-based Message Authentication, Reporting & Conformance), …
was along the lines of "oh, more crap like DKIM and DomainKeys in the headers then?" Because that worked so well the last time it tried. Seems to simply be a mix-up of DKIM and SPF and a big fat push from a couple "giants" behind it. Well, nice press releases and happy faces all around then.
Except for the spammers (one hopes, but maybe not) and the obligatory naysayers*. So far, those pesky buggers haven't been disproved. There's always hoping they will be this time, eh?
* http://yro.slashdot.org/comments.pl?sid=2645355&cid=38866277
At least the spammers will have to use more spelling variations of the names of the companies that they are abusing. Of course, looking at how the Internet goes these days, I'm beginning to wonder if any company still has a reputation or brand name worth defending...
Hey, why don't they give US some better tools to help fight the spammers? You know the spammers are going to come up with new wrinkles, but there are two fundamental characteristics of the spam situation that can't be changed:
(1) Most of the crucial numbers are actually against the spammers. I think the most important ratio is that there are very few suckers who are sending money to spammers versus a whole lot of people who hate spam. (The main number in favor of the spammers is the marginal cost of additional email, but that's SMTP for you, no matter how much we wish it would go away.)
(2) The spam that has to reach a human sucker can't be obfuscated beyond the capability of the sucker to understand it, and that means that a less foolish human can understand how to fight it.
My suggestion would be for a major non-evil, web-based, competent email company to implement something like SpamCop on steroids. Rather than one iteration looking for ISPs and webhosts, it would go several iterations and go after ALL of the spammers' infrastructure and accomplices (and also help the victimized companies as in this new technique)--along with 'other' options to quickly open fire on any new wrinkle the spammers think up.
I predict that as soon as one of the big boys adopt it, the others would pile on quickly. I'm not saying that we could turn the spammers into decent human beings. I don't believe in such miracles, but I do think we can push them under less visible rocks--and that the Internet would be much more valuable for ALL of us if there were far fewer spammers and scammers being so visible.
DMARC protects only the actual domain. But, as the Antiphishing Working Group has reported, the actual domain name isn't very important to phishers:
"Most maliciously registered domain strings offered nothing to confuse a potential victim. Placing brand names or variations thereof in the domain name itself is not a favored tactic,since brand owners are proactively scanning Internet zone files for such names. As we have observed in the past, the domain name itself usually does not matter to phishers, and a domain name of any meaning, or no meaning at all, in any TLD, will usually do."
Global Phishing Survey: Trends and Domain Name Use in 1 H 2011, Page 15.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
