Google, Microsoft, Yahoo, PayPal Go After Phishers With New E-Mail Authentication Effort


Major e-mail providers, including Google, Microsoft, and Yahoo are teaming up with PayPal, Facebook, LinkedIn, and more, to implement a new system for authenticating e-mail senders to try to prevent the sending of fraudulent spam and phishing messages.

The protocol that powers e-mail, SMTP, dates back to a more trusting era; a time when the only people who sent you e-mails were people you wanted to send you e-mails. SMTP servers are willing to accept pretty much any e-mail destined for a mailbox they know about (which is, admittedly, an improvement on how things used to be, when they’d accept e-mails even for mailboxes they didn’t know about), a fact which spammers and phishers exploit daily.

Making any fundamental changes to SMTP itself is nigh impossible; there are too many e-mail servers, and they all have to interoperate with each other, an insurmountable hurdle for any major change. So what we’re left with is all manner of additional systems that are designed to give SMTP servers a bit more information about the person sending the e-mail, so that they can judge whether or not they really want to accept the message.

The two main systems in use today are called SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Both systems use DNS to publish extra information about the e-mail sender’s domain. SPF tells the receiving server which outgoing servers are allowed to send mail for a given domain; if the receiving server receives mail from a server not on the list, it should assume that the mail is fraudulent. DKIM embeds a cryptographic signature in e-mail messages, along with an indication of which DNS entry to examine. The receiving server can then look up the DNS entry and use the data it finds to verify the signature.

These systems are not perfect; though both are used widely, they haven’t been adopted universally. This means that some legitimate mail will arrive that doesn’t have SPF or DKIM DNS entries, and so mail servers can’t depend on their presence. Common legitimate operations can also break them; many mailing list programs add footers to messages, which will cause rejection by DKIM, and forwarding e-mails causes rejection by SPF. As a result, failing one or the other test is not a good reason to reject a message.

These systems also make it hard to diagnose misconfigurations; receiving servers will typically just swallow or ignore mails sent by systems with bad SPF or DKIM configurations.

The large group of companies, which includes the biggest web mail servers and some of the most common corporate victims of phishing attempts, is proposing a new scheme, DMARC (“Domain-based Message Authentication, Reporting & Conformance”), in an attempt to tackle these problems. DMARC fills some of the gaps in SPF and DKIM, making them more trustworthy.

DMARC's position within the mail receipt process (illustration by dmarc.org)

DMARC is based on work done by PayPal in conjunction with Yahoo, and later extended to Gmail. This initial work resulted in a substantial reduction in the number of PayPal phishing attempts seen by users of those mail providers, and DMARC is an attempt to extend that to more organizations. As with SPF and DKIM, DMARC depends on storing extra information about the sender in DNS. This information tells receiving mail servers how to handle messages that fail the SPF or DKIM tests, and how critical the two tests are. The sender can tell recipient servers to reject messages that fail SPF and DKIM outright, to quarantine them somehow (for example, putting them into a spam folder), or to accept the mail normally and send a report of the failure back to the sender.

In turn, this makes SPF and DKIM much safer for organizations to deploy. They can start with the “notification” mode, confident that no mail will be lost if they have made a mistake, and use the information learned to repair any errors. DMARC also allows recipients to know if a domain should be using SPF and DKIM in the first place.
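The three policy modes described above can be sketched as a receiver-side decision. This is an added example, not code from the article or from the DMARC group: the records, the example.com and example.net domains and all function names are constructed. It goes slightly beyond the text by requiring the authenticated domain to match the From: domain, and it assumes strict (exact-match) alignment, since DMARC's default relaxed mode compares organizational domains and needs the Public Suffix List.

```python
# Constructed sample records for the placeholder domain example.com (not from the article).
REPORT = "rua=mailto:dmarc-reports@example.com"
MONITOR = "v=DMARC1; p=none; " + REPORT
QUARANTINE = "v=DMARC1; p=quarantine; " + REPORT
REJECT = "v=DMARC1; p=reject; " + REPORT


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable policy."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return None
    tags["p"] = policy
    return tags


def same_domain(from_domain, auth_domain):
    """Strict alignment (assumption): authenticated domain equals the From: domain."""
    if not from_domain or not auth_domain:
        return False
    return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")


def evaluate(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (disposition, report_address) for one received message."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("no-policy", None)  # sender publishes no DMARC; receiver decides alone
    spf_ok = spf_pass and same_domain(from_domain, spf_domain)
    dkim_ok = dkim_pass and same_domain(from_domain, dkim_domain)
    report_to = tags.get("rua")
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return ("deliver", report_to)
    # Both checks failed or were unaligned: apply the sender's published policy.
    action = {"none": "deliver-and-report", "quarantine": "quarantine", "reject": "reject"}
    return (action[tags["p"]], report_to)


if __name__ == "__main__":
    # Forwarded mail: SPF fails at the forwarder, but the DKIM signature survives.
    print(evaluate(REJECT, "example.com", False, "example.com", True, "example.com"))
    # Mail claiming example.com in From: while SPF passes only for an unrelated domain.
    print(evaluate(REJECT, "example.com", True, "mailer.example.net", False, None))
    # The same message while the domain owner is still in monitoring mode.
    print(evaluate(MONITOR, "example.com", True, "mailer.example.net", False, None))
```

The forwarded message is delivered even under the reject policy because its DKIM signature still verifies for the From: domain, while the unaligned message is rejected, or only reported while the owner is still monitoring.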

Without a global rollout, DMARC can’t solve all phishing and spam problems. The companies that have signed up to support the project include major recipients of phishing attempts—the various free e-mail providers—and sites against which phishing attacks are regularly made. Mail sent between the organizations will be verified using the SPF/DKIM/DMARC trifecta. Anyone using the major mail providers and the major services should see a substantial reduction in fraudulent mail. Senders and recipients who want to receive similar protection can implement DMARC themselves by following the specification that the DMARC group is working on.

Given the constraints imposed by SMTP, we may never get an e-mail system that is entirely free of malicious and annoying junk. SMTP e-mail was never designed to be trustworthy, and systems like SPF and DKIM are constrained by the inadequacies of SMTP’s design. Nonetheless, mechanisms such as DMARC can still make a big difference, and with the support of these major companies, e-mail might get that little bit safer.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.


Source http://www.webmonkey.com/?p=54128
Tue, 31 Jan 2012 15:18:00 GMT
Tags: e-mail, Security, servers, Web Basics
