DMARC is not the solution to E-mail Fraud.

stacks of money

The latest craze in E-mail security appears to be DMARC. Let me preface my post by saying I use DMARC, I use SPF and I use DKIM. I understand that people are mostly up in arms about the importance of DMARC because of how many major organizations haven’t adopted it. I understand it’s importance.

Problems with DMARC

Here’s the issue as I see it. DMARC does not solve phishing E-mails. It doesn’t do much more than SPF already does, and it doesn’t solve trust or identity in E-mail.

DMARC requires compliance by the recipient server to function at all, and all it does is tell the recipient to reject, quarantine, or allow fraudulent E-mails, a feature that SPF already provides.

This prevents someone from sending email from “custserv@paypal.com” but it doesn’t do anything to prevent them from sending an email from “custserv@payypal.com” which is how a huge number of phishing attacks are launched.

Oh and DMARC gives you some forensic information on who is sending fake E-mails from your domain. Which is completely useless in a high traffic real world scenario because you can’t take any effective action against the perpetrators.

Key Pair Signing & Encryption, a Real Solution.

Meanwhile we have PGP/GPG signatures which would, if properly implemented, provide a user friendly means of identifying the sender of an E-mail and verifying the integrity of an E-mail. But these have been completely disregarded by nearly 100% of organizations as “too difficult” to implement. Seriously, why doesn’t GMAIL come with a ‘PGP’ button?

PGP is arguably easier to implement worldwide than SPF + DKIM + DMARC. All you need to do is create the functionality client-side to create keys manage keyrings and interact with key databases. Compare this with setting up 3 different inline mail verification tools on every E-mail server in the world plus a slew of DNS records which can instruct servers to pass fake E-mails along without notifying the end users at all of suspicion.

Why are we being sold this half-assed solution to E-mail fraud when the real answer has existed for decades and would be easier to implement? If someone can explain why DMARC is being treated as the holy grail of E-mail security I would really appreciate it.

GPG/PGP is “Too Hard” for End Users

Bullshit. The difficulty of PGP/GPG has nothing to do with the technology and everything to do with the lack of proper support in E-mail clients. End Users don’t need to understand the technology at all, they just need a button that creates a key and publishes it to public key databases. The process is no more complicated than adding people to the address book on your phone.

Paranoid Conclusion

Using keypairs to verify authenticity of E-mail comes with a bonus feature, they can be used to encrypt E-mail to the point that it is “uncrackable”. Adding the signing capability to a service like GMAIL would also make it a lot easier for users to encrypt their E-mail, which would destroy Google’s business model since they read all of your E-mail to gather data. This is probably the #1 reason why keypairs have been ignored, with the #2 reason being pressure from world governments.

Your Thoughts?

My paranoid conclusion is not the only possible scenario, I would love to hear the opinions of other internet security experts on this issue.

Some Good News

You can implement PGP/GPG in your own E-mail and start using it with your friends, family and colleagues right away. And you should.  Visit the Electronic Frontier Foundation website to find some simple step by step tutorials for all platforms.

My Public Key: https://tailpuff.net/keys/

System Adminsitrators: Disregard “Reputation” when fighting SPAM

Envelope with an @ symbol

Preface

A number of companies offer a service where they provide “reputation” scores for various domains and IP addresses based on reports of SPAM originating from those networks. These “reputations” are meaningless however, and E-mail Server Administrators should completely disregard them, for a number of reasons.

One: False Reporting

Probably the most significant issue is that the majority of E-mail reported as SPAM, does not actually fit the definition. SPAM is clearly defined as Unsolicited Bulk E-mail. The first requirement is it must be unsolicited. If you do business with a company, you sign up on their website or you order a thing or you just send feedback to an E-mail address of theirs, you have opted in to receive E-mail from that company. Under the rules of the CAN-SPAM act that company has to include in it’s marketing E-mails a link which allows you to easily unsubscribe from those newsletters, but because you initiated contact with that company it is by definition not “Unsolicited”.

The second requirement is that the E-mail has to be bulk E-mail. This means it has to be sent to a lot of people, and is not targeting specific individuals or businesses. If you post a comment on a website forum about gardening, and another reader of that forum builds a mailing list which includes your name and then sends you individual marketing information about his gardening products, that is not SPAM. It may be unsolicited, but it does not qualify as bulk, because he is targeting you as an individual.

Most users don’t understand these requirements. The average person in our society believes that SPAM is any E-mail they don’t explicitly want to receive. And they will often click the “SPAM” button in their E-mail clients when they should instead be clicking the “Unsubscribe” button in those E-mails. For this reason, the vast majority of SPAM reports, which “reputation scores” are based on, are false.

Two: Maintenance

It is practically impossible for the operators of reputation lists to maintain those lists with anything resembling accuracy. A lot of spammers will rent cheap servers from legitimate providers (those with a zero tolerance for abusive customers such as spammers), send millions of SPAM emails from their cheap server, and then when they get booted off they order a new server under a new identity. A lot of SPAM is also sent using servers which have been compromised because their owners are not keeping them secure. The result of this is that the IP addresses of those servers or even their parent networks get a lower reputation. Digital Ocean is a great example, they have a strict zero tolerance policy toward SPAM, but Outlook.com will often block entire subnets of the Digital Ocean IP range, because of the momentary behavior of a few unrelated servers on their network. The people selling these “reputation” lists are not checking up on individual IPs every week to see if the SPAM has stopped or if the operators of those IPs have been booted off the network. The information is almost always going to be outdated.

Three: It hurts legitimate businesses

One of the greatest things about The Internet is how it empowers any person to create small businesses from nothing. It’s extremely cheap to set up a website and start operating a business. It is extremely frustrating when you are a small business owner, to discover you can’t email one of your customers because they use Outlook.com for their E-mail, and you use a respectable hosting provider who just happens to be blocked by Outlook.com’s idiotic reputation list.

Four: There are better ways

There is an accepted “best practice” for E-mail Server Administrators to deal with the threat of SPAM. E-mail which is suspicious should be shuffled into a “Junk” folder in the recipient’s inbox, where it can still be reviewed. There are a number of tools available to help identify suspicious E-mail. A sender’s DNS information should include an SPF record, which tells recipients which IP addresses are authorized to send E-mail on behalf of that domain name. It should include a DKIM public key, which is used to verify the authenticity of each individual E-mail by comparing it against the DKIM signature which should be in the headers of all outgoing E-mails, and it should include a DMARC record which instructs recipients on precisely what steps should be taken when an E-mail fails either the SPF or DKIM tests. These methods are effective at identifying the majority of SPAM. For example any SPAM sent from hijacked servers is going to fail both the SPF and DKIM tests.

In addition to this, there are public “Blacklists”. Unlike “Reputation Lists”, the publically maintained domain blacklists are actually trusted. They contain lists of Domains which have contributed obscenely to the SPAM problem. Furthermore there are steps which can be taken to have a domain removed from a blacklist. It’s possible to check the status of your domain name and see if it is on any of the public blacklists, because they are not commercial services. Reputation Lists are commercial products and so a provider of those services is not necessarily going to let you see your own score unless you pay them, which makes it impossible for a domain owner to petition for changes. On top of this, some “Reputation Lists” are known to take bribes to “whitelist” your domain name. The public and trusted blacklists cannot be paid off.

Conclusion: Reputation Lists are garbage

So to summarize, if you are an E-mail Server Administrator, do not use “Reputation Scores” to identify SPAM. Use Blacklists, ensure that your server is performing tests against SPF and DKIM, and following recommended behavior in DMARC records. Configure your server to label suspicious E-mails as potential SPAM, and dump those into a “Junk” sub-folder of your users’ Inbox. Encourage your users to try the “Unsubscribe” link instead of reporting an E-mail as SPAM.

If you try SPAM filtering methods which are too aggressive, you are going to lose users. As an E-mail Server Administrator, your first priority is to ensure that 100% of legitimate E-mails sent to your users are reaching their destination. Everything else is secondary, and if you can’t provide that then your users are going to find someone else who will.