DKIM and SPF are two things companies can do to help lower, not stop, but at least lower, the types of attacks that can be pulled off using their name. Recent research by Secure Computing shows that just over two hundred of the Fortune 500 fail to use either one of the forgery countermeasures. This is in contrast to the Sendmail findings that about ninety percent of the Fortune 1000 use SPF or DKIM to fight fraud.
A recent study of the Fortune 500 shows that some of them are still not using SPF and DKIM. (Image: J. Anderson)
SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) can be used by anyone. They help protect the integrity of email by proving that the sender of the email was authorized to send it in the first place. Both protocols are widely promoted and have been shown to reduce phishing, spam and other types of email spoofing. Most ISP services are moving to reject as spam any email that fails SPF or DKIM checks in one form or another.
The test by Secure Computing looked at all of the primary domains used by the Fortune 500, instead of a random sampling. Sendmail tested two hundred eighty-five domains, and found that ninety percent of them used SPF (256 total, to be exact). The results were not what was expected, according to Secure: “A mere 202 companies, when you account for the companies running both technologies - 40% of the Fortune 500. To make matters worse, only 65 of the 167 companies using SPF included the -all policy, which causes a fail result to be sent if the IP address is not found explicitly in the policy.”
Another issue that stood out was financial companies that were using neither technology: “Most financial institutions and credit card companies were set up to use SPF, however we still found some very well known banks using neither. This was quite surprising as these were institutions that had been targeted for Phishing attacks on several occasions.”
Why are DKIM and SPF being underutilized? Is it a lack of knowledge or information about the technologies? The Tech Herald spoke to Jon Zdziarski, Research Scientist at Secure Computing’s TrustedSource.org, who went on record to address this.
“Deploying SPF or DKIM is effortless in itself, but it requires one thing which many large companies might struggle with, and that's controlling the flow of email coming out of their company. Traveling sales people, home offices, and multiple business offices all make it difficult to keep track of what IP addresses mail is coming out of. Smart companies are deploying VPNs to keep the company on one logical network, and authenticated mail servers can also be used to allow employees at hotels and other remote locations to send mail. Setting these up, however, takes resources - quite a few if you're dealing with thousands of employees,” Zdziarski said.
“Many large industrial companies may not have considered SPF or DKIM because they don't perceive themselves as phishing targets, however spoofing and spear phishing could still be used to target one of these. Clearly, not enough people who need to be running SPF/DKIM are, as only half of the 44 sites with sign-ons on their main page are using it. With that said, most of the major banks and credit card companies seem to have taken the time to set up SPF or DKIM, but I encourage customers to check their own bank out.”
SPF and DKIM are described as new, but in reality they have been around for some time. So why is it taking so long to deploy? “As to why this is taking so long, part of the challenge that companies have to overcome is the "old school" netiquette, which has been in place forever - and that is to use the mail server on the network your machine is using. Over the past several years, this philosophy has done a full 180, but there are many infrastructures lagging behind due to the way things used to be. A company that is outsourcing email as a managed service might suffer from even more headaches if their infrastructure is outside of their immediate control,” Zdziarski explained.
As mentioned, one of the findings in the Secure Computing study was that only 65 of the 167 companies using SPF included the -all policy. What problems are there with using -all over ~all?
“As far as -all vs. ~all, the -all is the most secure, and really the only one with teeth. This recommends that any mail not specifically from an approved network or IP address be rejected. The ~all token, on the other hand, is a "soft fail", which is intended to signify that the host is in "transition"; e.g. "we're still setting up our network". It's the equivalent of saying "malfunction". This recommends the recipient accept the message, but mark it as having failed SPF checks. I was equally surprised to find that many hosts used the ?all ("neutral") token, which is even worse - it tells the recipient that it hasn't got anything to say about the validity of the IP address, which is the same as having no SPF records at all. This method will only verify known good addresses, leaving the rest to ambiguous speculation.”
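To make the three qualifiers concrete, here is an added example (not from the article, Secure Computing, or TrustedSource.org) of a simplified SPF evaluator: it handles only ip4/ip6 mechanisms and the final all term, deliberately skips DNS-based mechanisms such as include, a and mx, and uses constructed records and addresses from the documentation ranges.

```python
import ipaddress

# SPF qualifiers and the result each one requests from the receiver.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Simplified SPF check of sender_ip against a TXT record string.

    Supports ip4:/ip6: mechanisms and the terminal 'all' mechanism.
    Mechanisms that need DNS lookups (a, mx, include, exists) are
    skipped here, so this is for illustration, not production use.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published: receiver has no policy
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # strict=False accepts a host address with a prefix length
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208: no mechanism matched, default is neutral


def all_qualifier(record):
    """Report what the record's 'all' term says about unlisted senders."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return QUALIFIERS.get(term[0], "pass")
    return None  # no 'all' term at all


# Constructed records for a hypothetical domain; 192.0.2.0/24 is the
# authorised sending range, 198.51.100.7 is an unlisted host.
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"
NEUTRAL = "v=spf1 ip4:192.0.2.0/24 ?all"

if __name__ == "__main__":
    for rec in (STRICT, SOFT, NEUTRAL):
        print(rec, "->", evaluate_spf(rec, "198.51.100.7"))
```

Only the -all record yields a hard fail for the unlisted host; ~all asks the receiver to accept and flag, and ?all gives the receiver nothing to act on.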