Authentication and phishing

Yahoo announced today that they are releasing the Yahoo! Mail Anti-Phishing Platform (YMAP) that will help protect their users from phishing. They have a similar project in place for eBay and PayPal mail, but this will extend to a broader range of companies.

[W]e’re beefing up Yahoo! Mail’s SpamGuard by adding more security measures that make it much harder for phishers to get to your mailbox. We’ve teamed up with email authentication partners—namely, Authentication Metrics, eCert, Return Path, and Truedomain—to gain significant coverage to protect the prime targets of phishing attacks.

Phishing is a huge problem. I have an unprotected mailbox and get tens of dozens of phishing emails a day. But until there was a way to validate the sender of an email, rather than just the source IP, there wasn’t a good way to say that a particular email didn’t count.
SPF was one of the first attempts to solve this problem, but it didn’t do it very well. There were a number of very common uses of email that SPF didn’t accommodate.

Despite what the SPF crowd desperately wants to belive, there’s no simple way to tell what mail can legitimately be sent from what IPs. In some cases you can get pretty close, e.g., ESP spam cannon stuff, but even there plenty of people forward other accounts to gmail, which SPF doesn’t handle. — John Levine

Then there came Domain Keys and Identified Mail. Those two specs were close enough to one another that they merged into a single spec, DKIM. For the last few years significant numbers of people have been working to get DKIM stabilized and deployed.  That adoption and deployment lets companies build out products like YAMP and protect users from phishing.

Related Posts

Holomaxx dismisses part of lawsuit

Ken announced yesterday that Holomaxx dropped their suits against Ironport and ReturnPath. Suits against Yahoo and Hotmail are still active.
In the Yahoo case, there is a case management meeting on January 14th.
In the Microsoft case, a response the complaint is due by December 17th.
I’m not quite sure what happened to prompt this change, but I think it makes it even more unlikely that the case will be successful. The courts have repeatedly ruled in favor of ISPs in these kinds of cases.
EDIT: I’d link to Ken’s article, but I appear to have closed that tab and I can’t find it on his website. I’ll add it as soon as I do.
EDIT: Ken’s announcement

Read More

Phishing protection

Last week Return Path announced a new service: Domain Assurance. This service allows companies who send only authenticated email to protect their brand from phishing attacks. Participating ISPs will reject unauthenticated email from domains participating in this program.

Read More

Changes at Yahoo

Deliverability.com has a blog post from Naeem Kayani at Adknowledge about the recent Yahoo changes. They point to the reputation of the From: address as a factor. I’m not sure anyone knows what exactly Yahoo is doing, but the suggestions from Naeem are good ones.

Read More