Authentication and phishing

Yahoo announced today that they are releasing the Yahoo! Mail Anti-Phishing Platform (YMAP) that will help protect their users from phishing. They have a similar project in place for eBay and PayPal mail, but this will extend to a broader range of companies.

[W]e’re beefing up Yahoo! Mail’s SpamGuard by adding more security measures that make it much harder for phishers to get to your mailbox. We’ve teamed up with email authentication partners—namely, Authentication Metrics, eCert, Return Path, and Truedomain—to gain significant coverage to protect the prime targets of phishing attacks.

Phishing is a huge problem. I have an unprotected mailbox and get tens of dozens of phishing emails a day. But until there was a way to validate the sender of an email, rather than just the source IP, there wasn’t a good way to say that a particular email didn’t count.

SPF was one of the first attempts to solve this problem, but it didn’t do it very well. There were a number of very common uses of email that SPF didn’t accommodate.

Despite what the SPF crowd desperately wants to believe, there’s no simple way to tell what mail can legitimately be sent from what IPs. In some cases you can get pretty close, e.g., ESP spam cannon stuff, but even there plenty of people forward other accounts to gmail, which SPF doesn’t handle. — John Levine

Then there came DomainKeys and Identified Mail. Those two specs were close enough to one another that they merged into a single spec, DKIM. For the last few years significant numbers of people have been working to get DKIM stabilized and deployed. That adoption and deployment lets companies build out products like YMAP and protect users from phishing.
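
The forwarding problem described above, as an added example that is not from the original post: a Python sketch that evaluates a constructed SPF record against the connecting IP and recomputes the DKIM relaxed body hash. It covers the `bh=` step only; checking the signature over the headers against the domain's published key is omitted, and the domain, record, IP addresses and message bodies are all constructed.

```python
import base64, hashlib, ipaddress, re

# Constructed sample data: made-up domain, documentation IP ranges.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"  # assumed TXT record for bank.example
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate ip4:/ip6:/all only (a subset of RFC 7208) against the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULTS[qualifier]
    return "neutral"

def dkim_body_hash(body):
    """bh= value: SHA-256 over the body after 'relaxed' canonicalization (RFC 6376 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored
    canon = b"".join(line + b"\r\n" for line in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def evaluate(client_ip, body, signed_bh):
    """What a receiver learns from the connecting IP (SPF) and from the content (DKIM bh=)."""
    return {"spf": spf_check(SPF_RECORD, client_ip),
            "dkim_body_ok": dkim_body_hash(body) == signed_bh}

ORIGINAL = b"Your statement is ready.\r\nLog in at the usual address.\r\n"
SIGNED_BH = dkim_body_hash(ORIGINAL)  # value the sender places in DKIM-Signature: bh=
# Same message relayed by a forwarder: new connecting IP, only whitespace differs.
FORWARDED = b"Your statement is ready.  \r\nLog in at the usual address.\r\n\r\n"
# Message from an unauthorized IP whose body no longer matches the signed hash.
ALTERED = b"Your statement is ready.\r\nLog in at the new address.\r\n"

if __name__ == "__main__":
    print("direct   ", evaluate("192.0.2.10", ORIGINAL, SIGNED_BH))
    print("forwarded", evaluate("198.51.100.7", FORWARDED, SIGNED_BH))
    print("altered  ", evaluate("203.0.113.5", ALTERED, SIGNED_BH))
```

The forwarded copy fails SPF because the forwarder's IP is not in the sender's record, while its body hash still matches; the altered copy fails both checks.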
