Last year, Microsoft led other companies on a successful crusade to shut down some of the world's biggest botnets, networks of hijacked PCs that pump out spam and malware.
Now Microsoft is joining forces with Facebook, Yahoo, PayPal, Google and others to take on an even tougher foe: phishing emails, which fool recipients into thinking they come from a trustworthy source and get ordinary people to download malware and spyware.
The five tech titans and 10 other companies today (Jan. 30) will announce the DMARC specification, which is already helping to authenticate email messages on Web-based email services such as AOL, Google's Gmail, Microsoft's Hotmail, Yahoo Mail and others.
"With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more," reads an explanation on the DMARC website's homepage. "Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well known brand into an email gives it instant legitimacy with many users."
The technology behind DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance," isn't new. Gmail has been quietly using it for a couple of years already, and offers an option so that a gold-key icon will appear next to a verified email.
"The DMARC specification creates a scalable communication channel between every sender and every receiver and has the power to substantially reduce the damage of phishing — for end users that are subject to these attacks and to the senders whose brand is on the line," wrote Sam Masiello, general manager and chief security officer of the email security company ReturnPath, which is also a member of the DMARC alliance.
Other email authentication standards are also in use, which has resulted in a fragmented and unreliable security situation, according to DMARC's participants. DMARC will try to correct that by creating a common standard for all websites and online services to use. Its backers hope that if enough companies and organizations sign on, it will result in "herd immunity" that will stamp out most phishing emails.
Besides the companies named above, the members of the DMARC alliance include Bank of America, Fidelity Investments, LinkedIn, the greeting-card company American Greetings and the email security companies Agari and Cloudmark. Also participating are the industry groups the Trusted Domain project, the online financial-services organization BITS.org, the Messaging Anti-Abuse Working Group and the Online Trust Alliance.