Phishing must be a very lucrative hobby. There seems to be plenty of hasty readers who immediately buy into it and happily respond, entering their password without hesitation when prompted and voluntarily giving all of their login information to the guys in Lagos or Vladivostok.

A typical phishing e-mail from a ‘bank’ (usually one where you don’t even have an account) will read as follows: “Dear Value Customer, Our records recently showed that your account with UBS was likely accessed by an unauthorized third party. The security of your account is very importance to us. We have therefore temporarily stopped your account. To start full access to your account, you must recover your details and confirm your account by click this link. Once your informations has been checked and confirmed, you will receive our notification and full access to your account will be started up again. Thanks for your collaboration.”

Casting the phishing nets!
Wherever phishers loom, there should also be a phishing warden on duty. In other words, a mechanism that doesn’t even let these bad boys’ e-mails get to your inbox. One of many buzzwords is DMARC, which stands for domain-based message authentication, reporting & conformance.

Phisherman's Enemy

These acronyms sound almost like pretty secure passwords themselves… but the idea is really quite simple: SPF (sender policy framework) and DKIM (domainkeys identified mail) are e-mail authentication methods that are needed to use DMARC. They exist to ensure that e-mail providers and other e-mail recipients are able to identify the actual sender of an incoming message.
Let’s first take a look at SPF: if, for instance, an e-mail provider’s server receives an e-mail from the sender with the server IP address 213.321.50.1, SPF checks the domain to verify whether this IP address is actually authorized to send e-mails from this domain. If it passes the check, the e-mail is accepted; if it doesn’t, the e-mail lands in the spam folder.
DKIM is also an authentication tool. The e-mail includes a digital signature, which the recipient server verifies using the public key obtained from the domain name system (DNS) of the domain. If this verification fails, the recipient mail transfer agent (MTA) or the recipient application rejects the e-mail or sends it straight to the spam folder.

Authentication systems are not spam filters
DMARC or SPF and DKIM define how the e-mail recipient performs the authentication. SPF mainly describes who is allowed to send e-mails, whereas DKIM checks whether the e-mail has originated from the sender without being altered. According to the DMARC specification, the sender can also set how the recipient handles an e-mail that fails to pass the SPF and/or DKIM check.
The primary function of these authentication mechanisms is therefore not to filter spam. Rather, they limit the ability to mask sender addresses. This also allows senders to certify the authenticity of their e-mails. If this certification is missing, the recipient knows that there is a counterfeiter, spammer or phisher at work.
The net to catch spam and phishing e-mails has therefore been cast! Still, there will always be some unwelcome e-mails that fall through the cracks. Spam filters – with various checks that are constantly being improved – do the rest. Their main function is to analyze the content and filter out deals for Viagra and other junk mail.

Additional practical information about SPF
Additional practical information about DKIM
Additional practical information about DMARC

Phisherman’s Enemy

Sandro Bertschinger

He didn't find computers very interesting for quite some time. An Amiga 500 as a games machine was the high point at that time. Computers began to move into his focus with the advent of the internet and the possibility of building cool websites. In 2001, he crossed paths with an internet company by coincidence.