Internet industry plans common standard to fight phishing email

The world's leading internet companies have formed an industry-wide group to fight back against phishing attacks.

Email providers such as Google, Microsoft and Yahoo, along with internet security and financial organisations, such as Paypal, want to develop a better way to authenticate who has sent an email.

They believe that by developing a common technical standard, Domain-based Message Authentication, Reporting & Conformance (DMARC), it will be easier to stop phishing emails getting through to people's inboxes.

Rob Skinner of Paypal said: "The key point is trying to block emails from getting to someone's inbox - taking the worry and concern out of people's minds and doing it for them."

Phishing attacks try to fool people into handing over personal information such as bank and credit card account details and passwords. They have become increasingly sophisticated and it can be extremely hard for people to tell a phishing email from a legitimate one.

At the moment, the Anti-Phishing Working Group, an international consortium of businesses set up in 2003, has estimated that each month there are between 20,000 and 25,000 unique phishing attacks.

The problem for email providers is that the companies that do authenticate their emails, such as banks, use different technologies to do this.

Unless these companies contact every email provider, saying what authentication method they are using, genuine emails end up being blocked and phishing emails get through.

The common standard proposed by DMARC would use two existing authentication technologies, which would make it easier for email providers such as Google to check an email against these. If the email doesn't pass these authentication technologies the email can be blocked.

"Users can't tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users.

"Senders remain largely unaware of problems with their authentication practices because there's no scalable way for them to indicate they want feedback and where it should be sent.

"Those attempting new SPF and DKIM [email authentication methods] deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.

"DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse," the group said.

The DMARC group will now sent a draft proposal to the Internet Engineering Task Force, which develops internet standards. Companies can comment, make suggestions or put in alternative proposals