Iconix Phishing Protection

A couple of days ago I received an email from PayPal titled “New PayPal Plug-In – Shop anywhere online.” That struck me as somewhat suspicious, so I looked at the mail headers. The headers showed that the message did originate from PayPal’s servers, and more importantly it carried a DomainKeys (DKIM) signature. According to Wikipedia, “DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity” through the use of a cryptographic hash.
If I had to dive into the headers to determine the message’s validity, how would a normal user fare? Are there mail clients that would have verified DomainKeys and SPF for me automatically?
A quick Google search turned up a product called Iconix. Iconix works with Outlook, Outlook Express and a number of webmail providers (no Thunderbird support) to take the guesswork out of deciding which messages are real.
Once installed, Iconix first checks SPF/SenderID and DomainKeys to determine message authenticity. Next it checks message identification: this is a list of companies that have paid Iconix and registered with them. If both checks pass, the message’s “display From” is altered to show a logo of the sending organization’s choosing. This lets recipients tell at a glance that the message really is from whom it claims to be.
Iconix at first appeared to be a great solution. It has been reviewed in several trade publications, and I didn’t immediately find anyone disparaging it online. Iconix is installed software, though, so it raises some questions about privacy and security. Their FAQ does say that the sender’s email address is sent to Iconix.
The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, “how can ma and pa Kettle obtain a reasonable level of trust in email,” it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance than SPF and DomainKeys alone could.
While Iconix is not available for Thunderbird, there are other solutions that plug into Thunderbird for SPF and DomainKeys validation.
– update – 6/11 – fixed the text above where I referred to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.

2 Comments

  1. Hi Roger,
    Nice blog, thanks for the write up of Iconix!
    Couple of notes:
    1. We actually do support Firefox (versions 1.5, 2.0 and soon 3.0). Perhaps you were talking about lack of support for Thunderbird since you mentioned that at the end of your blog as well?
    2. We currently mark messages for over 500 companies. The current list of companies intersects a lot of consumers’ inboxes today. Look to see this list grow by the thousands soon!
    3. We chose not to display authentication results alone as that can be deceiving. Bad guys can just as easily authenticate their mail. For instance, a bad guy could register and authenticate the domain http://www.paypalsecure.com and send email as [email protected] and it will pass authentication, because it is actually from that (bad) domain. As a user, you still don’t know if it is actually from the brand PayPal. That is why it is important that we take it a step further and make sure messages are from domains on our list.
    By the way – PayPal, eBay and TrendMicro users are always asking for us to add their favorite company. Anyone can submit by going here: http://www.iconix.com/protectsites.php
    Regards,
    Audian Paxson
    Director, Product Management
    ICONIX, Inc.
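
To make the two-step check described in the post and in this comment concrete, here is an added Python example; it is not Iconix’s code and is not from the original post or comment. It assumes the receiving mail server has already recorded SPF and DKIM verdicts in an Authentication-Results header (RFC 8601), so the client-side check reads those verdicts instead of doing DNS lookups and runs offline. The brand registry, the rule that the passing domain must match the header From domain, and all four sample messages are constructed for the example.

```python
"""Client-side 'verified sender' check: authentication result + brand registry.

Added example; the registry, alignment rule and sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed stand-in for the list of companies registered with the plug-in.
# Maps a registered sending domain to the brand name whose logo would be shown.
REGISTERED_BRANDS = {
    "paypal.com": "PayPal",
    "ebay.com": "eBay",
}

# Fragments of an Authentication-Results header written by the receiving server,
# e.g. "spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com".
RESULT_RE = re.compile(r"\b(spf|dkim)=(\w+)")
SPF_DOMAIN_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)")
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)")


def parse_auth_results(msg):
    """Collect the SPF/DKIM verdicts and the domains each verdict vouches for."""
    found = {"spf": "none", "spf_domain": None, "dkim": "none", "dkim_domain": None}
    for header in msg.get_all("Authentication-Results", []):
        text = str(header)  # policy.default has already unfolded the header
        for method, result in RESULT_RE.findall(text):
            found[method] = result.lower()
        m = SPF_DOMAIN_RE.search(text)
        if m:
            found["spf_domain"] = m.group(1).lower()
        m = DKIM_DOMAIN_RE.search(text)
        if m:
            found["dkim_domain"] = m.group(1).lower()
    return found


def registered_brand(domain):
    """Return the brand name if the domain, or a parent of it, is registered."""
    for registered, brand in REGISTERED_BRANDS.items():
        if domain == registered or domain.endswith("." + registered):
            return brand
    return None


def classify(raw_message):
    """Return (verdict, brand). Only a 'registered' verdict would earn a logo."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)

    # Step 1: did SPF or DKIM pass, and for the domain the user actually sees?
    # (Requiring alignment with the header From is this example's own rule.)
    if "pass" not in (auth["spf"], auth["dkim"]):
        return "unauthenticated", None
    aligned = (auth["spf"] == "pass" and auth["spf_domain"] == from_domain) or (
        auth["dkim"] == "pass" and auth["dkim_domain"] == from_domain
    )
    if not aligned:
        return "misaligned", None

    # Step 2: a pass only proves the domain; a look-alike domain that the
    # attacker controls passes too. It must also be a registered brand.
    brand = registered_brand(from_domain)
    if brand is None:
        return "unregistered", None
    return "registered", brand


# Constructed sample messages (the first two mirror the comment's scenario).
LEGIT = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=paypal.com;\n"
    " dkim=pass (1024-bit key) header.d=paypal.com\n"
    "From: PayPal <service@paypal.com>\nSubject: New PayPal Plug-In\n\nbody\n"
)
LOOKALIKE = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=paypalsecure.com;\n"
    " dkim=pass header.d=paypalsecure.com\n"
    "From: PayPal <service@paypalsecure.com>\nSubject: Verify your account\n\nbody\n"
)
FORGED = (
    "Authentication-Results: mx.example.net;\n"
    " spf=fail smtp.mailfrom=paypal.com; dkim=none\n"
    "From: PayPal <service@paypal.com>\nSubject: Verify your account\n\nbody\n"
)
MISALIGNED = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=bulk.example; dkim=pass header.d=bulk.example\n"
    "From: PayPal <service@paypal.com>\nSubject: Verify your account\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE),
                      ("forged", FORGED), ("misaligned", MISALIGNED)]:
        print(name, classify(raw))
```

The look-alike message passes both SPF and DKIM exactly as the comment describes, and it is only the registry lookup that withholds the logo; the misaligned case shows why the passing domain has to be compared with the From address the user sees rather than accepted on its own.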

  2. Thanks for the read.
    You’re right, I meant Thunderbird, not Firefox; I did see that you have support for accessing webmail through Firefox. I’ll update that.
    I understand why you’re doing it the way you are. I’d love it if you had an “expert” mode for people who do know what SPF and DomainKeys are for. I understand that just because it’s from an authenticated sender (Google) doesn’t mean it’s not phishing. Same with your example: the spammers did widely adopt SPF first. That doesn’t mean SPF is broken.
    I like the product. I’m using it and will recommend it to others.
