An increasing number of spammers are using fake Facebook email addresses to bypass spam filters and clog up recipients’ mailboxes. The spammers’ trick works because many mail systems don’t verify the sender’s email address.
The Hypervisor estimates that in recent weeks around half the spam hitting our mailboxes claimed to be from Facebook. Of course, the spam messages were not sent by Facebook and the sender had no connection with the social networking site. However, email systems were not originally designed to verify the sender's email address.
The good news is that email providers can use the DomainKeys Identified Mail (DKIM) standard to verify which organization actually sent a particular email. For example, in 2008 Google announced it would use DKIM to filter phishing mail that claimed to be from PayPal and eBay.
Brad Taylor, Google software engineer, said, “[DKIM] is a key tool we use to keep spam out of Gmail inboxes. But [DKIM] can only be effective when high volume senders consistently use [it] to sign their mail.”
So Google and other mail providers can only use DKIM to filter spam from domains that consistently use DKIM when sending mail.
Google does not currently apply the DKIM check to mail that claims to be from Facebook, but Facebook appears to sign all its outgoing mail with DKIM, so mail providers could apply DKIM checks to Facebook mail if enough customers requested it.
In our lab tests we configured our spam filter to reject mail from Facebook if it failed the DKIM check. The result was that only genuine Facebook messages were delivered to our inbox. If only all mail systems were made that way.
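The filter rule described above can be expressed in a few dozen lines. The following is an added example, not the article's own configuration or any of Facebook's or Google's code. It assumes single-part text messages, that the mail server's DKIM verifier has already checked the `b=` signature against the selector's public key in DNS and hands us its verdict, and that the protected-domain list and the sample messages are constructed for illustration (the `b=` value in them is a placeholder, not a real signature). What the block does verify itself is everything a filter can check without a key: that the message claims a protected domain, that the signing domain `d=` matches the From domain, that `From` is among the signed headers, and that the `bh=` body hash matches the body under RFC 6376 simple or relaxed canonicalization, which catches a genuine signature replayed onto a modified body.

```python
"""Added example: a DKIM-aware 'reject if it claims to be Facebook but fails
DKIM' filter policy. Not code from the original article."""
import base64
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Mail claiming these From domains is refused unless DKIM-signed by that same
# domain. Constructed for the example; use the domains the real sender signs with.
PROTECTED_DOMAINS = {"facebook.com"}


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value (RFC 6376 tag=value list) into a dict.
    Folding whitespace inside values (common in b= and bh=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization.
    simple:  CRLF line endings, trailing empty lines dropped, one CRLF at end
             (an empty body becomes a single CRLF).
    relaxed: additionally collapses runs of spaces/tabs to one space and strips
             trailing whitespace on each line (an empty body stays empty)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "" if mode == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="simple"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()


def from_domain(msg):
    """Domain part of the From header's address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def filter_decision(raw_message, signature_verdict):
    """Return 'accept' or 'reject' for a raw RFC 5322 message.

    signature_verdict ('pass' or 'fail') is the upstream verifier's result for
    the b= tag; the cryptographic check itself is assumed to happen there."""
    msg = message_from_string(raw_message)
    sender_domain = from_domain(msg)
    if sender_domain not in PROTECTED_DOMAINS:
        return "accept"  # Policy applies only to mail claiming these senders.

    sig_header = msg.get("DKIM-Signature")
    if sig_header is None:
        return "reject"  # Claims to be a protected sender but is unsigned.
    tags = parse_dkim_tags(sig_header)

    # The signing domain must be the claimed From domain, not a third party.
    if tags.get("d", "").lower() != sender_domain:
        return "reject"
    # RFC 6376 requires From to be covered by the signature.
    if "from" not in tags.get("h", "").lower().split(":"):
        return "reject"
    # bh= is checked locally: a valid signature over a different body means the
    # body was altered or the signature was replayed.
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) > 1 else "simple"
    if tags.get("bh") != body_hash(msg.get_payload(), body_mode):
        return "reject"
    if signature_verdict != "pass":
        return "reject"
    return "accept"


def build_message(from_addr, signing_domain, body, canon="simple/simple"):
    """Constructed sample: a single-part message with a DKIM-Signature whose
    bh= matches the body. b= is a placeholder, not a real signature."""
    parts = canon.split("/")
    bh = body_hash(body, parts[1] if len(parts) > 1 else "simple")
    return (
        f"DKIM-Signature: v=1; a=rsa-sha256; c={canon}; d={signing_domain};\r\n"
        f"\ts=example; h=from:to:subject; bh={bh};\r\n"
        "\tb=PLACEHOLDER\r\n"
        f"From: {from_addr}\r\n"
        "To: user@example.org\r\n"
        "Subject: You have a new notification\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    genuine = build_message("Facebook <notification@facebook.com>", "facebook.com",
                            "You have a new friend request.\r\n")
    spoofed = build_message("Facebook <notification@facebook.com>", "spammer.example",
                            "Special offer inside.\r\n")
    print("genuine, signature pass:", filter_decision(genuine, "pass"))
    print("spoofed, signed by spammer.example:", filter_decision(spoofed, "pass"))
```

Note the order of checks: alignment of `d=` with the From domain comes first because a spammer can put a perfectly valid signature for their own domain on a message whose From says facebook.com; DKIM alone proves who signed, and the alignment rule is what turns that into "only genuine Facebook messages get through".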