This issue poses a particular problem if you have told users that spoofed email from a given domain will not even appear in their spam folder.
http://gmailblog.blogspot.com/2009/07/new-in-labs-super-trustworthy-anti.html, which is cited on dmarc.org/faq.html, says:

    Last year, we started taking extra steps to protect you from fake eBay and PayPal emails <http://gmailblog.blogspot.com/2008/07/fighting-phishing-with-ebay-and-paypal.html>, requiring that any email claiming to come from one of eBay's or PayPal's domains actually comes from them. We do that by looking at the "From" header, and when it says "ebay.com" for example, it means it really did come from ebay.com. Anything else is rejected; _it won't even appear in your spam folder because Gmail won't accept it_. [emphasis added]

I just tested, and indeed I can get my Gmail account to accept a spoofed email that is presumably from [email protected] simply by omitting RFC5322.From.

Mason, unless you've already done so or wish to do so yourself, I've already recorded my SMTP session and plan to submit it as a vulnerability report to Gmail, crediting you as the one who pointed it out, to be sure that they are tracking with the fact that this violates their stated "no spoofed messages from Paypal even in your spam folder" policy.

-Zach
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
