[Apologies for the cross-post from the Antiphishing Working Group discussion alias, but there may be people on this list that are not on that list.]

[[ I understand that this is currently outside the current focus of the Dmarc Working Group; we can shut this discussion down if the list owners feel it is not appropriate at the moment ]]

This is something we at Microsoft have been thinking about internally, and I want to solicit feedback from others in the industry.

How do we combat Display From (Friendly From) attacks? For example:

    From: Woodgrove Bank <[email protected]>

DMARC specifically says it doesn't address this. That's fine; so, how do we address it? Here are some ideas off the top of my head:

1. Mail clients should show the full 5322.From: address. The idea is that users will see something is off. The drawback is that it relies on users to notice something is wrong and take action.

2. Keep a database of Display From's of valuable brands, and figure out that "Woodgrove Bank" is a valuable brand on the list. Determine who all of Woodgrove Bank's associated 5322.From addresses and authenticated users are and compare to the received 5322.From. If the actual 5322.From doesn't match a known 5322.From, take action (DMARC policy? SPF policy?). I call this DMARC++.

3. Rely on traditional spam filter techniques since this is no different than any other spam or phish. The drawback here is we know there are major gaps that spammers and phishers exploit.

4. Anything else?

Thanks.

-- Terry
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
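Idea 2 in the message above, sketched as an added example that is not part of the original post: a receiver-side check that maps a normalized display name to a brand and compares the 5322.From domain against that brand's known sending domains. The registry contents, the `.example` domains, the function names and the three verdict strings are assumptions made for illustration.

```python
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed brand registry (assumption): normalized display name -> domains
# the brand is known to send from. Idea 2's "database of valuable brands"
# would supply this data in a real deployment.
BRAND_DOMAINS = {
    "woodgrove bank": {"woodgrovebank.example", "mail.woodgrovebank.example"},
}


def normalize_display(name: str) -> str:
    """Fold case, Unicode compatibility forms, punctuation and spacing so
    trivial variations of a brand name still hit the registry."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    kept = "".join(c if c.isalnum() else " " for c in folded)
    return " ".join(kept.split())


def check_friendly_from(from_header: str) -> str:
    """Classify one 5322.From header value.

    Returns 'no-brand' (display name is not a listed brand), 'match'
    (listed brand, known domain) or 'mismatch' (listed brand, unknown domain).
    """
    display, addr = parseaddr(from_header)
    # Display names may arrive as RFC 2047 encoded-words; decode before matching.
    display = str(make_header(decode_header(display)))
    allowed = BRAND_DOMAINS.get(normalize_display(display))
    if allowed is None:
        return "no-brand"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return "match" if domain in allowed else "mismatch"


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    samples = [
        "Woodgrove Bank <alerts@woodgrovebank.example>",
        '"WOODGROVE  Bank" <support@unrelated.example>',
        "=?utf-8?q?Woodgrove_Bank?= <info@unrelated.example>",
        "Terry <terry@contoso.example>",
    ]
    for header in samples:
        print(f"{check_friendly_from(header):9} {header}")
```

A 'mismatch' verdict is only a signal for whatever action the receiver chooses; the check is meaningful only when the 5322.From domain has itself been authenticated.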
