On Dec 11, 2014, at 2:51 PM, Terry Zink <[email protected]> wrote:
> [Apologies for the cross-post from the Antiphishing Working Group discussion
> alias, but there may be people on this list that are not on that list.]
>
> [[ I understand that this is currently outside the current focus of the Dmarc
> Working Group; we can shut this discussion down if the list owners feel it is
> not appropriate at the moment ]]
>
> This is something we at Microsoft have been thinking about internally, and I
> want to solicit feedback from others in the industry.
>
> How do we combat Display From (Friendly From) attacks? For example:
>
> From: Woodgrove Bank <[email protected]>
>
> DMARC specifically says it doesn’t address this. That’s fine; so, how do we
> address it? Here are some ideas off the top of my head:
>
> 1. Mail clients should show the full 5322.From: address. The idea is
> that users will see something is off. The drawback is that it relies on users
> to notice something is wrong and take action.

Also it requires them to know what "good" domains are, and bad. And deal with
homographs, and so on. (And limited screen space on mobile clients is going to
argue against that for many users and implementors.)

> 2. Keep a database of Display From’s of valuable brands, and figure out
> that “Woodgrove Bank” is a valuable brand on the list. Determine who all of
> Woodgrove Bank’s associated 5322.From addresses and authenticated users are
> and compare to the received 5322.From. If the actual 5322.From doesn’t match
> a known 5322.From, take action (DMARC policy? SPF policy?). I call this
> DMARC++.

Does that suggest that brand management people should be able to ban other
people's names? Unlike domain names, that's not a single name space, nor is
there any universal legal definition of ownership; the operational issues there
seem as much of a problem as the moral ones. (The Atkins diet people have sued
people for using their surname, and there are several cases of a burger joint
being sued for being owned by a Hamish MacDonald...)

Especially when you then start going "Well ... 'Bank of Woodgrove' would also
sound like us. Also 'Wildgrove Bank'. Also ... 'Woodgrove Building Society'.
Also 'Wildgrove Auto Loans'. Also 'Windgrove Used Cars' ..."

> 3. Rely on traditional spam filter techniques since this is no
> different than any other spam or phish. The drawback here is we know there
> are major gaps that spammers and phishers exploit.
>
> 4. Anything else?

5. Third-party whitelists of domains, maintained by an authoritative group
controlling a business vertical (e.g. the FDIC for US financial institutions),
that are used to treat validly DKIM (and/or something more robust than DKIM)
signed mail on any of those whitelists specially, so as to do something
visually distinctive in the MUA for it. That's not quite as simple as the
browser green bar - because webmail MUAs - but would probably be as successful
with user education and awareness.

6. It's not, in itself, an attack of any sort. There's no need to do anything
about it, let alone something that'll have a negative impact on users of email
globally in order to help a small group of major brand owners. Concentrate on
actual attack vectors, especially when there are significantly more effective
things you could do to actually combat phishing (even if they don't pander to
the brand protection people to the same degree).

Cheers,
  Steve

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
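An added example, not from either message above, of the check Terry sketches as idea 2 (look the display name up in a table of brands and compare the 5322.From domain against that brand's known sending domains), written in Python with the standard-library email parser. The brand table, the `.example` domains and every sample header are constructed for this example; a real table would have to be fed from the brand owner's DMARC-aligned sending domains. The normalization step is deliberately limited so that the output also shows the gap Steve raises: "Bank of Woodgrove" is not "Woodgrove Bank" to an exact-match table, and nothing here resolves the homograph question either.

```python
"""Display-name ("friendly From") mismatch check for a single From: header.

Added example.  The brand table, domains and headers are constructed; the
parsing uses only the stdlib email package (policy=default), which also
decodes RFC 2047 encoded-words inside the display name for us.
"""
import re
import unicodedata
from email import message_from_string
from email.policy import default

# Constructed sample table (assumption): normalized brand display name ->
# domains known to send mail for that brand.  The .example TLD is reserved
# (RFC 2606), so nothing here points at a real mailbox.
KNOWN_BRANDS = {
    "woodgrove bank": {"woodgrovebank.example", "mail.woodgrovebank.example"},
}


def normalize(name: str) -> str:
    """Fold case, Unicode compatibility forms and punctuation so that
    'WOODGROVE  BANK', 'Woodgrove-Bank' and fullwidth letters compare equal.

    This does NOT catch Cyrillic/Latin homographs or near-miss names such as
    'Bank of Woodgrove'; those need a fuzzy matcher and a policy for what
    counts as "too close", which is exactly the rabbit hole discussed above.
    """
    name = unicodedata.normalize("NFKC", name).casefold()
    name = re.sub(r"[^\w\s]", " ", name)
    return " ".join(name.split())


def parse_from(header_value: str):
    """Return (display_name, addr_spec, domain) for one From: header value.

    Wrapping the value in a minimal message lets the header registry parse it
    as an AddressHeader; only the first address is considered here.
    """
    msg = message_from_string(f"From: {header_value}\n\n", policy=default)
    addresses = msg["From"].addresses
    if not addresses:
        return "", "", ""
    a = addresses[0]
    return a.display_name, a.addr_spec.lower(), a.domain.lower()


def check_from(header_value: str) -> dict:
    """Classify a From: header as 'pass' or 'suspect' with the reasons."""
    display, addr, domain = parse_from(header_value)
    findings = []
    if not domain:
        findings.append("no parseable addr-spec")
    if "@" in display:
        # A display name that itself looks like an address is a classic
        # friendly-From trick: an MUA that hides the addr-spec shows the
        # attacker-chosen "address" instead.
        findings.append("display name contains an '@' address-like string")
    known = KNOWN_BRANDS.get(normalize(display))
    if known is not None and domain not in known:
        findings.append(
            f"display name {display!r} is a listed brand but {domain} "
            "is not one of its known sending domains"
        )
    return {
        "display": display,
        "addr": addr,
        "domain": domain,
        "known_brand": known is not None,
        "verdict": "suspect" if findings else "pass",
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed headers: a legitimate one, a plain display-name spoof, an
    # RFC 2047-encoded variant, a near-miss brand name, and an address-in-name.
    samples = [
        "Woodgrove Bank <alerts@woodgrovebank.example>",
        "Woodgrove Bank <woodgrovebank@free-mail.example>",
        "=?utf-8?q?WOODGROVE_Bank?= <x@free-mail.example>",
        "Bank of Woodgrove <x@free-mail.example>",
        '"alerts@woodgrovebank.example" <x@free-mail.example>',
    ]
    for h in samples:
        r = check_from(h)
        print(f"{r['verdict']:8} {h}")
        for f in r["findings"]:
            print(f"         - {f}")
```

The fourth sample passes with `known_brand` false: an exact-match brand table cannot see "Bank of Woodgrove" as an impersonation without a fuzzy rule, and every such rule has to be written and defended name by name. The last sample is caught not by the brand table but by the shape of the display name alone, which is the cheaper check to deploy.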
