On Sun, Jun 7, 2020 at 11:04 PM Douglas E. Foster <[email protected]> wrote:

> Stan Kalisch asks: And you propose the average user can understand, much
> less take the time to understand, the substance?
>
> Yes. I believe users are worried about spam, and want to make
> intelligent decisions about whether or not email can be trusted.
> Unfortunately, our present software denies them access to the available
> information needed to make intelligent decisions.

A study presented some years ago now, I think back when DKIM was young (if I can find a citation, I will send it along), found that a statistically significant -- it was more like 18% -- portion of their test subjects would willingly click on links found in their spam folders if the email found there looked legitimate. That's right, they weren't just clicking links in their inboxes; they were clicking links in a partition of their inbox expressly created, and named, to store stuff the receiving system thought was probably dangerous. The theory, as I recall, was that they were worried they were missing something important.

Who were these users? As I recall, the study was run by a collaboration of banks attempting to ascertain the gullibility of their typical customers.

That seems to be data antithetical to the notion that users are universally worried about spam and want to make intelligent decisions. Moreover, these particular users were presented with information clearly marking these messages as possibly dangerous, insofar as they had to click through to their spam folders first. They did it anyway.

> Dave Crocker also observes about end-user signaling failures: It's
> not that it 'seems to be'. It isn't nearly that soft. It is that there
> have been multiple efforts over the years and none has demonstrated
> efficacy.
>
> Then let's restate that assertion in all its ugly elitism, and put it
> into an RFC:
>
> Incontrovertible research shows that humans will always act on malicious
> email, and cannot be taught to do otherwise. Organizations should deploy
> email if and only if they have automated tools which provide perfect
> protection from unwanted email. End user training is useless.
>
> I have a higher opinion about my users than that.

I wonder on what basis. Given the contortions through which we went to produce even the vague text in Appendix D of RFC 6376, we didn't know then what would work. I don't think today is any different, or we'd be doing it already.

-MSK

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
