> -----Original Message-----
> From: dmarc <[email protected]> On Behalf Of John Levine
> Sent: 25 June 2020 20:13
> To: [email protected]
> Subject: Re: [dmarc-ietf] What if... Sender:
>
> In article <[email protected].PROD.OUTLOOK.COM>,
> David I <[email protected]> wrote:
> >Without forcing alignment to 'From', an attacker can set their own
> >'Sender', set a 'From' they're not entitled to use that's of a trusted
> >contact, and the DMARC associated with the abused domain in the 'From'
> >has no effect and can't be used for filtering. So while you could do a similar
> >filter on Sender, it wouldn't be as useful, and would provide less security
> >benefit.
>
> It sounds like you're making the common mistake of confusing "DMARC
> aligned" with "not phish" or "not spam". What would you do with a DMARC
> aligned message with this From header?
>
> From: Security Alert <[email protected]>
>
> (The correct answer is bury it deep in the phish tank. Crooks can do DMARC
> alignment, too.)
Indeed, I would do that. I would also be grateful for the DMARC policy on paypal.com for forcing the attacker to use a cousin domain that can be easily detected as not legitimate, raising the cost to the attacker, and making the filtering easier/more accurate.

David

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]. All material is UK Crown Copyright ©

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
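The alignment question the two messages above are arguing about, worked through as an added example. This is not code from the thread, from the IETF, or from any real DMARC implementation: it is a minimal model of RFC 7489 identifier alignment (strict and relaxed, against the RFC5322.From domain) with a switch that instead evaluates against the Sender domain, so the two scenarios in the thread can be run side by side. The public-suffix set, the DMARC records for paypal.com, the hypothetical cousin domain paypal-security-alert.com and the hypothetical attacker domain crook-mail.net are all constructed stand-ins for DNS lookups, and cousin_of is a toy lookalike heuristic rather than a production-grade detector.

```python
# Added example, not code from the dmarc-ietf thread or any DMARC implementation.
# A minimal model of DMARC identifier alignment (RFC 7489, section 3.1) that
# shows (a) why alignment is checked against RFC5322.From rather than Sender,
# and (b) that an aligned message can still be a phish sent from a cousin domain.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the Public Suffix List; a real checker must load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed stand-in for _dmarc.<domain> TXT lookups (hypothetical records).
DMARC_RECORDS = {
    "paypal.com": {"p": "reject", "adkim": "s", "aspf": "s"},
    "paypal-security-alert.com": {"p": "none", "adkim": "r", "aspf": "r"},
    "crook-mail.net": {"p": "none", "adkim": "r", "aspf": "r"},
}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # first hit is the longest matching suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(auth_domain: str, ident_domain: str, mode: str) -> bool:
    """Strict ('s') alignment is an exact match; relaxed ('r') compares organizational domains."""
    a, d = auth_domain.lower(), ident_domain.lower()
    return a == d if mode == "s" else organizational_domain(a) == organizational_domain(d)


@dataclass
class Message:
    from_domain: str                 # domain of RFC5322.From
    sender_domain: str               # domain of RFC5322.Sender
    spf_domain: Optional[str]        # RFC5321.MailFrom domain if SPF passed, else None
    dkim_domains: List[str] = field(default_factory=list)  # d= of DKIM signatures that verified


def dmarc_evaluate(msg: Message, identifier: str = "from") -> Tuple[str, str]:
    """Return (disposition, reason). identifier='from' is RFC 7489 behaviour;
    identifier='sender' models the alternative raised in the thread."""
    ident = msg.from_domain if identifier == "from" else msg.sender_domain
    record = DMARC_RECORDS.get(organizational_domain(ident))
    if record is None:
        return "none", f"no DMARC record for {ident}"
    dkim_ok = any(aligned(d, ident, record["adkim"]) for d in msg.dkim_domains)
    spf_ok = msg.spf_domain is not None and aligned(msg.spf_domain, ident, record["aspf"])
    if dkim_ok or spf_ok:
        return "pass", f"authenticated identifier aligned with {ident}"
    return record["p"], f"no aligned identifier for {ident}; policy p={record['p']}"


def cousin_of(domain: str, protected: str) -> bool:
    """Toy lookalike heuristic (assumption, not a standard): the protected brand label
    appears inside a different organizational domain, e.g. paypal-security-alert.com vs paypal.com."""
    org = organizational_domain(domain)
    protected_org = organizational_domain(protected)
    brand = protected_org.split(".")[0]
    return org != protected_org and brand in org.split(".")[0]


# Scenario 1 (constructed): attacker controls crook-mail.net, authenticates as it,
# sets Sender to it and forges From as paypal.com.
SPOOF = Message("paypal.com", "crook-mail.net", "crook-mail.net", ["crook-mail.net"])
# Scenario 2 (constructed): attacker registers a cousin domain and authenticates it properly.
COUSIN = Message("paypal-security-alert.com", "paypal-security-alert.com",
                 "paypal-security-alert.com", ["paypal-security-alert.com"])

if __name__ == "__main__":
    print("spoof, From-based  :", dmarc_evaluate(SPOOF))            # paypal.com p=reject applies
    print("spoof, Sender-based:", dmarc_evaluate(SPOOF, "sender"))  # attacker's own domain passes
    print("cousin, From-based :", dmarc_evaluate(COUSIN))           # aligned, and still a phish
    print("cousin lookalike   :", cousin_of(COUSIN.from_domain, "paypal.com"))
```

Run as a script, the first scenario shows the point David makes: evaluated against From, paypal.com's p=reject policy rejects the forgery, while evaluated against Sender the attacker's own domain authenticates and paypal.com's policy is never consulted. The second scenario shows John Levine's point: the cousin domain passes DMARC cleanly, so alignment alone says nothing about whether the message is phish, and a separate lookalike check (here a deliberately crude one) is what actually catches it.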
