> - An attacker sends 10 messages that maliciously impersonate a
>   big bank. With help from DMARC p=reject, the evaluator blocks
>   them all. The attacker follows up with 10 messages that
>   maliciously impersonate a major university. The stupid
>   evaluator says, "p=none means no problem here". The message is
>   accepted and the user is harmed because the evaluator learned
>   nothing from blocking the successful attack.

This is a useful point, and I think we should do something with it. I don't think it belongs in this document -- the DMARC protocol -- but I *do* think it's in scope for this working group and would be good to cover in a BCP that talks about how to use DMARC as *part* of an overall antispam/antiphishing/antispoofing system.

Specifically, use the results you get from blocking with DMARC -- with sensible analysis to assure yourself that this is mail that *should* be blocked -- to train the system to better detect similar junk that doesn't have DMARC to help it.

Barry

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
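
The feedback loop discussed in this thread, as an added example that is not part of the original messages or of any DMARC specification: an evaluator that remembers which sources it blocked under p=reject and applies that history when the same source fails DMARC for a p=none domain. The class, the threshold of 5 (a stand-in for the "sensible analysis" step), the addresses and the domains are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    source_ip: str    # connecting client address
    from_domain: str  # RFC5322.From domain being claimed
    dmarc_pass: bool  # outcome of the DMARC check
    policy: str       # published policy: "none", "quarantine" or "reject"

class LearningEvaluator:
    """Hypothetical evaluator that remembers who it blocked under p=reject."""

    def __init__(self, threshold=5, learn=True):
        self.threshold = threshold    # blocks required before a source is distrusted
        self.learn = learn            # False reproduces the policy-only evaluator
        self.reject_hits = Counter()  # source_ip -> count of p=reject blocks

    def evaluate(self, msg):
        if msg.dmarc_pass:
            return "accept"
        if msg.policy == "reject":
            self.reject_hits[msg.source_ip] += 1
            return "reject"
        if msg.policy == "quarantine":
            return "quarantine"
        # DMARC failed under p=none: the policy requests no action, so fall
        # back on what earlier p=reject blocks taught us about this source.
        if self.learn and self.reject_hits[msg.source_ip] >= self.threshold:
            return "quarantine"
        return "accept"

def replay_scenario(learn):
    """Replay constructed traffic; return verdict counts per claimed domain."""
    attacker, forwarder = "192.0.2.10", "198.51.100.7"  # documentation addresses
    traffic = (
        [Message(attacker, "bank.example", False, "reject")] * 10
        # A forwarder that broke authentication once stays under the threshold.
        + [Message(forwarder, "bank.example", False, "reject")]
        + [Message(forwarder, "club.example", False, "none")]
        + [Message(attacker, "university.example", False, "none")] * 10
    )
    evaluator = LearningEvaluator(learn=learn)
    verdicts = Counter()
    for msg in traffic:
        verdicts[(msg.from_domain, evaluator.evaluate(msg))] += 1
    return dict(verdicts)

if __name__ == "__main__":
    print("policy only:", replay_scenario(learn=False))
    print("with memory:", replay_scenario(learn=True))
```
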
