On Tue, 1 Mar 2011, MH Michael Hammer wrote:
> The display name is problematic as Mr. Crocker has pointed out. One
> solution to this which I have suggested in the past is to not display
> the display name in the MUA if the email fails to authenticate.
That won't help. The attack mail will authenticate successfully -- the attack hurts because the identity the *computer* thinks it was expected to verify is not the identity the *human* thinks has been verified.

Both the double-From: and the Full Name attack rely on that principle, but the double-From: is less of a threat. Since double-From: is based on a protocol violation with no history of accidental use, it can be blocked with no false positives. (Also, there's half a chance the MUA will display the From: the attacker intended only for the validator, to the human.)

To fix this in the MUA, I'd have it strip the Full Name from *all* messages, then re-insert the Full Name as listed in the user's address book if there is any match against the real address.

---- Michael Deutschmann <[email protected]>

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
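As an added example, not part of the original post and not code from any DKIM implementation, here is the MUA-side policy the reply proposes, written against Python's standard-library email parser: reject any message carrying more than one From: header (the double-From: case, which has no legitimate use), and otherwise discard the sender-supplied display name entirely, re-attaching a name only when the *address* matches the user's own address book. The address book, the four sample messages and the function names are constructed for the illustration and are assumptions, not material from the thread.

```python
"""Added example of an MUA From: display policy (not from the original post).

Two rules drawn from the discussion:
  1. More than one From: header violates RFC 5322 and is rejected outright
     (the "double-From:" attack; no known accidental use, so no false positives).
  2. The display name the sender chose is never shown.  The MUA shows the bare
     address and re-attaches a name only from the user's own address book,
     keyed on the real address (defeats the "Full Name" attack even when the
     message is DKIM-authenticated for the attacker's own domain).
"""
import email
from email.utils import formataddr, parseaddr
from typing import List, Optional

# Hypothetical address book: lower-cased address -> name the *user* chose.
ADDRESS_BOOK = {
    "alice@example.com": "Alice Liddell",
}

# Constructed sample messages (not real mail).
LEGIT = (b"From: Alice L <Alice@Example.com>\r\n"
         b"To: bob@example.com\r\n"
         b"Subject: lunch?\r\n\r\n"
         b"Noon?\r\n")
# Full Name attack: authenticates fine for evil.example, but the display
# name impersonates Alice.
SPOOF_NAME = (b"From: Alice Liddell <attacker@evil.example>\r\n"
              b"To: bob@example.com\r\n"
              b"Subject: urgent\r\n\r\n"
              b"Wire the money.\r\n")
# Variant: the display name itself looks like Alice's address.
SPOOF_ADDR = (b"From: \"alice@example.com\" <attacker@evil.example>\r\n"
              b"To: bob@example.com\r\n"
              b"Subject: urgent\r\n\r\n"
              b"Wire the money.\r\n")
# Double-From: attack: the validator may check one header, the MUA show the other.
DOUBLE_FROM = (b"From: attacker@evil.example\r\n"
               b"From: Alice Liddell <alice@example.com>\r\n"
               b"To: bob@example.com\r\n"
               b"Subject: urgent\r\n\r\n"
               b"Wire the money.\r\n")


def from_headers(raw: bytes) -> List[str]:
    """All From: header values, in order.  The default (compat32) parser keeps
    duplicate headers instead of collapsing them, which is what we need here."""
    msg = email.message_from_bytes(raw)
    return msg.get_all("From", [])


def is_double_from(raw: bytes) -> bool:
    """True if the message carries more than one From: header."""
    return len(from_headers(raw)) > 1


def display_from(raw: bytes, address_book=ADDRESS_BOOK) -> Optional[str]:
    """The From: line the MUA should render, or None if the message is rejected.

    The sender-supplied display name is always thrown away.  A name appears
    only if the user's address book has an entry for the real address.
    """
    headers = from_headers(raw)
    if len(headers) != 1:
        return None  # zero From: is malformed; two or more is the double-From: attack
    _sender_chosen_name, addr = parseaddr(headers[0])  # name deliberately ignored
    name = address_book.get(addr.lower(), "")
    return formataddr((name, addr))


if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoofed name", SPOOF_NAME),
                       ("address-as-name", SPOOF_ADDR), ("double From:", DOUBLE_FROM)]:
        shown = display_from(raw)
        print(f"{label:16s} -> {'REJECT' if shown is None else shown}")
```

The legitimate message is shown as `Alice Liddell <Alice@Example.com>` even though Alice wrote "Alice L", because the name now comes from the recipient's own address book; both spoofs collapse to the bare `attacker@evil.example`, and the double-From: message is rejected before any header is parsed for display.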
