Comments inline.

> -----Original Message-----
> From: [email protected] [mailto:ietf-dkim-[email protected]] On Behalf Of Michael Deutschmann
> Sent: Wednesday, March 02, 2011 3:20 AM
> To: [email protected]
> Subject: Re: [ietf-dkim] Full name problem
>
> On Tue, 1 Mar 2011, MH Michael Hammer wrote:
> > The display name is problematic as Mr. Crocker has pointed out. One
> > solution to this which I have suggested in the past is to not display
> > the display name in the MUA if the email fails to authenticate.
>
> That won't help. The attack mail will authenticate successfully -- the
> attack hurts because the identity the *computer* thinks it was expected
> to verify is not the identity the *human* thinks has been verified.

It is admittedly an imperfect solution at best for the case you describe, but it provides a linkage to the authenticated email address if the attacker is DKIM signing. What it does accomplish is to drive attackers to self-authenticate. While some phishing emails will get through initially, the signing entity should end up with a poor/negative reputation. Attackers might use "throw away" signing entities, but this might provide actionable (reputation) indicators as well. This is of course somewhat speculative, as we have yet to see (publicly disclosed, if they exist) significant reputation systems built specifically around DKIM signing.

> Both the double-From: and the Full Name attack rely on that principle,
> but the double-From: is less of a threat. Since double-From: is based on
> a protocol violation with no history of accidental use, it can be blocked
> with no false positives. (Also, there's a half a chance the MUA will
> display the From: the attacker intended only for the validator, to the
> human.)
>
> To fix this in the MUA, I'd have it strip the Full Name from *all*
> messages, then re-insert the Full Name as listed in the user's address
> book if there is any match against the real address.

This relies on the user having the entries in the address book. As many marketers would tell you, easier said than done when it comes to corporate/organizational mail. I can't speak to mail from individuals.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
