On Tue, Dec 08, 2020 at 10:58:22AM +0000, Paul Smith via mailop wrote:
> "Typographically similar" is not "identical". Yes, many people will be
> fooled by "typographically similar", but not everyone. SPF (and DKIM) allow
> you to verify to some level of certainty that the sender is who they say
> they are if you want to try. Without them, you have no chance.
First, "similar" is more than enough to fool almost everyone. Presume that example.com is, let's say, a financial institution. If example.TLD (where TLD is any of the myriad new ones) isn't available because example.com decided to get there first, then example.com.TLD or example.comm.TLD will probably suffice. (I know, because I've run the experiments while doing penetration tests. BTW, this works a lot of the time even when the targets are people who work for example.com and should ostensibly know better. Guess what? They don't.)

Second, suppose that you can verify the sender. So what? Even if this verification is completely reliable -- and it's not -- it doesn't tell you what their intentions are. Or will be tomorrow. [1]

Third, neither SPF nor DMARC nor anything else can be relied on if the email account or email host is compromised -- and we see instances of that constantly. In other words, if financialoffi...@example.com has been compromised, then the new owner of that email account can send anything they want and it will be dutifully "verified" by anyone naive and foolish enough to believe SPF et al. provide verification. (Should I remind everyone that *every* Yahoo account was compromised and that *every* message those accounts sent was "verified"? And this is hardly an isolated case.)

SPF et al. are failed attempts to wallpaper over a massive underlying security problem that has gotten steadily worse for most of two decades. They pretend to provide "verification" in an environment with hundreds of millions of bots [2], mass compromises of individual email accounts, and a steady stream of security breaches of mail servers of all shapes and sizes. It's a pretend game. It doesn't actually address the root cause(s). And that's because fooling around with SPF et al. is much easier, much simpler, much cheaper than actually tackling the underlying problems.
---rsk

[1] Everyone should know by now that even if a network/host/mail server/email account is benign today, that in no way ensures that it will be benign tomorrow.

[2] Probably more like a billion by now, but let's gloss over that and note that anyone who controls a bot controls all email accounts used/stored by the bot's previous owner.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
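The lookalike-domain point above (example.com.TLD, example.comm.TLD) as a small detection check, added here as an example that is not part of the mailing-list post. It assumes a constructed set of protected brand domains and treats an SPF "pass" for a lookalike domain as irrelevant, since SPF only says the message came from that domain's own authorized hosts, not that the domain is the one the recipient thinks it is.

```python
from typing import Optional

# Constructed example: the brand domains a defender wants to protect.
PROTECTED = {"example.com"}


def _labels(domain: str) -> list:
    return domain.lower().strip(".").split(".")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (small local helper, no library)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, protected=PROTECTED) -> Optional[str]:
    """Return the protected domain that sender_domain imitates, or None."""
    s = _labels(sender_domain)
    for p in protected:
        pl = _labels(p)
        # Exact match or a genuine subdomain (mail.example.com): not a lookalike.
        if s[-len(pl):] == pl:
            return None
        # example.com.TLD style: protected name used as a leading prefix.
        if len(s) > len(pl) and s[: len(pl)] == pl:
            return p
        # example.comm.TLD / examp1e.com style: leading part one edit away.
        head = ".".join(s[: len(pl)])
        if len(s) >= len(pl) and _edit_distance(head, p) <= 1:
            return p
    return None


def assess(sender_domain: str, spf_result: str) -> str:
    """Verdict string for a From: domain given its SPF result."""
    target = lookalike_of(sender_domain)
    if target:
        return f"suspicious: {sender_domain} imitates {target} (spf={spf_result} is irrelevant)"
    return f"ok: {sender_domain} (spf={spf_result})"
```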