On 12/8/20 5:13 AM, Tim Bray via mailop wrote:
Hi,
Hi,
I'm wondering if it might be a good idea to strip all sender names from emails coming into our corporate email system. To avoid a false name being used by a scammer. So rewrite a header like `From: Bob Smith <[email protected]>` to `From: [email protected]` Because the domain part is checked by SPF and DKIM. But the name (Bob Smith) is not.
I *REALLY* dislike the idea. I think it is fundamentally flawed, in a mostly non-technical way.
The idea that there is only one "Tim Bray" or "Grant Taylor" in the world seems ... silly to me. Then there are the even more common names like "John Doe" / "Jane Doe".
So the idea that there is only one "Bob Smith" et al. is a flawed concept. As is assigning any security or authenticity to the name.
If I stripped the name, they would have seen [email protected] and hopefully noticed sooner. Thoughts or ideas?
This is one of the reasons why I hate the idea of not showing the full email address in email clients.
To me, the idea of assigning any value to "Tim Bray" / "Grant Taylor" / "Darren Smith" is as ... silly ... as stating that websites that use HTTPS as opposed to HTTP are safe to visit. Because no criminals will be named "Grant Taylor" or use HTTPS.
*IF* I were to do something like this, I would purposely alter the name to be something decidedly atypical in the headers and then rely on a company-wide address book to show the trusted name. E.g. "Darren Smith" becomes "EXTERNAL - Do NOT Trust - Darren Smith". Then known correspondents, e.g. Tim Bray, would have address book entries with display name set to "Tim Bray@". With the "@" (or some other indicator) used to make things look nicer in the email client. But even this has non-trivial drawbacks and can break a lot of things.
-- Grant. . . . unix || die
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
