SPF checks IPs against the From: domain … which may fail for good reasons or bad, and in both ways. If the criteria are too lax, bad actors can take advantage.

DKIM can also fail, since Bad Actors love to set up their domains with valid DKIM info. DMARC puts it all together.

But ultimately, with the flagrant abuse of what we call the “Friendly From” … ripping it out entirely does have a certain appeal, especially as it’s almost impossible, on devices such as smartphones, to get at that actual information for validation in the first place.

The phone number metaphor is a better fit. I set up this phone number in my contacts as belonging to my friend, “Joe Smith”, and presupposing the number isn’t forged, they get to ring my phone, and I know who it is just by looking at the caller-ID.

Friendly From is a False Friend.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation | Spam Analysis
"Your Spam Specimen Has Been Processed."
Open a ticket for Hotmail<http://go.microsoft.com/fwlink/?LinkID=614866> ?

From: mailop <mailop-boun...@mailop.org> On Behalf Of Scott Mutter via mailop
Sent: Tuesday, December 8, 2020 9:27 AM
To: mailop@mailop.org
Subject: [EXTERNAL] Re: [mailop] scam prevention

Good idea or not, that's a debate.

But if it did happen - be ready for the chorus of... "But it used to show the person's name, why did it change? Can you change it back?"

People don't respond well to change. Even if it's for the betterment of humankind, that's not really comprehensible.

On Tue, Dec 8, 2020 at 6:13 AM Tim Bray via mailop <mailop@mailop.org> wrote:

Hi,

I'm wondering if it might be a good idea to strip all sender names from emails coming into our corporate email system. To avoid a false name being used by a scammer.

So rewrite a header like `From: Bob Smith <b...@example.org>` to `From: b...@example.org`

Because the domain part is checked by SPF and DKIM. But the name (Bob Smith) is not.

Background: Some people at work fell for a scam email where the From line was

From: =?UTF-8?Q?Darren_Smith=C2=A0?= <mablecri...@gmail.com>

That's a Darren_Smith with a non-breaking space on the end. mablecri...@gmail.com is the real scammer address. Darren Smith (not his real name) is the Managing director of their employer. And they just trusted the name, and didn't check the domain.

To the more experienced members of staff it was so blatantly a scam they just deleted it. To the junior members, they rushed to the shops for Amazon and Google vouchers thinking they were on a special mission for the big boss. £1300 lost, some maybe recovered.

If I stripped the name, they would have seen mablecri...@gmail.com and hopefully noticed sooner.

Thoughts or ideas?

--
Tim Bray
Huddersfield, GB
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
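The header rewrite proposed in this thread, sketched in Python as an added example (not code from any of the posters). It decodes the RFC 2047 display name, normalises it so a trailing non-breaking space no longer matters, drops the name from the header, and flags a protected name arriving from an outside domain. The names `PROTECTED_NAMES`, `INTERNAL_DOMAINS` and `analyse_from`, the domain `corp.example` and the sample addresses are all assumptions made for the illustration.

```python
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed policy data: names worth protecting and the domains they really use.
PROTECTED_NAMES = {"darren smith"}
INTERNAL_DOMAINS = {"corp.example"}


def normalise(name: str) -> str:
    """Fold NBSP and other compatibility characters, collapse whitespace, casefold."""
    folded = unicodedata.normalize("NFKC", name)
    return " ".join(folded.split()).casefold()


def analyse_from(raw_from: str) -> dict:
    """Split a From: value, strip the display name, flag likely impersonation."""
    raw_name, addr = parseaddr(raw_from)
    # The display name may be an RFC 2047 encoded-word, as in the scam mail.
    decoded = str(make_header(decode_header(raw_name)))
    name = normalise(decoded)
    domain = addr.rpartition("@")[2].lower()
    return {
        "display_name": name,
        "address": addr,
        # What the recipient would see once the friendly name is removed.
        "rewritten": f"From: {addr}" if addr else None,
        # Protected name on an address outside the organisation's own domains.
        "impersonation": name in PROTECTED_NAMES and domain not in INTERNAL_DOMAINS,
    }


if __name__ == "__main__":
    # Constructed samples; the first mirrors the shape of the header in the thread.
    samples = [
        "=?UTF-8?Q?Darren_Smith=C2=A0?= <scammer@freemail.example>",
        "Darren Smith <darren@corp.example>",
        "Bob Smith <bob@other.example>",
    ]
    for s in samples:
        print(analyse_from(s))
```

Flagging instead of silently rewriting lets a mail filter add a warning banner while keeping the original header for later review.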