On Thursday, December 10, 2015 11:36 AM, Chris Lewis wrote:
> On 12/10/2015 01:48 PM, Christian Huitema wrote:
> > I am not sure I understand correctly, but it seems the reference to
> > phishing is in the context of "impersonated users." Bob receives a
> > mail that appears to come from "[email protected]." Everything
> > matches, SPF, DKIM, DMARC. So Bob actually believes the mail comes from
> > Alice, and opens the attachment.
> >
> > But the mail actually comes from the evil Eve, who somehow managed to
> > acquire Alice's password, and submitted the phishing message by
> > authenticating as Alice to Alice's MSA. In that context, if Bob's UA
> > notices that the submission IP comes from Upper Nowheristan instead of
> > the usual Mirrorland, Bob's UA could pop up a warning, or block the
> > message. Is that a correct summary of the concern?
>
> If all of these were in place world wide (ha!), it would still only apply to a small
> percentage (generally <10%) of the phishing that tries to impersonate the
> email address completely. Most phishes don't impersonate email addresses,
> just the "friendly" part of the From: line if that.
Yes of course. There are many types of attacks, the "mass market" scammers use crude techniques, and they probably account for the biggest volumes. But these are not the only ones that we care about. The more sophisticated "spear phishing" attacks commonly include detailed reconnaissance of the target and their relations, precisely of the type "hacking Alice to get to Bob." I think that's what you refer to when you mention "CEO phishing."

We could argue that checking the origin IP is only one of the many possible ways to harden mail systems against phishing, and that alternatives could be just as efficient. Maybe. But first, I would like to be sure that we understand the scenarios in which the origin IP address is used to prevent phishing.

-- 
Christian Huitema

_______________________________________________
Shutup mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/shutup
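The check the quoted scenario has Bob's UA perform, shown as an added example that is not part of the thread: read the submission-hop IP from the oldest `Received` header and compare it with the networks the sender has usually submitted from. The two sample messages, the addresses, the `192.0.2.0/24` and `2001:db8:1::/48` baseline networks and the `203.0.113.45` client are all constructed for the example; both messages carry a passing `Authentication-Results` line to make the point that SPF, DKIM and DMARC say nothing about this case.

```python
"""Added example (not from the Shutup thread): flag a message whose
submission hop lies outside the sender's usual networks. Everything
below (headers, addresses, networks) is constructed for illustration."""
import email
import ipaddress
import re
from email.message import Message
from email.utils import parseaddr

# Constructed per-sender baseline: the networks from which alice's MSA
# has historically seen her submit (the "Mirrorland" of the scenario).
# A real deployment would learn this from submission history.
SENDER_BASELINE = {
    "alice@example.com": [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
}

# First IP literal in a Received header, e.g. "[192.0.2.10]" or "[IPv6:2001:db8::1]".
_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def submission_ip(msg: Message):
    """Client IP recorded by the oldest Received header, i.e. the hop where
    the message entered the mail system. Each relay prepends its own
    Received line, so the last one in header order is the submission hop."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = _IP_RE.search(received[-1])
    return ipaddress.ip_address(match.group(1)) if match else None


def check_submission_origin(raw: str):
    """Return (verdict, ip) where verdict is 'baseline', 'anomalous' or
    'unknown' (no IP found, or no baseline for this sender)."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    ip = submission_ip(msg)
    networks = SENDER_BASELINE.get(sender)
    if ip is None or networks is None:
        return ("unknown", None if ip is None else str(ip))
    verdict = "baseline" if any(ip in net for net in networks) else "anomalous"
    return (verdict, str(ip))


# Constructed sample 1: Alice submits from her usual network (ESMTPSA marks
# an authenticated submission), then the MSA relays to Bob's MX.
NORMAL_MAIL = "\n".join([
    "Received: from msa.example.com (msa.example.com [192.0.2.1])"
    " by mx.example.net with ESMTPS; Thu, 10 Dec 2015 11:36:00 -0800",
    "Received: from [192.0.2.10] (client.example.com [192.0.2.10])"
    " by msa.example.com with ESMTPSA id 1; Thu, 10 Dec 2015 11:35:50 -0800",
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass",
    "From: Alice <alice@example.com>",
    "To: Bob <bob@example.net>",
    "Subject: Q4 numbers",
    "",
    "See attached.",
])

# Constructed sample 2: same sender, same passing authentication results,
# but the authenticated submission came from an address outside the baseline.
SUSPECT_MAIL = "\n".join([
    "Received: from msa.example.com (msa.example.com [192.0.2.1])"
    " by mx.example.net with ESMTPS; Thu, 10 Dec 2015 11:40:00 -0800",
    "Received: from [203.0.113.45] (unknown [203.0.113.45])"
    " by msa.example.com with ESMTPSA id 2; Thu, 10 Dec 2015 11:39:50 -0800",
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass",
    "From: Alice <alice@example.com>",
    "To: Bob <bob@example.net>",
    "Subject: Urgent: open this",
    "",
    "Please open the attachment right away.",
])

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_MAIL), ("suspect", SUSPECT_MAIL)):
        print(label, check_submission_origin(raw))
```

Two caveats a receiver would keep in mind: the submission IP is only usable if the MSA actually records it and the receiver trusts every `Received` line below its own trust boundary, since anything a sender's side wrote can be forged; and, as Chris notes, this only bites on the minority of phishes that fully impersonate the address, not the ones that fake only the friendly name.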
