This has led people to suggest that we need to do something about validating
personal
name information in From: header fields. This, along with all the various
schemes that
are being proposed to work around the myriad issues with third party message
handling,
increasingly looks to me like a tottering edifice built of hack piled on hack
piled on hack.
Of course people will suggest that we validate the personal name information.
Because at the end of the day, spoofing is trying to make me believe that the
message comes from "my friend Viktor" when in fact it does not. We may have
perfect SPF, DKIM, DMARC and what have you, and still get spoofed messages
"From: Viktor Dukhovni <viktor(_at_)dukhovni(_dot_)throwawaydomain(_dot_)biz>."
At that point, either people pay attention to domain names or they don't. If
they do, presenting "from" and "sender" like Outlook does works fine. If they
don't, as in the "punt security policy to Grandma" argument, then we need the
system to validate information passed to the user. Maybe do some automated
check against the address book, or maybe rely on PGP or S-MIME. But we
definitely need to ask the question as "what's the best way to stop phishing
attempts," not just "how to ensure that SMTP works as specified."
-- Christian Huitema