On Wed, Jan 30, 2013 at 10:40 AM, Chris Lewis
<clewis+ietf(_at_)mustelids(_dot_)ca> wrote:
On 13-01-30 09:27 AM, Dotzero wrote:
I think it depends on what you mean by "relatively little effect".
From my perspective - given the current statof adoption - it may not
have an effect on the overall ecosystem but it is certainly pushing
the bad guys from abusing (sending) domains that are implementing
strong email auth efforts to ones that are not.
If that were true, I wouldn't be seeing millions of paypal, linkedin,
et. al. impersonations a day. But I do.
No difference in the nature/behavior in the spamming? I can't speak
for other brands in terms of the effect of email
authentication/validation but I have seen it make a difference for our
brands/domains. I know anecdotally that other brands have said the
same. This is why I wrote that "it depends on what you mean by
relatively little effect". I think we all know that spam/phishing is
all about the social engineer. That means there will be some amount of
friction pushing bad folks away from high value targets they wish to
leverage. When I've looked in the past I've seen differentiation in
abuse comparing financials that are aggressive in fighting abuse vs
those that are less clueful.
Validation is so irrelevant that the spammers impersonate sites when
it's clearly unnecessary. They use their facebook impersonation
templates to send out pill spam for crissakes. If validation was making
a difference, the ROI would suffer. I can only guess it isn't.
The reality is that you don't have to forge the From/sender/helo et. al.
to successfully impersonate any domain. Especially with the mail
readers oh-so-carefully _not_ showing you the actual email address.
You are assuming that the place of email auth is at the MUA and let
the recipient figure it out. That IS an epic fail. And I agree with
you that showiing the display name and hiding the email address is
suboptimal.
It would be interesting to see (I don't have the data) if there is any
kind of shift from sending spam targeting accounts at mailbox
providers that validate to targeting (preferentially) accounts at
mailbox providers that don't.
Most spoofers are already bypassing validation. So why would it matter
to them whether the mailbox provider is validating or not?
So I take it you aren't a fan of email authentication at all. I think
we'll have to agree to disagree.
Mike
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg