ietf-dkim

Re: [ietf-dkim] draft-fenton-dkim-threats-01.txt

2005-11-01 12:17:25
In <0AEB18845270404F88B2503180D4586908FD4753(_at_)DEN-EXM-01(_dot_)corp(_dot_)ebay(_dot_)com>
"Edberg, Jeremy" <jedberg(_at_)ebay(_dot_)com> writes:

Another related attack that I did not see mentioned in the threat
analysis is what we call the "pretty from" attack.  Most popular email
clients display the arbitrary text in the From header as the display
name, if there is one.  For example, if the from header were 'From
"aw-confirm(_at_)ebay(_dot_)com" <badguy(_at_)badguy(_dot_)com>', the
client would show "aw-confirm(_at_)ebay(_dot_)com" as the from address.

A variation on this is:

   From: "aw-confirm(_at_)ebay(_dot_)com" <badguy(_at_)badguy(_dot_)com>', " On Behalf of " <aw-confirm(_at_)ebay(_dot_)com>

DKIM (like SenderID) only validates the first email address on the
From: line.  The rest of the From: line can be used to help confuse
the situation.  Of course, the bad actor won't pick such an obvious
name as "badguy(_at_)badguy(_dot_)com". 

Stopping phishing is a hard problem.  I know of no email
authentication system that I think can really do a very good job of
even slowing it down.  This is really something that MUAs will have to
deal with, and any of the email authentication systems can be used to
help out MUAs in this area.


-wayne
_______________________________________________
ietf-dkim mailing list
http://dkim.org
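
Added example, not part of the original message or of any DKIM implementation: a sketch of a check an MUA or mail filter could run on a From: header to flag the two patterns discussed above (a display name that shows an address from a different domain than the real mailbox, and a From: line carrying more than one mailbox). The function name `audit_from`, the finding strings and the `PLAIN` sample are assumptions made for illustration; the other two sample headers are the ones from the message with the archive's address obfuscation undone.

```python
import re
from email.utils import getaddresses

# Heuristic: anything inside a display name that looks like user@domain.
ADDR_IN_NAME = re.compile(r"[\w.%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def audit_from(from_value):
    """Return findings for one From: header value (empty list = nothing flagged)."""
    findings = []
    # getaddresses() splits the header into (display name, addr-spec) pairs.
    mailboxes = [(name, addr) for name, addr in getaddresses([from_value]) if addr]
    if not mailboxes:
        return ["unparseable"]
    if len(mailboxes) > 1:
        # Extra mailboxes after the first are free text as far as a
        # first-address-only check is concerned.
        findings.append("multiple-mailboxes:%d" % len(mailboxes))
    for name, addr in mailboxes:
        real = addr.rpartition("@")[2].lower()
        for m in ADDR_IN_NAME.finditer(name):
            shown = m.group(1).lower()
            if shown != real:
                # The text the user sees names a domain the mailbox is not in.
                findings.append("display-name-shows:%s actual:%s" % (shown, real))
    return findings


# The "pretty from" header and its variation, as quoted in the message.
PRETTY = '"aw-confirm@ebay.com" <badguy@badguy.com>'
VARIATION = ('"aw-confirm@ebay.com" <badguy@badguy.com>, '
             '" On Behalf of " <aw-confirm@ebay.com>')
# Constructed sample: display name with no embedded address.
PLAIN = '"eBay" <aw-confirm@ebay.com>'

if __name__ == "__main__":
    for value in (PRETTY, VARIATION, PLAIN):
        print(value, "->", audit_from(value))
```

The domain comparison is an exact string match, so a display name showing a sibling or parent domain of the real mailbox is also flagged; a deployment would decide how to treat those.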
