I realize concern around this topic has been raised multiple times (Dave
Crocker, Doug Otis, Chris Haynes, etc.) but I still can't help feeling we
are underestimating the seriousness of this issue. If I missed the
posting where everybody agreed on the solution (entirely possible)
please point me to it. :)
I expect it will take years before all MUAs are updated (and widely
deployed) to display the PRA, which I do not think is an acceptable
timeframe to put a serious dent into phishing attacks.
For completeness, here is another example of the concern:
MAIL FROM:<>                                  // don't care
RCPT TO:<valid-recipient@example.com>
DATA
Subject: update your account info
Resent-From: JoePhisher@phishingScam.com      // valid domain authenticated by MARID
...
From: account-services@yourbank.com           // Spoofed domain, displayed by the MUA
To: valid-recipient@example.com               // bummer for you
...
Are we really going to RFC with this issue left open?
If nothing else, I at least want to add my vote to more thought being
put into this topic.
Regards,
Nate
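To make the mismatch concrete, here is an added example (not from the original post or the MARID drafts) that applies a simplified version of the Sender ID PRA selection order (my summary of RFC 4407 section 2) to headers modelled on the message above and flags when the authenticated PRA domain differs from the From: domain the MUA displays. The domains are the post's hypothetical ones; the Received/Return-Path interleaving rule of step 1 is omitted.

```python
import email
from email.utils import parseaddr

# Constructed sample modelled on the post's example (hypothetical domains).
PHISH_MESSAGE = """\
Subject: update your account info
Resent-From: JoePhisher@phishingScam.com
From: account-services@yourbank.com
To: valid-recipient@example.com

Please update your account information.
"""

# Order in which Sender ID picks the PRA (summary of RFC 4407 section 2).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def select_pra(msg):
    """Return the Purported Responsible Address, or None if none can be chosen.

    Simplified selection: the first non-empty Resent-Sender or Resent-From
    wins; for Sender and From exactly one non-empty header is required.
    """
    for name in PRA_ORDER:
        values = [v for v in msg.get_all(name, []) if v.strip()]
        if not values:
            continue
        if name in ("Sender", "From") and len(values) != 1:
            return None  # ambiguous: RFC 4407 treats this as a failure
        addr = parseaddr(values[0])[1]
        return addr.lower() or None
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else ""


def check_display_mismatch(raw):
    """Compare the PRA that gets authenticated with the From: the MUA shows."""
    msg = email.message_from_string(raw)
    pra = select_pra(msg)
    displayed = parseaddr(msg.get("From", ""))[1].lower()
    return {
        "pra": pra,
        "displayed": displayed,
        "mismatch": domain_of(pra) != domain_of(displayed),
    }


if __name__ == "__main__":
    print(check_display_mismatch(PHISH_MESSAGE))
```

A receiver that displays the PRA, or at least flags a PRA/From domain mismatch as this check does, closes the gap the post describes; an MUA that shows only From: does not.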