ietf-smtp

Re: [ietf-smtp] Email explained from first principles

2021-05-28 03:28:39
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <6E17FD4E-C3D7-4703-8E5C-B0364D011418@ef1p.com>, Kaspar Etter
<kaspar=40ef1p.com@dmarc.ietf.org> writes

> Other efforts to curb phishing, such as BIMI,

You will not find any claim on the BIMI website that says that it will
curb phishing (and, in my view, with good reason)

> also require domain authentication. (BIMI also addresses homograph attacks
> with verified mark certificates.)

It has always been unclear how similar looking trademarks (indeed
identical ones, since trademarks are only unique within a single
economic sector within a single jurisdiction) will be handled by BIMI

... but while only a small number of brands, mainly from one country,
are the only users of the mechanism this is not an issue that they have
to resolve so far

> One of the nice things about DMARC is that it makes domain authentication
> opt-in for those who want this (even if the reason for this feature is
> mainly backward compatibility). I'm honestly surprised to see that almost
> no one here uses DMARC with a policy of reject or quarantine, but I don't
> mind this because it's your call.

you'd be even more surprised if you started to investigate how few
mailbox providers honoured a reject request

> On a different note, the problem with malicious display names is much
> worse than many people are aware: Most of the mail clients which display
> only the display name do so even if the display name is itself an email
> address. Emails from `"bob@example.com" <alice@example.org>` are displayed
> identically to emails from `bob@example.com`. See
> https://explained-from-first-principles.com/email/#malicious-display-names
> for more context.

I think most people who have thought about how to tackle the issue of
misleading display names are well aware of this relatively simple issue,
it's all the other complexity that has hindered attempts to tackle the
issue...

... and of course the real issue with phishing is that systems are
(still being) built with the assumption that end users will be able to
reliably identify legitimate communications and disregard the messages
from the bad guys. Since that will never be true, any system which
relies on the assumption will fail.  viz: trying to help the user make
better decisions is merely a sticking plaster

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBYLCpYd2nQQHFxEViEQJXJACg0XN1HvJQvWSc34wXqUYiDq09vDUAoNXS
ALFERQqFgOmlZzeNUJh3cfas
=0PT6
-----END PGP SIGNATURE-----

_______________________________________________
ietf-smtp mailing list
ietf-smtp@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-smtp
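The rendering problem Kaspar describes in the quoted paragraph above, as an added example that is not part of the thread and not code from the linked ef1p page: a short Python script that reproduces what a client showing only the display name would render for a few constructed From: header values, and then flags display names that contain an address whose domain differs from the real addr-spec. Every sample header, name and domain below is made up for the illustration. Note that DMARC gives no help with this particular trick: it authenticates the domain of the addr-spec (example.org in the spoofed sample), and says nothing about the display name in front of it.

```python
"""Display-name-only rendering of From: headers (added example, not from the thread).

Shows why  "bob@example.com" <alice@example.org>  and a bare  bob@example.com
look identical in a client that hides the addr-spec, plus a check that flags it.
All sample headers below are constructed test data; the domains are assumptions.
"""
import re
from email.utils import parseaddr

# Loose "looks like an addr-spec" test. Deliberately not a full RFC 5322
# validator: the goal is only to notice address-like text inside a display name.
ADDR_LIKE = re.compile(r'^[^\s<>"()]+@[^\s<>"()]+\.[^\s<>"()]+$')

# Constructed sample From: header values (test data, not real messages).
SAMPLES = {
    "bare":     'bob@example.com',                            # no display name at all
    "normal":   'Bob <bob@example.com>',                      # ordinary display name
    "spoofed":  '"bob@example.com" <alice@example.org>',      # display name is an address
    "embedded": '"Bob (bob@example.com)" <alice@example.org>',
    "aligned":  '"bob@example.com" <bob@example.com>',        # address, but same sender
}


def as_shown_by_client(header):
    """Text a client that shows only the display name would render.

    Such clients fall back to the addr-spec when no display name is present,
    which is exactly what makes the "bare" and "spoofed" samples look the same.
    """
    name, addr = parseaddr(header)
    return name or addr


def domain_of(addr):
    """Domain part of an addr-spec, lower-cased for comparison."""
    return addr.rpartition("@")[2].lower()


def assess(header):
    """Return (shown_text, real_addr_spec, verdict).

    verdict is one of:
      "ok"                      - no address-like text in the display name
      "address-in-display-name" - display name holds an address of the same domain
      "display-name-spoofs"     - display name holds an address of another domain
    """
    name, addr = parseaddr(header)
    shown = name or addr
    if not name or not addr:
        return shown, addr, "ok"
    # Split the display name on whitespace and brackets, keep address-like tokens.
    tokens = re.findall(r'[^\s<>"()]+', name)
    embedded = [t for t in tokens if ADDR_LIKE.match(t)]
    if not embedded:
        return shown, addr, "ok"
    if all(domain_of(e) == domain_of(addr) for e in embedded):
        return shown, addr, "address-in-display-name"
    return shown, addr, "display-name-spoofs"


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        shown, addr, verdict = assess(header)
        print(f"{label:9} shown as {shown!r:28} real sender {addr:20} {verdict}")
```

Running the script prints the "bare" and "spoofed" rows with the same rendered text but different real senders; a client that only shows `shown` gives the user nothing to tell them apart, which is the point of the quoted paragraph. The `assess` check is the kind of thing a mailbox provider or MUA could apply before deciding what to render, but, as the reply that follows argues, it is still a sticking plaster on the assumption that users can reliably judge senders.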
