-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In message <6E17FD4E-C3D7-4703-8E5C-B0364D011418(_at_)ef1p(_dot_)com>, Kaspar Etter <kaspar=40ef1p(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org> writes
> Other efforts to curb phishing, such as BIMI,
You will not find any claim on the BIMI website that says that it will
curb phishing (and, in my view, with good reason).
> also require domain authentication. (BIMI also addresses homograph attacks
> with verified mark certificates.)
It has always been unclear how similar looking trademarks (indeed
identical ones, since trademarks are only unique within a single
economic sector within a single jurisdiction) will be handled by BIMI
... but while only a small number of brands, mainly from one country,
are the only users of the mechanism this is not an issue that they have
had to resolve so far.
> One of the nice things about DMARC is that it makes domain authentication
> opt-in for those who want this (even if the reason for this feature is mainly
> backward compatibility). I’m honestly surprised to see that almost no one here
> uses DMARC with a policy of reject or quarantine, but I don’t mind this because
> it’s your call.
You'd be even more surprised if you started to investigate how few
mailbox providers honoured a reject request.
> On a different note, the problem with malicious display names is much worse
> than many people are aware: Most of the mail clients which display only the
> display name do so even if the display name is itself an email address. Emails
> from `"bob(_at_)example(_dot_)com" <alice(_at_)example(_dot_)org>` are
> displayed identically to emails from `bob(_at_)example(_dot_)com`. See
> https://explained-from-first-principles.com/email/#malicious-display-names
> for more context.
I think most people who have thought about how to tackle the issue of
misleading display names are well aware of this relatively simple issue;
it's all the other complexity that has hindered attempts to tackle the
issue...
... and of course the real issue with phishing is that systems are
(still being) built with the assumption that end users will be able to
reliably identify legitimate communications and disregard the messages
from the bad guys. Since that will never be true, any system which
relies on the assumption will fail. viz: trying to help the user make
better decisions is merely a sticking plaster.
- --
Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1
iQA/AwUBYLCpYd2nQQHFxEViEQJXJACg0XN1HvJQvWSc34wXqUYiDq09vDUAoNXS
ALFERQqFgOmlZzeNUJh3cfas
=0PT6
-----END PGP SIGNATURE-----
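The display-name problem quoted in the message above (a display name that is itself an email address, shown by clients that hide the real address) can be caught on the receiving side before the message reaches a user. The following Python is an added example written for this archive page; it is not code from either correspondent or from any project they mention. It parses a From: header with the standard library, decodes RFC 2047 encoded words so an encoded address in the display name is not missed, and reports when the display name contains an address whose domain differs from the sender's actual domain. The sample headers are constructed for illustration; the address-like pattern is a deliberately loose approximation of an addr-spec, not a full RFC 5322 grammar.

```python
"""Flag From: headers whose display name masquerades as another address.

Added example (not part of the original thread). Sample inputs below are
constructed. ADDR_LIKE is a loose, assumed approximation of an addr-spec.
"""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Loose pattern: something@something.tld with no whitespace, quotes or brackets.
ADDR_LIKE = re.compile(r"[^\s<>\"@]+@[^\s<>\"@]+\.[^\s<>\"@]+")


def decode_display_name(name: str) -> str:
    """Decode RFC 2047 encoded words (=?utf-8?q?...?=) in a display name."""
    try:
        return str(make_header(decode_header(name)))
    except (UnicodeError, ValueError):
        return name


def domain_of(addr: str) -> str:
    """Lowercase domain part of an addr-spec, '' if there is none."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def assess_from_header(value: str) -> dict:
    """Parse a From: header value and return the findings a filter would log.

    Findings (in order):
      - 'display-name-is-address': the display name contains an email address
      - 'display-name-domain-mismatch': that address's domain differs from the
        domain of the real sender address
    """
    name, addr = parseaddr(value)
    name = decode_display_name(name)
    findings = []
    embedded = ADDR_LIKE.findall(name)
    if embedded:
        findings.append("display-name-is-address")
        real_domain = domain_of(addr)
        if any(domain_of(e) != real_domain for e in embedded):
            findings.append("display-name-domain-mismatch")
    return {
        "display_name": name,
        "address": addr,
        "domain": domain_of(addr),
        "findings": findings,
    }


def is_misleading(value: str) -> bool:
    """True when the display name would mislead a client that shows only it."""
    return "display-name-domain-mismatch" in assess_from_header(value)["findings"]


if __name__ == "__main__":
    # Constructed sample headers, including the pair from the quoted message.
    samples = [
        '"bob@example.com" <alice@example.org>',
        "bob@example.com",
        "Bob <bob@example.com>",
        '"bob@example.com" <noreply@example.com>',
        "=?utf-8?q?bob=40example=2Ecom?= <alice@example.org>",
    ]
    for s in samples:
        r = assess_from_header(s)
        print(f"{s!r:60} -> {r['findings'] or ['ok']}")
```

The second finding is the one worth acting on: a display name that merely repeats the real address (fourth sample) is harmless, whereas a display name naming a different domain is exactly the case the quoted message describes. A filter would normally combine this with the DMARC result for the real sender domain rather than treat the display name alone as proof of anything.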
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp