On Jul 15, 2014, at 5:20 PM, Viktor Dukhovni
<ietf-dane(_at_)dukhovni(_dot_)org> wrote:

> On Tue, Jul 15, 2014 at 01:44:56PM -0700, Dave Crocker wrote:
>
>> Incurring the considerable expense, in people and opportunity cost, by
>> pursuing a global standards effort that proves ineffective is a
>> particularly pernicious path, especially with respect to a
>> security-related topic like phishing.
>
> Is there quantitative evidence that preventing spoofing of the
> "From" address reduces the efficacy of phishing? My guess is that
> any such effect is rather marginal, and that phishers succeed or
> fail based on the content of the pitch, rather than "metadata".
Dear Viktor,

One of the major proponents of DMARC, in a closed industry meeting, made an
impressive presentation showing their costs related to phishing. The major
component was customer attrition following each extensive phishing campaign.
DMARC started out as private agreements with large providers. It was felt
publishing these requests in DNS would provide better coverage, and it has.
This was never about reducing losses due to fraud; it was about a pragmatic
effort to protect their customer base. People want to be able to trust the
From header field, and would walk away from email-related services when they
couldn't. The PRA algorithm promoted by Sender-ID never effectively mitigated
phishing. DMARC, combined with simply sorting messages based on trusted From
header fields, offered customers a tolerable solution.

DMARC is a good solution for domains only sending transactional messages, by
combining both SPF and DKIM into a scheme that offers reliable delivery while
also ensuring rejection of invalid sources. This scheme falls apart when
applied against domains handling normal email. Even so, some domains have seen
their user accounts repeatedly compromised and were hoping to leverage DMARC's
benefit of being relied upon to reject invalid sources.

Unfortunately, such an effort must rely on feedback offered to DMARC domains;
otherwise its rejections become too disruptive to be relied on. Only the DMARC
domain is able to share this information with recipients. In some cases, this
involves third-party back-office services that offer source alignment with the
Sender header field. Even in this case, it is still the From header field the
recipient will recognize and wish to trust.

The TPA-Label scheme is able to convey informally federated domains as
determined by feedback given to the DMARC domain. TPA-Label is also able to
indicate alignment requirements for Sender and List-ID to give recipients
trustworthy sorting options.

Regards,
Douglas Otis
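The message above describes DMARC as "combining both SPF and DKIM" so that transactional senders get reliable delivery while spoofed sources are rejected, and notes that the scheme "falls apart" for domains whose users post through mailing lists. The following is an added worked example, not code from the thread or from any DMARC implementation, that models the identifier-alignment step a receiver performs: a message passes if either the SPF-authenticated MAIL FROM domain or a verified DKIM d= domain aligns with the RFC5322.From domain, in relaxed (organizational-domain) or strict (exact) mode as selected by the record's aspf/adkim tags. The domains, the DMARC record text, and the tiny public-suffix table are all constructed for illustration; a real receiver would use the full Public Suffix List and real SPF/DKIM verification results.

```python
"""DMARC identifier alignment and disposition (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the Public Suffix List: only suffixes used below.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: one label above the longest known public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower().rstrip(".")


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r'): organizational domains must match. Strict ('s'): exact match."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class DmarcRecord:
    p: str = "none"     # requested policy: none / quarantine / reject
    adkim: str = "r"    # DKIM alignment mode
    aspf: str = "r"     # SPF alignment mode


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the tag=value; form of a _dmarc TXT record (only the tags used here)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return DmarcRecord(p=tags.get("p", "none"),
                       adkim=tags.get("adkim", "r"),
                       aspf=tags.get("aspf", "r"))


@dataclass
class AuthResults:
    """Upstream verification results handed to the DMARC evaluator (constructed)."""
    from_domain: str                       # domain of the RFC5322.From header
    spf_domain: Optional[str] = None       # MAIL FROM domain that passed SPF, if any
    dkim_domains: List[str] = field(default_factory=list)  # d= of signatures that verified


def evaluate(rec: DmarcRecord, auth: AuthResults) -> Tuple[str, str]:
    """Return (result, disposition): result is 'pass'/'fail', disposition is the
    action the record requests on failure ('none' when the message passes)."""
    dkim_ok = any(aligned(auth.from_domain, d, rec.adkim) for d in auth.dkim_domains)
    spf_ok = auth.spf_domain is not None and aligned(auth.from_domain, auth.spf_domain, rec.aspf)
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", rec.p


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=reject; adkim=s; aspf=r")
    # Transactional sender: DKIM strict fails on the subdomain, SPF relaxed aligns.
    print(evaluate(rec, AuthResults("notify.bank.com", "bounce.bank.com", ["bank.com"])))
    # Forged From with no aligned authentication: rejected.
    print(evaluate(rec, AuthResults("bank.com", "phisher.net", [])))
    # Mailing list relays a legitimate post: From kept, signature broken, SPF is the list's.
    print(evaluate(rec, AuthResults("bank.com", "lists.example.org", ["lists.example.org"])))
```

The third case is the "normal email" failure the message describes: the post is genuine, but once the list has altered the body and re-sent it, neither identifier aligns with the author's From domain, so a p=reject policy discards it. That is the gap a feedback-driven scheme such as the TPA-Label proposal in the thread is meant to close, by letting the DMARC domain name which third-party domains recipients should treat as aligned.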