ietf
[Top] [All Lists]

Re: dmarc damage, was gmail users read on... [bozo subtopic]

2014-09-13 15:09:27


--On Saturday, September 13, 2014 19:14 +0000 John Levine
<johnl(_at_)taugh(_dot_)com> wrote:

...
DMARC is only useful because many crooks are remarkably lazy or
stupid.  I've seen numbers showing that it blocks vast amounts
of spam with From: addresses like <security(_at_)paypal(_dot_)com> which
means that a lot of crooks just uses the exact address they're
attacking But it's not effective against stuff like this,
which they also use:

  From: <security(_at_)paypaI(_dot_)com>
  From: security at paypal.com <boris(_at_)rbn(_dot_)ru>
...

I would have added that it provides no protection against 
    From: <security@pаypаl.com>
(the oft-cited "Cyrillic 'a'" example) either.

I think we are largely in agreement, but I think there is a
reasonable hypothesis that would substitute "lazy and
economically rational" for "remarkably lazy or stupid".  No
matter how vast the number of messages that are intercepted, the
crooks have  no incentive to adopt smarter procedures until the
number and pattern of messages intercepted hurt the bottom line.
Up to that point, they have multiple incentives to ignore DMARC
and let it trap whatever it traps.  Doing so forces us to expend
resources to adjust to a technique they know how to (mostly)
defeat and thereby lowers, however slightly, the available
resources for dealing with the next attack.  It leaves us
guessing as to what new attacks will be mounted, forcing us to
either wait and then react or to waste resources on approaches
they are unlikely to try (or will avoid trying once we've spent
the resources and deployed the solutions.

As others have pointed out, spending our resources making the
bad guys smarter is rarely a good tradeoff.  DMARC does not seem
to be a good candidate for a long-term exception.

For that second one, remember that a lot of MUAs only show the
comment on the From: line, not the address.

I've often wondered how many successful phishing attacks we
could stop by issuing a "best practices" statement pointing out
the risks and difficulties associated with that
address-suppression practice.   I don't know that MUA
authors/maintainers would pay any attention to us, but, if we
hypothesize that they would not, it gets much harder to believe
that plans that require MUA changes to deal with DMARC
countermeasures would be effective.

best,
    john




<Prev in Thread] Current Thread [Next in Thread>