Re: Google threatens to break Gmail

2015-10-24 14:50:06
On 25/10/2015 02:33, Rich Kulawiec wrote:
On Fri, Oct 23, 2015 at 08:36:31PM +0200, Martin Rex wrote:
I do not see any increased potential for phishing
Rather the opposite -- DMARC could be abused to give users a false
sense of security and fall to the flawed assumption that it would
authenticate the EMail author (which it doesn't).

Just for fun, I looked at a small sample of spam: the most recent 24
messages that gmail itself tagged as junk.

No false positives.
4 tagged as DMARC pass.
5 tagged as DMARC fail (gmail does not currently obey p=discard)
15 with no DMARC status.

Which suggests that DMARC status is pretty much orthogonal to spam detection,
on this small sample.

   Brian


Precisely.  My spamtraps observe messages all day, every day that pass
whatever validation happens to be in play -- but are clearly forgeries.
And it's a VERY rare end user who is capable of making that same
determination.  Thus the warm fuzzies provided by mail clients that mark
messages as "validated" or "authenticated" or whatever term is used are
going to make these problems worse, not better.

Until the underlying security issues are fixed -- and I see absolutely
no signs that any of the 500-pound gorillas even *intend* to address
those at scale, let alone are actively engaged in doing so -- this (DMARC
and related) just wallpapers over the problem.

---rsk
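Brian's tally above, reproduced as a small added script that is not from the thread: it reads each message's Authentication-Results header, classifies the DMARC result (pass, fail, or no status), and records the header.from domain that the pass actually applies to, since a DMARC pass only says the From: domain aligned, not that the author is who the display name suggests. The messages are constructed samples.

```python
import re
from collections import Counter
from email import message_from_string, policy

# Constructed sample messages (not from the thread): what a junk folder might hold.
SAMPLES = [
    # dmarc=pass: From: domain aligned with a valid DKIM signature
    "Authentication-Results: mx.google.com;\n"
    "       dkim=pass header.i=@example.net header.s=s1;\n"
    "       spf=pass smtp.mailfrom=bounce@example.net;\n"
    "       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.net\n"
    "From: Billing <billing@example.net>\nSubject: Invoice\n\nbody\n",
    # dmarc=fail: From: domain publishes a policy, but neither SPF nor DKIM aligned
    "Authentication-Results: mx.google.com;\n"
    "       spf=softfail smtp.mailfrom=x@other.example;\n"
    "       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=bank.example\n"
    "From: Bank <alerts@bank.example>\nSubject: Verify\n\nbody\n",
    # no DMARC status at all: the sender domain publishes no DMARC record
    "Authentication-Results: mx.google.com;\n"
    "       spf=pass smtp.mailfrom=news@nodmarc.example\n"
    "From: News <news@nodmarc.example>\nSubject: Hello\n\nbody\n",
]

# dmarc=<result>, optionally followed by the header.from= domain it was evaluated for
DMARC_RE = re.compile(
    r"\bdmarc=(pass|fail|none|temperror|permerror)\b(?:.*?header\.from=([\w.-]+))?",
    re.S,
)


def dmarc_status(raw):
    """Return (result, from_domain) from the first Authentication-Results header
    that carries a dmarc= clause; ('none', None) when the message has no DMARC status."""
    msg = message_from_string(raw, policy=policy.default)
    for value in msg.get_all("Authentication-Results", []):
        m = DMARC_RE.search(str(value))
        if m:
            return m.group(1), m.group(2)
    return "none", None


def tally(messages):
    """Count messages by DMARC result, the way the junk-folder sample was counted."""
    return Counter(dmarc_status(raw)[0] for raw in messages)
```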
