
Re: [IETF] DMARC methods in mailman

2016-12-27 13:47:32
On 12/27/2016 11:02 AM, Viktor Dukhovni wrote:
> If "Sender + From" are displayed as in Outlook, then it becomes reasonable
> to authenticate Sender when present, and not apply authentication policy
> to "From", since the message is not in fact *from* the author.  It is from
> the sender, (purportedly) on behalf of the author.
>
> It is rather implausible that phishers will want to present their messages
> this way (on behalf of), most users don't receive such email, and it will
> stand out as unexpected.  And users who still believe such messages to be
> legitimately *from* the purported author and fall victim to scams will fall
> for a myriad other misdirections.



All of the above is language cast in terms of end-users. In the absence of extremely careful and constrained and informed reference, discussion of phishing needs to completely avoid references to end-users.

Really.  Just stop.  Everyone.

End-users are essentially irrelevant to the formalized detection and handling of phishing.

d/

--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
