Ultimately we want the MUA program to display some details about what was
checked, and maybe an indication of whether it is end-to-end verified or
just the last hop.
One way to do this might be to put "Confirmed" or a green check mark next
to the identity that we actually checked (not always next to the From:).
If we want a temporary solution that works while the MUAs are not quite
compliant, we could rewrite the display-name part of the From: to be
"From: Customer Service (unverified) support(_at_)ebay(_dot_)com" or something like that...
--Ryan Malayter <rmalayter(_at_)bai(_dot_)org> wrote:
I just thought of something...
If we're going to allow the new SPF to fall back to using RFC-2822
headers to figure out responsible sender, we have to be careful.
Unless I'm missing something, a message with these properties:
ENVELOPE-SENDER: someguy(_at_)phisher(_dot_)com (no RFROM)
RFC-2822 From: Operations(_at_)FirstNationalBank(_dot_)com
RFC-2822 Sender: someguy(_at_)phisher(_dot_)com
will pass under the new SPF, assuming phisher.com has valid SPF records.
The responsible sender will be evaluated as phisher.com. The message
will display in many MUAs as something like:
From: someguy(_at_)phisher(_dot_)com on behalf of
Operations(_at_)FirstNationalBank(_dot_)com
My mother could be fooled by this, thinking phisher.com was somehow
associated with her bank.
Is there a way to prevent this by changing the logic we use to determine
responsible sender in the new SPF? That is, without changing
widely-deployed MUA behavior? But still allowing for legitimate
send-on-behalf type messages?
Maybe we re-write the RFC-2822 From: header in some way to prevent this?
Regards,
Ryan
-------
Sender Policy Framework: http://spf.pobox.com/
The Inbox Event at the Marriott San Jose features SPF.
June 2: Email Accountability Symposium (free)
June 3: SPF Strategy BOF (free) where industry will coordinate
deployment timeline. Times: 6:30pm - 8pm, both sessions.
http://www.inboxevent.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
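The scenario Ryan describes and the stop-gap Greg suggests, as an added worked example (this is not code from the thread or from any SPF implementation). It assumes a header-fallback order of Resent-Sender, Resent-From, Sender, From (the later Sender-ID PRA order; the thread itself does not fix one), a hypothetical in-memory table in place of DNS SPF lookups, and a constructed message and IP addresses. It shows that the phisher's own domain is what gets checked and passes, that a typical MUA then renders "on behalf of", and how rewriting the From: display name flags the mismatch.

```python
"""Responsible-sender fallback, MUA rendering, and From: annotation.
Example code for the spf-discuss thread; not the list's or any SPF library's code."""
from email import message_from_string
from email.utils import parseaddr, formataddr

# Constructed sample: the message Ryan describes. RFC 2822 From: names the bank,
# Sender: names the phisher, and the envelope sender is the phisher too (no RFROM).
SAMPLE_ENVELOPE_SENDER = "someguy@phisher.com"
SAMPLE_CLIENT_IP = "198.51.100.7"            # constructed, documentation range
SAMPLE_MESSAGE = (
    "From: Operations@FirstNationalBank.com\r\n"
    "Sender: someguy@phisher.com\r\n"
    "To: mom@example.net\r\n"
    "Subject: Account notice\r\n"
    "\r\n"
    "Please review your account.\r\n"
)

# Hypothetical stand-in for DNS: the client IPs each domain's SPF record authorises.
# phisher.com publishes a valid record for its own server, exactly as Ryan assumes.
FAKE_SPF_RECORDS = {
    "phisher.com": {"198.51.100.7"},
    "firstnationalbank.com": {"192.0.2.10"},
}


def address_domain(value):
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def responsible_sender(msg, envelope_sender, rfrom=None):
    """Identity the 'new SPF' would check: an explicit RFROM if the MTA supplied
    one, else the first 2822 header present in the assumed PRA order, else the
    envelope sender."""
    if rfrom:
        return parseaddr(rfrom)[1]
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[header]:
            return parseaddr(msg[header])[1]
    return envelope_sender


def spf_passes(identity, client_ip):
    """Toy SPF check against the fake record table (real code queries DNS)."""
    return client_ip in FAKE_SPF_RECORDS.get(address_domain(identity), set())


def mua_display(msg):
    """Mimic the 'X on behalf of Y' rendering many MUAs use when Sender != From."""
    sender = parseaddr(msg["Sender"])[1] if msg["Sender"] else ""
    from_addr = parseaddr(msg["From"])[1]
    if sender and sender.lower() != from_addr.lower():
        return f"From: {sender} on behalf of {from_addr}"
    return f"From: {from_addr}"


def annotate_from(msg, verified_identity):
    """Greg's stop-gap: when the identity that actually passed is not the From:
    address, rewrite the From: display name to say so. Returns the new header."""
    name, from_addr = parseaddr(msg["From"])
    if verified_identity.lower() == from_addr.lower():
        return formataddr((name, from_addr))
    label = f"{name} (unverified)" if name else f"{from_addr} (unverified)"
    return formataddr((label, from_addr))


def evaluate(raw, envelope_sender, client_ip, rfrom=None):
    """Run the whole pipeline on one raw message and report what a receiver sees."""
    msg = message_from_string(raw)
    identity = responsible_sender(msg, envelope_sender, rfrom)
    passed = spf_passes(identity, client_ip)
    return {
        "responsible": identity,
        "spf_pass": passed,
        # The condition that makes the pass misleading: checked domain != From: domain.
        "mismatch": address_domain(identity) != address_domain(msg["From"]),
        "display": mua_display(msg),
        "rewritten_from": annotate_from(msg, identity) if passed else msg["From"],
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_MESSAGE, SAMPLE_ENVELOPE_SENDER, SAMPLE_CLIENT_IP).items():
        print(f"{key}: {value}")
```

The `mismatch` flag is the detection hook: a receiver that only records "SPF pass" loses the fact that the passing domain was not the one the user will read in From:. Annotating the display name carries that fact into MUAs that know nothing about the check, which is the point of Greg's temporary fix.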