spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-03 14:47:51
On Thu, 3 Jun 2004, Dustin D. Trammell wrote:

On Thu, 2004-06-03 at 15:54, Ryan Malayter wrote:
Unless I'm missing something, a message with these properties:

   ENVELOPE-SENDER: someguy(_at_)phisher(_dot_)com  (no RFROM)

   RFC-2822 From: Operations(_at_)FirstNationalBank(_dot_)com
   RFC-2822 Sender: someguy(_at_)phisher(_dot_)com

will pass under the new SPF, assuming phisher.com has valid SPF records.
The responsible sender will be evaluated as phisher.com. The message
will display in many MUAs as something like:

   From: someguy(_at_)phisher(_dot_)com on behalf of Operations(_at_)FirstNationalBank(_dot_)com

My mother could be fooled by this, thinking phisher.com was somehow
associated with her bank.

Especially if 'someguy(_at_)phisher(_dot_)com' looks legitimately associated with the emulated entity, something like:

     From: dtrammell(_at_)FNB-CustomerService(_dot_)com on behalf of Operations(_at_)FirstNationalBank(_dot_)com

Then the user should be fired with prejudice, and probably for gross misconduct.

S.

-- 
Shevek                                    http://www.anarres.org/
I am the Borg.                         http://www.gothnicity.org/
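The thread hinges on which identity the SPF draft of the time actually checked: the RFC 2822 Sender: header when present, else From:. A receiver that only knows "the responsible sender passed SPF" has no signal that the From: line the user reads belongs to a different domain. The script below is an added example, not code from the list or from any SPF implementation; it models that selection rule, compares the resulting domain with the From: domain, and renders the "on behalf of" line many MUAs would show, so a gateway or client can flag the mismatch rather than silently display it. The message text and the addresses in it are constructed samples that mirror the example quoted above.

```python
"""Added example (not from the spf-discuss thread): flag the From/Sender
domain split that an SPF pass on the Sender: header does not reveal.

Assumptions: the "responsible sender" rule is modelled as the 2004 draft
described in the thread (Sender: if present, otherwise From:); the
envelope sender is supplied separately, as a gateway would have it from
MAIL FROM.  SAMPLE_MESSAGE and SAMPLE_ENVELOPE are constructed test data.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mirroring the message described in the thread.
SAMPLE_ENVELOPE = "someguy@phisher.com"
SAMPLE_MESSAGE = """\
From: Operations@FirstNationalBank.com
Sender: someguy@phisher.com
Subject: Please confirm your account
Date: Thu, 3 Jun 2004 14:47:51 -0400

Constructed body text.
"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain of an address header value ('Name <a@b>' or 'a@b')."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def responsible_sender(msg) -> str:
    """Address the draft's SPF check would evaluate: Sender: first, else From:."""
    header = msg.get("Sender") or msg.get("From") or ""
    return parseaddr(header)[1].lower()


def mua_display(msg) -> str:
    """Approximate the 'X on behalf of Y' line a client shows when
    Sender: and From: differ; otherwise just the From: address."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    sender = parseaddr(msg.get("Sender", ""))[1]
    if sender and sender.lower() != from_addr.lower():
        return f"{sender} on behalf of {from_addr}"
    return from_addr


def analyse(raw: str, envelope_sender: str) -> dict:
    """Summarise the identities a receiver can compare.

    'responsible_domain' is what SPF would have vouched for,
    'from_domain' is what the user reads, and 'on_behalf_of' is True when
    they differ: the exact condition the thread warns about, which an SPF
    pass alone does not surface.
    """
    msg = message_from_string(raw)
    rs = responsible_sender(msg)
    from_domain = domain_of(msg.get("From", ""))
    return {
        "envelope_domain": domain_of(envelope_sender),
        "responsible_domain": domain_of(rs),
        "from_domain": from_domain,
        "on_behalf_of": domain_of(rs) != from_domain,
        "display": mua_display(msg),
    }


def check_sample() -> dict:
    """Run the analysis over the constructed sample."""
    return analyse(SAMPLE_MESSAGE, SAMPLE_ENVELOPE)


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

In practice a gateway would treat `on_behalf_of` as a reason to add a warning header or to require that the From: domain, not only the responsible-sender domain, be covered by an authentication result before the message is presented as coming from the bank.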