spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-04 12:20:14
On 4 Jun 2004, Daniel Quinlan wrote:

Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com> writes:

Yeah! customerservice(_at_)bigbank-phisher(_dot_)com sent me an email and 
bigbank-phisher.com says that it's actually an email from 
bigbank-phisher.com!  Never mind the fact that bigbank-phisher.com is NOT
bigbank.com.

No, the problem is that you can give SPF-correct information in the SMTP
envelope, set one or two non-displayed headers (Sender, Resent-From,
etc.) to be correct, but then set From: to be bigbank.com.  Since From:
is not checked under the SPF/Caller-ID merge and since not all MUAs
display from, then it seems to be from bigbank.

This is absolutely true and I wondered about this myself and never got a 
good answer. Microsoft seems to insist that they will write MUA software 
that will show the Sender or Resent-From header to the user to warn him that 
something may be wrong. But I think that most users will still fall for the 
same phishing trap if they see:

From: security(_at_)citibank-corporate(_dot_)us on behalf of
 "City Bank Security Department" <security(_at_)citybank(_dot_)com>

Sure, you can compare headers, or rely on improved MUAs, but most people
still think the "From:" is the person who sent it and they're going to
believe it even more after all the hoopla we're hoping to generate.

Yep. The "hoopla" better be worth it for more than just single-header 
security that is actually not even the one the user will always see. And I'm 
not saying we should stop; the kind of momentum that exists right now is a 
really rare chance to make some serious changes in the email infrastructure, 
but I think if we're going to ask email server operators to update their 
software to be able to handle a new security model, we better be doing more 
than just what SPF does right now. The notion that we can get users & mail 
administrators to do several comprehensive updates (likely over the next two 
years) may not work very well if the first one that we got so much going for
does not even partially achieve the results people are expecting from it.

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
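The gap the thread describes, as an added worked example (this is not code from the spf-discuss post or from any SPF implementation): an SPF/Caller-ID style check tests the "purported responsible" identity, taken here as Resent-From:, else Sender:, else the SMTP envelope MAIL FROM, and never the displayed From: header. The code then adds the check SPF alone does not make, namely whether the From: domain is the identity that was actually verified, and shows what a Sender:-aware MUA would render in the "on behalf of" style quoted above. The `SPF_TABLE` is a constructed stand-in for DNS TXT records, the two messages are constructed samples, and the header precedence order is an assumption made for illustration; nothing touches the network.

```python
# Added example, not from the spf-discuss thread.  Models an SPF/Caller-ID
# style check that tests the purported responsible identity (Resent-From:,
# else Sender:, else envelope MAIL FROM) and never the displayed From:,
# so a phisher who controls bigbank-phisher.com passes SPF while From:
# says bigbank.com.  DNS is replaced by a constructed in-memory table.
import email
from email.utils import parseaddr

# Constructed stand-in for SPF TXT records: domain -> IPs it authorises.
SPF_TABLE = {
    "bigbank.com": {"192.0.2.10"},
    "bigbank-phisher.com": {"203.0.113.5"},
}


def spf_check(domain, client_ip):
    """Minimal SPF result for one domain and connecting IP: pass/fail/none."""
    allowed = SPF_TABLE.get(domain.lower())
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def domain_of(addr):
    """Domain part of an RFC 2822 address string ('' if there is none)."""
    _, spec = parseaddr(addr or "")
    return spec.rpartition("@")[2].lower()


def responsible_domain(msg, envelope_from):
    """Identity the SPF/Caller-ID merge would check (assumed precedence).
    From: is not consulted, which is exactly the hole the thread is about."""
    for hdr in ("Resent-From", "Sender"):
        if msg.get(hdr):
            return domain_of(msg[hdr])
    return domain_of(envelope_from)


def evaluate(raw_message, envelope_from, client_ip):
    """Run the SPF-style check, then test whether the displayed From:
    domain matches the identity that was actually verified."""
    msg = email.message_from_string(raw_message)
    checked = responsible_domain(msg, envelope_from)
    result = spf_check(checked, client_ip)
    from_domain = domain_of(msg.get("From"))
    return {
        "spf_identity": checked,
        "spf": result,
        "from_domain": from_domain,
        # The alignment test SPF alone does not do: a pass only vouches for
        # the address the user sees if From: is the identity that was checked.
        "from_aligned": result == "pass" and from_domain == checked,
    }


def mua_display(raw_message):
    """What an MUA that surfaces Sender: would show, in the 'X on behalf of Y'
    style quoted in the thread; most MUAs show only From:."""
    msg = email.message_from_string(raw_message)
    sender, frm = msg.get("Sender"), msg.get("From", "")
    if sender and domain_of(sender) != domain_of(frm):
        return f"{parseaddr(sender)[1]} on behalf of {frm}"
    return frm


# Constructed sample: envelope and Sender: are the phisher's own domain
# (so SPF passes), but From: impersonates the bank.
PHISH = """\
From: "Big Bank Security" <security@bigbank.com>
Sender: customerservice@bigbank-phisher.com
To: victim@example.net
Subject: Please verify your account

Please log in at the link below.
"""
PHISH_ENVELOPE_FROM = "customerservice@bigbank-phisher.com"
PHISH_CLIENT_IP = "203.0.113.5"

# Constructed sample of a genuine message sent from the bank's own server.
GENUINE = """\
From: "Big Bank Security" <security@bigbank.com>
To: victim@example.net
Subject: Your statement is ready

Your statement is available online.
"""
GENUINE_ENVELOPE_FROM = "bounces@bigbank.com"
GENUINE_CLIENT_IP = "192.0.2.10"

if __name__ == "__main__":
    for name, raw, env, ip in (
        ("phish", PHISH, PHISH_ENVELOPE_FROM, PHISH_CLIENT_IP),
        ("genuine", GENUINE, GENUINE_ENVELOPE_FROM, GENUINE_CLIENT_IP),
    ):
        print(name, evaluate(raw, env, ip))
        print("  MUA shows:", mua_display(raw))
```

Running it shows the phishing sample getting an SPF "pass" for bigbank-phisher.com while the From: domain is bigbank.com and `from_aligned` is false; the genuine sample passes on both counts. The `from_aligned` field is the extra comparison a receiver would have to make on top of SPF to close the hole discussed in the thread, and `mua_display` is the only signal a user would get from a client that shows Sender:.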