[dmarc-discuss] How does *this* mailing list interact with dmarc?

Michael Adkins madkins at fb.com
Wed Jun 20 11:40:41 PDT 2012



On 6/20/12 10:50 AM, "Al Iverson" <aiverson at spamresource.com> wrote:

>That potentially leaves a hole in an anti-phishing/protection
>strategy, though, doesn't it?
>If you put a DMARC policy on yahoo.com but not on yahoo-inc.com, it
>feels like the bad guys will just phish with the latter domain
>instead of the former, leaving a protection gap. I'd love to hear your
>take on why this is or isn't a concern and how people ought to handle
>this potential case.

They should make an informed decision based on their reports.

No one should be under the assumption that DMARC's goal is for every
domain to have a reject policy.  DMARC's goal is for every domain owner to
receive reports and make informed decisions.

If the best DMARC can offer a domain that has innocent alignment failures
and malicious spoofing (for now) is detailed reporting of where the
malicious activity is coming from and what the problematic mail pathways
are, that's still incredibly valuable data for other anti-abuse responses
or troubleshooting.

The problem you are describing is basically the cousin domain problem.
Whether the cousin domain belongs to the abused organization or not is
kind of irrelevant.

I've seen phishers move away from domain spoofing to both cousin domains
and display name abuse in the face of DMARC.  Of those two, cousin domains
are on the decline.  Sending from any random domain and setting the
display name field to something convincing is much easier, doesn't provide
the domain owner with reporting, and doesn't involve registering a domain
and leaving a paper trail.
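
An added example, not part of the original message: one way to turn a DMARC aggregate report into the per-source view of alignment failures and mail pathways described above. It assumes the aggregate report XML layout from RFC 7489; the sample report, domains and addresses are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (documentation domains and addresses), trimmed to the fields used here.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>14</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>lists.example.net</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.55</source_ip><count>300</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>"""

def summarize(report_xml):
    """Per source IP: aligned/unaligned message counts and SPF results seen on failures."""
    # Reports come from third parties; use a hardened XML parser in production.
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "fail_spf": set()})
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either one does.
        ok = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary[row.findtext("source_ip")]
        entry["pass" if ok else "fail"] += int(row.findtext("count"))
        if not ok:
            for spf in record.iterfind("auth_results/spf"):
                entry["fail_spf"].add((spf.findtext("domain"), spf.findtext("result")))
    return dict(summary)

def failing_sources(summary):
    """Sources with alignment failures, highest volume first."""
    rows = [(ip, s["fail"], sorted(s["fail_spf"])) for ip, s in summary.items() if s["fail"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for ip, count, spf in failing_sources(summarize(SAMPLE_REPORT)):
        print(ip, count, spf)
```

In the sample, 198.51.100.7 passes SPF for a different domain, which is consistent with an indirect pathway such as a mailing list, while 203.0.113.55 fails SPF for example.com itself.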
