[dmarc-discuss] DMARC thwarted already?

Mason Schmitt mason at schmitt.ca
Thu Jun 5 11:54:22 PDT 2014


> On Jun 5, 2014, at 9:26 PM, Al Iverson via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:
> 
> And also, do recognize that DMARC is only one part of the badness
> prevention equation, it doesn't cover every single eventuality. It
> locks one door, not all doors, no? I'd be curious about that "left off
> the domain" one; if an ISP were already rejecting mail from domains
> that don't resolve, I doubt it would have been delivered.

When I was managing a mail server, 3 years ago, I saw many phishing emails where the display name was designed to fool our customers into thinking the email was from us.  The email address part of the From: was from valid domains that would often pass SPF and various other checks and would thus not be rejected by our system based on domain validity. We did however create custom heuristics to catch these emails and hold them for review, so they weren't delivered to our customers, but this was of course not a general solution to the problem.

As has been pointed out in this thread, this issue is not something DMARC was designed to solve and is really an MUA issue. However, if we look at these sorts of emails, from the user's point of view, the fact the MUA makes it appear the email is from a known aol sender, is just as bad as if the phish were done using the full aol.com domain.

I didn't have a general purpose solution to the problem 3 years ago and I still can't think of one that doesn't involve the MUAs changing their behavior. 

--
Mason
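
A sketch of the kind of display-name heuristic the message above describes, as an added example that is not part of the original post and not the poster's actual system. The protected name, the sending domain and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from email import message_from_string, policy

# Assumed values for this sketch: the name an operator uses in its own
# display names, and the domains it really sends from.
PROTECTED_NAMES = ("Example ISP",)
OWN_DOMAINS = ("example-isp.test",)


def _norm(text):
    """Fold case, width and punctuation so 'EXAMPLE-ISP' matches 'Example ISP'."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(re.findall(r"[^\W_]+", text))


def _is_own(domain):
    """True for an own domain or any subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in OWN_DOMAINS)


def review_reason(raw_message):
    """Return why a message should be held for review, or None to pass it."""
    # policy.default parses From: into Address objects and decodes
    # RFC 2047 encoded words in the display name.
    msg = message_from_string(raw_message, policy=policy.default)
    sender = msg["From"]
    if sender is None or not sender.addresses:
        return "missing or unparseable From header"
    addr = sender.addresses[0]
    if _is_own(addr.domain):
        return None  # our own domain: left to SPF/DKIM/DMARC, not this check
    name = _norm(addr.display_name)
    for protected in PROTECTED_NAMES:
        if _norm(protected) in name:
            return f"display name uses '{protected}' but address is in {addr.domain}"
    return None


# Constructed sample messages, not taken from real mail.
SPOOFED = 'From: "Example ISP Support" <notice@mailer.test>\n\nhello'
ADDR_IN_NAME = 'From: "billing@example-isp.test" <x@mailer.test>\n\nhello'
GENUINE = 'From: "Example ISP Support" <support@mail.example-isp.test>\n\nhello'
UNRELATED = 'From: "Jane Doe" <jane@mailer.test>\n\nhello'
```

The check runs independently of SPF, DKIM and DMARC results, since the messages described above passed those checks for the domain actually used in the address.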

