[dmarc-discuss] DMARC thwarted already?

Franck Martin fmartin at linkedin.com
Thu Jun 5 12:21:23 PDT 2014


On Jun 5, 2014, at 11:54 AM, Mason Schmitt via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

> 
>> On Jun 5, 2014, at 9:26 PM, Al Iverson via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:
>> 
>> And also, do recognize that DMARC is only one part of the badness
>> prevention equation, it doesn't cover every single eventuality. It
>> locks one door, not all doors, no? I'd be curious about that "left off
>> the domain" one; if an ISP were already rejecting mail from domains
>> that don't resolve, I doubt it would have been delivered.
> 
> When I was managing a mail server, 3 years ago, I saw many phishing emails where the display name was designed to fool our customers into thinking the email was from us. The email address part of the From: was from valid domains that would often pass SPF and various other checks and would thus not be rejected by our system based on domain validity. We did however create custom heuristics to catch these emails and hold them for review, so they weren't delivered to our customers, but this was of course not a general solution to the problem.
> 
> As has been pointed out in this thread, this issue is not something DMARC was designed to solve and is really an MUA issue. However, if we look at these sorts of emails, from the user's point of view, the fact the MUA makes it appear the email is from a known aol sender, is just as bad as if the phish were done using the full aol.com domain.
> 
> I didn't have a general purpose solution to the problem 3 years ago and I still can't think of one that doesn't involve the MUAs changing their behavior. 
> 

So I raised a point on dmarc at ietf.org with the problem of spam filtering based on content, vs identifiers.

Bayesian type of spam filtering looks at the content and selects meaningful words to classify the content, however it may not choose the domain in the From: therefore as long as the email looks the same as something known, then it is classified as good.

If we can tweak the classifier to indicate the domain in the From is very important, and that a type of email usually associated with a domain, when seen but from a different domain would be considered as more suspicious.
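
Added example, not part of the original message: a sketch of the idea above, in which content that closely matches mail usually seen from one From: domain is flagged when it arrives from a different domain. It uses cosine similarity over word counts as a stand-in for a Bayesian classifier; the class name, the threshold, and all sample messages and domains are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict
from email.utils import parseaddr

def from_domain(from_header):
    """Domain of the address in a From: header, ignoring the display name."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def tokens(text):
    return Counter(re.findall(r"[a-z']{3,}", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

class DomainContentModel:
    """Hypothetical model: learns which From: domain each kind of content comes from."""
    def __init__(self, threshold=0.6):  # threshold is an assumed value, tune on real mail
        self.profiles = defaultdict(Counter)
        self.threshold = threshold

    def train(self, from_header, body):
        self.profiles[from_domain(from_header)].update(tokens(body))

    def classify(self, from_header, body):
        """Return (verdict, closest_known_domain, similarity)."""
        seen, toks = from_domain(from_header), tokens(body)
        best, score = max(((d, cosine(toks, p)) for d, p in self.profiles.items()),
                          key=lambda pair: pair[1], default=(None, 0.0))
        # Exact domain comparison; a real filter would compare organizational domains.
        if score >= self.threshold and best != seen:
            return ("suspicious", best, score)
        return ("ok", best, score)

# Constructed training mail; all domains are reserved example placeholders.
model = DomainContentModel()
model.train("Example Bank <alerts@bank.example.com>",
            "Your account statement is ready. Sign in to view your account balance and recent payments.")
model.train("Example Bank <alerts@bank.example.com>",
            "We noticed a new sign in to your account. Review recent account activity and payments.")
model.train("News <list@news.example.net>",
            "This week's newsletter covers conference talks, mailing list highlights and new releases.")

# Same display name and near-identical content, but a different From: domain.
PHISH = ("Example Bank <alerts@mailer.example.org>",
         "Your account statement is ready. Sign in now to review your account balance and payments.")
LEGIT = ("Example Bank <alerts@bank.example.com>",
         "Your account statement is ready. Sign in to view recent payments on your account.")

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(sample[0], "->", model.classify(*sample))
```

The display name plays no part in the decision; only the address domain and the body text do, which is the weighting the message asks for.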

