[dmarc-discuss] DMARC thwarted already?

Douglas Otis doug.mtview at gmail.com
Thu Jun 5 14:32:06 PDT 2014


On Jun 5, 2014, at 1:49 PM, Les Barstow via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

> I agree - DMARC does not protect against the From description. But if the MUA were to display the full From header rather than the description only, we might be getting somewhere.
> 
> The rest of your response backs up my point; the will to get this done "right" in a broader sense does not exist and we're left with ineffective band-aids and holes large enough to drive a truck full of phish through.

Dear Les,

The general concept of DMARC was to dramatically reduce attack surfaces seen by their recipients.  DMARC is about retaining email as a means to offer notifications.  For many, SMS might cost $0.2 a piece.  Social networking is no panacea either.  Many expose users to unidentified sources of malicious content hidden in obfuscated javascript and unseen iFrames for example.  Ad distribution remains a truly lawless arena where crimes might be funded by fraudulent clicks.

Rather than waiting to lock down every option, banning use of obfuscated javascript, ensuring every identifier resolves, more can be accomplished by simply establishing a chain of trust between various sources.  Sources are then retained only as long as they remain aggressive at excluding _any_ source of abuse.  TPA-Label could be used with ad content, social messaging, mail-lists, small office financial invoicing, even allowing exceptions for DMARC alignment.

Regards,
Douglas Otis  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20140605/10804562/attachment.html>


More information about the dmarc-discuss mailing list