[dmarc-discuss] DMARC thwarted already?

Josh Aberant jaberant at twitter.com
Thu Jun 5 20:45:17 PDT 2014

Perhaps your example would be a successful look alike domain for using in
phishing attacks or perhaps not. The data I have from some ops processes
around helping users recover their accounts lost from phishing may indicate
that there's only a few hundred look alikes of a domain that actually work
on any given target.

It would certainly be an interesting project to aggregate data from other
domains who's users are under attack and get more accuracy rather than just
hypothesis. If it turns out that there are usually only a few hundred or
even a few thousand look-alike permutations of a target domain that work in
phishing attacks then the current DMARC spec already provides a real-way to
mitigate the look alike vector.


On Thu, Jun 5, 2014 at 8:24 PM, John Levine <johnl at taugh.com> wrote:

> >While there's many permutation of letters and symbols that can make a
> >domain only a few will be close enough to be used for the purposes of
> >fooling someone to think its another domain that they regularly  interact
> >with.  (E.g. Someone isn't going to be fooled that t43397u.com looks like
> >twitter.com.)
> No, but they'll be fooled by wellsfargo.com.banker.email (available,
> grab it while you can.)  There's also a variety of IDN tricks involving
> lookalike characters that aren't used much in the US but are popular
> elsewhere.
> R's,
> John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20140605/4187c5a7/attachment-0001.html>

More information about the dmarc-discuss mailing list