[dmarc-discuss] DMARC thwarted already?

Franck Martin fmartin at linkedin.com
Fri Jun 6 07:31:29 PDT 2014


On Jun 5, 2014, at 5:34 PM, Terry Zink via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

Franck,

> See the end of the email, where I argued this case… and it is hard to create
> a club and define the entry level which is open to all, provided they meet
> some requirements.

Yes, it is difficult and I think it’s one of the biggest barriers to getting a common solution for trusted senders. I don’t think that your solution of authentication-only is enough, as I explain below.

> Besides, whoever registered 1inkedin.com and uses it to misrepresent us may have
> to deal with our lawyers… and I’m not a lawyer… and that would be after
> Spamhaus and/or SURBL certainly list this domain...

Whether or not they deal with your lawyers is beside the point. If the only criteria for highlighting with a green bar is authentication, then not only can phishers do this by impersonating trusted brands, but so can run-of-the-mill spammers. In Office 365, we are dealing with a spammer who every day registers dozens of new domains and sets up SPF. It would be trivial for him to set up DKIM and DMARC. It’s true that SURBL or Spamhaus may list his domains but it doesn’t matter from his perspective because he abandons it after he has made his money with it anyhow.

Not only that, but we would then have the worst of both worlds. Users see a green bar for both trusted domains *and* spamming domains. We are training users that the green bar means… what, exactly? They’re supposed to trust the green bar but this is not possible if senders can self-validate.


Hmm... Anyone can have an SSL certificate on any domain, sometimes even on a domain they don't own... Yes, it should be authentication only. The user can read the domain name and see if it corresponds to something he/she knows.

As for your current case, there are a few techniques to alleviate this problem, one of which is to rate limit any new account till you have built a reputation.

We all suffer from mass creation of bad accounts; there are techniques to find out who registers what and limit it.
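The two positions in this exchange, that authentication alone should not earn a green bar and that a new sender should be held back until it has built a reputation, as an added Python example that is not part of the thread or of any DMARC project: it parses an Authentication-Results header (RFC 8601 syntax, parenthesised comments not handled) and gates the highlight on DMARC pass plus a domain-age/score lookup. `SAMPLE_AR`, `REPUTATION`, the authserv-id `mx.example.net`, the thresholds and the scores are all constructed for the example.

```python
import re
from datetime import date

# Constructed sample header in Authentication-Results (RFC 8601) syntax;
# the look-alike domain is the one named in the thread.
SAMPLE_AR = ("mx.example.net; spf=pass smtp.mailfrom=1inkedin.com; "
             "dkim=pass header.d=1inkedin.com; dmarc=pass header.from=1inkedin.com")

# Constructed reputation store: when the domain was first seen sending to us,
# and a 0..1 score built from prior traffic (an assumption, not a real feed).
REPUTATION = {
    "linkedin.com": {"first_seen": date(2010, 1, 1), "score": 0.97},
    "1inkedin.com": {"first_seen": date(2014, 6, 5), "score": 0.50},
}

def parse_auth_results(header):
    """Map each method (spf/dkim/dmarc) to (result, {property: value}).
    Parenthesised comments permitted by the RFC are not handled here."""
    results = {}
    for part in header.split(";")[1:]:          # element [0] is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", part)
        if m:
            method, result, rest = m.groups()
            results[method] = (result, dict(re.findall(r"(\S+?)=(\S+)", rest)))
    return results

def highlight_decision(header, today, min_age_days=30, min_score=0.8):
    """Decide what the mail client may show. Authentication is necessary but
    not sufficient: a fresh or poorly scored domain gets no green bar and is
    rate limited until it has a track record."""
    dmarc = parse_auth_results(header).get("dmarc")
    if dmarc is None or dmarc[0] != "pass":
        return "no-highlight"            # not even authenticated
    domain = dmarc[1].get("header.from", "").lower()
    rep = REPUTATION.get(domain)
    if rep is None or (today - rep["first_seen"]).days < min_age_days:
        return "rate-limit"              # authenticated, but no history yet
    if rep["score"] < min_score:
        return "no-highlight"            # authenticated, but known to be poor
    return "green-bar"

if __name__ == "__main__":
    # The look-alike domain passes DMARC yet is one day old: rate-limit
    print(highlight_decision(SAMPLE_AR, date(2014, 6, 6)))
```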

