[dmarc-discuss] the obvious lookalike attack

J. Gomez jgomez at seryrich.com
Sat Jun 7 14:49:15 PDT 2014


On Saturday, June 07, 2014 10:57 PM [GMT+1=CET], John Levine via dmarc-discuss wrote:

> > A claim that attackers will use work-arounds creates a desire for
> > measuring use of work-arounds...
> 
> Here's an anecdote: I've been getting a fair amount of spam from what
> are obviously stolen AOL address books, since I recognize the sender
> and the other recipients.  Now I'm getting the same spam, but the
> From: line has her name as the comment, same as always, but some
> random non-AOL address.
> 
> I suppose that suggests that DMARC may have been somewhat effective at
> stopping the phish using the exact address, so they're doing what
> lists 
> do, munge the address to hide it from DMARC.

Yes, but users[*] more-or-less have learnt to expect contrived messages from mailing lists (altered Subject, footer added, and now altered From line...), but they certainly do not expect contrived messages from real people they already know, so if they get them it should raise alarm flags with the user... we can expect.
 
[*] The small fraction of users using mailing lists, instead of social networking web services and web forums.
 
Again, at the end of the chain, the user has to exert some judgment, always.

Regards,
J.Gomez




More information about the dmarc-discuss mailing list