[dmarc-discuss] the obvious lookalike attack

Al Iverson aiverson at spamresource.com
Sat Jun 7 16:07:00 PDT 2014


On Sat, Jun 7, 2014 at 3:57 PM, John Levine via dmarc-discuss
<dmarc-discuss at dmarc.org> wrote:
>>A claim that attackers will use work-arounds creates a desire for
>>measuring use of work-arounds...
>
> Here's an anecdote: I've been getting a fair amount of spam from what
> are obviously stolen AOL address books, since I recognize the sender
> and the other recipients.  Now I'm getting the same spam, but the
> From: line has her name as the comment, same as always, but some
> random non-AOL address.
>
> I suppose that suggests that DMARC may have been somewhat effective at
> stopping the phish using the exact address, so they're doing what lists
> do, munge the address to hide it from DMARC.

Not sure what you're looking for here. I know that when I look at it,
I see that more and more mail is signed, which applies a stable
identifier to attach reputation to. In this case, bad reputation,
because the mail is spam or phish and likely to be reported as such.

So you have
1. Bad guy can't use AOL.com
2. Bad guy forced to use some other domain
3. If some other domain is signed, reputation of that domain goes down quickly
4. If some other domain not signed, receivers likely to examine that
mail more closely/treat it as more likely to be suspect to begin with,
maybe?

I'm still back to: if I were aol.com, I'd still want the bad guys off
of aol.com. I also think it's a bit simplistic to assume that there's
nothing else in that message that might have made it filterable. DBL'd
domain? CBL'd IP? (My point being....every single one of these efforts
catches some spam, not all spam.)

Is your perspective that this is all a lost battle to begin with and thus
nobody should use DMARC in that scenario? I'm not assuming; I'm
asking. What do you want to have happen?

Regards,
Al Iverson
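The lookalike described in this thread, as an added example that is not part of the list discussion or any DMARC implementation: the From: display name (the "comment") is a known contact, but the address has been munged to a domain the attacker controls. DMARC only checks that the From: domain aligns with a domain that passed DKIM or SPF, so an aligned lookalike passes DMARC; the point of the check below is that the address book, not DMARC, is what catches it. The address book, sample From: headers and authentication results are all constructed for the example, and the organizational-domain helper is a deliberate simplification (a real receiver consults the Public Suffix List).

```python
"""Added example (not from the dmarc-discuss thread): classify a From:
header as legitimate, exact-address spoof, or display-name lookalike.

Models the anecdote above: same display name as a real contact, random
non-AOL address. DMARC alignment is evaluated per RFC 7489, but the
lookalike verdict comes from a per-contact address book, because an
attacker who signs with their own domain passes DMARC cleanly.
"""
import re
from email.utils import parseaddr

# Constructed address book: normalized display name -> addresses the
# contact has actually used. A real receiver would build this from the
# user's contacts or prior correspondence.
ADDRESS_BOOK = {
    "jane doe": {"jane.doe@aol.com"},
    "bob smith": {"bsmith@example.org", "bob@example.org"},
}


def normalize_name(name: str) -> str:
    """Case-fold and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def domain_of(addr: str) -> str:
    """Domain part of an addr-spec, lower-cased."""
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels.

    Assumption for the example only: RFC 7489 derives this from the
    Public Suffix List, which this toy helper does not consult.
    """
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_aligned(from_domain: str, auth_domains, strict: bool = False) -> bool:
    """RFC 7489 identifier alignment.

    The RFC5322.From domain must match a domain that passed DKIM (d=) or
    SPF (MAIL FROM). Relaxed mode matches on the organizational domain;
    strict mode requires an exact match.
    """
    from_domain = from_domain.lower()
    for d in auth_domains:
        d = d.lower()
        if d == from_domain:
            return True
        if not strict and org_domain(d) == org_domain(from_domain):
            return True
    return False


def classify(from_header: str, auth_domains, address_book=ADDRESS_BOOK) -> str:
    """Return one of:
      'aligned-known'           known name and address, DMARC aligned
      'unaligned-exact'         known address but nothing authenticated it
                                (this is what a p=reject policy stops)
      'display-name-lookalike'  known display name on an address the
                                contact has never used (passes DMARC if
                                the attacker signs with their own domain)
      'no-verdict'              no display name, or name not in the book
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if not name or not addr:
        return "no-verdict"
    known = address_book.get(normalize_name(name))
    if known is None:
        return "no-verdict"
    aligned = dmarc_aligned(domain_of(addr), auth_domains)
    if addr in known:
        return "aligned-known" if aligned else "unaligned-exact"
    # Name matches a contact, address does not: the munged-address case.
    return "display-name-lookalike"


# Constructed samples: (From: header, domains that passed DKIM or SPF).
SAMPLES = [
    ('"Jane Doe" <jane.doe@aol.com>', ["aol.com"]),      # legitimate
    ('"Jane Doe" <jane.doe@aol.com>', []),               # exact spoof, unaligned
    ("Jane Doe <xk1842@example.net>", ["example.net"]),  # lookalike, DMARC passes
    ("<jane.doe@aol.com>", ["aol.com"]),                 # no display name
]

if __name__ == "__main__":
    for hdr, auth in SAMPLES:
        print(f"{hdr:34s} auth={auth!r:18s} -> {classify(hdr, auth)}")
```

The third sample is the one that matters for the thread: it is DMARC-aligned, so it is never rejected by policy, and only the address-book comparison flags it. Whether a receiver then filters it comes down to the reputation of the signing domain, which is the point made in the list above.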

