[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy
dwmw2 at infradead.org
Sat Jun 7 22:22:01 PDT 2014
On Sat, 2014-06-07 at 16:42 -0400, Larry Finch via dmarc-discuss wrote:
> DMARC really sounded good when it was first defined and spec’d. And it
> DOES prevent spoofing a Yahoo or AOL address, but does nothing to
> prevent spoofing a Yahoo or AOL user, (or Chase, Wells-Fargo, Bank of
> America, etc) as my inbox has proven over the past few days.
For the banks, there's a much simpler solution anyway. Banks should be
S/MIME-signing all their customer-facing outbound mail, and a customer
should know with 100% certainty that if they get a mail which isn't
S/MIME signed with the bank's certificate, it's a fake.
I know the X.509 certificate authorities aren't perfect, but they work
tolerably for secure web sites and the users understand them as much as
they are ever going to understand anything security-related.
Any bank *not* signing its direct-to-customer email should be prosecuted
as an accessory to fraud which it is enabling by actively training its
customers to succumb to phishing :)
(Let's see how this S/MIME-signed mail is handled by MUAs when the From
address is mangled to no longer match the owner of the cert...)