[dmarc-discuss] MLM and Header-From rewritting - the SMTPopen-relay analogy

David Woodhouse dwmw2 at infradead.org
Sat Jun 7 22:22:01 PDT 2014

On Sat, 2014-06-07 at 16:42 -0400, Larry Finch via dmarc-discuss wrote:
> DMARC really sounded good when it was first defined and spec’d. And it
> DOES prevent spoofing a Yahoo or AOL address, but does nothing to
> prevent spoofing a Yahoo or AOL user, (or Chase, Wells-Fargo, Bank of
> America, etc) as my inbox has proven over the past few days. 

For the banks, there's a much simpler solution anyway. Banks should be
S/MIME-signing all their customer-facing outbound mail, and a customer
should know with 100% certainty that if they get a mail which isn't
S/MIME signed with the bank's certificate, it's a fake.

I know the X.509 certificate authorities aren't perfect, but they work
tolerably for secure web sites and the users understand them as much as
they are ever going understand anything security-related.

Any bank *not* signing its direct-to-customer email should be prosecuted
as an accessory to fraud which it is enabling by actively training its
customers to succumb to phishing :)

(Let's see how this S/MIME-signed mail is handled by MUAs when the From
address is mangled to no longer match the owner of the cert...)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20140608/67abb4ff/attachment.bin>

More information about the dmarc-discuss mailing list