[dmarc-discuss] MLM and Header-From rewritting - the SMTPopen-relay analogy

Matt Simerson matt at tnpi.net
Mon Jun 9 12:02:22 PDT 2014

On Jun 9, 2014, at 11:34 AM, Murray S. Kucherawy via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

> On Mon, Jun 9, 2014 at 10:49 AM, Larry Finch <finches at portadmiral.org> wrote:
>> User education (if that is possible) is the best defense. 
> I seem to recall a presentation some years ago that discovered over 18% of users go through their spam folders and fall for phishes found in there, on the basis that the spam filtering might cause them to miss something important.

Of course they do, because that's exactly what we've trained them to do!  "You didn't get the email? Check your spam folder."

> It's interesting, but also sad for email, that Kaiser (and perhaps others) has decided this problem is intractable.

Anyone who is subject to HIPAA regulations is *required* to up their security game or face some pretty serious financial penalties. For example, sending email with any Personal Health Information to any of the freemail providers is an absolute no-no. 

> Now, when my doctor sends me a message, I get an email asking me to go to their web site to retrieve the message.  It's a bit annoying to have to log in to a web site to read a single message, but we're guaranteed mutual authentication and message security that way.

At least that way, you're guaranteed that gmail isn't archiving your health stats and showing you ads for "alternative" medications instead of your prescriptions. It's not just health care, other regulated industries have been forced to curtail their use of email because of the lack of security.


More information about the dmarc-discuss mailing list