[dmarc-discuss] On Inbound DMARC Support

Brian Westnedge Brian.Westnedge at returnpath.com
Fri Jun 20 08:45:24 PDT 2014


Here's a simple use case for a spear-phisher where DMARC could be effective on the inbound:

1. Phisher targets a specific exec at bigbank.com
2. Phisher sends fake FedEx tracking email from fedex.com (p=reject) to exec's admin with a note from exec for admin to track a shipment that has been ordered
3. Assuming DMARC is not being checked on the inbound, admin clicks malicious tracking number link, credentials are stolen, breach ensues

The above does of course assume that the phisher is either not familiar with DMARC, or thinks that it won't be checked by a B2B entity like bigbank.com.

Regards,
Brian

-----Original Message-----
From: dmarc-discuss [mailto:dmarc-discuss-bounces at dmarc.org] On Behalf Of Steve Atkins via dmarc-discuss
Sent: Friday, June 20, 2014 8:12 AM
To: dmarc-discuss
Subject: Re: [dmarc-discuss] On Inbound DMARC Support

> - DMARC is effective against one of the most effective forms of 
> phishing

No, it's not.

DMARC will briefly reduce bulk phishing from phishers who don't know about DMARC. But, after that very brief lull it'll have minimal effect.

It doesn't affect anything that's visible to the end user. It doesn't make it any easier (or more difficult) to filter out phishes by content (or by using domain-based whitelisting or ...).

It does mean that end users will be trained to accept that "the From: field will sometimes look funny".

It certainly won't slow down a sophisticated spear phisher, which is the sort of phishing you're talking about when you're discussing compromising corporate networks.
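The inbound check Brian's use case relies on is the receiver-side DMARC evaluation: look up the policy for the RFC5322.From domain, test whether the SPF-authenticated domain or the DKIM signing domain aligns with it, and apply p= (or sp= for subdomains) when neither does. The following is an added example written for this page, not code from the list or from any DMARC implementation. It stands in for DNS with a constructed table of records (the fedex.com p=reject record mirrors the thread; the other records, the shipping-updates.example sender domain and the two-label organizational-domain shortcut are assumptions), and it shows the spoofed FedEx message being rejected while an aligned message passes.

```python
"""Simplified inbound DMARC evaluation (RFC 7489 alignment + policy lookup).

Added example for illustration, not code from the dmarc-discuss thread.
DNS is replaced by a constructed record table; organizational domains are
approximated as the last two labels instead of using the Public Suffix List.
"""
import re

# Constructed stand-ins for TXT records at _dmarc.<domain>. Only the fedex.com
# p=reject policy comes from the thread; the rest are assumed for illustration.
DMARC_RECORDS = {
    "fedex.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.invalid",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
    "bigbank.com": "v=DMARC1; p=quarantine; sp=reject",
}


def org_domain(domain):
    """Approximate organizational domain (assumption: last two labels;
    a real receiver consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into tags, applying RFC 7489 defaults.
    Returns None if the record is not a valid DMARC record."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment is the default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def from_domain_of(from_header):
    """Extract the domain of the RFC5322.From address (the one the user sees)."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    return match.group(1).lower() if match else None


def lookup_policy(from_domain):
    """Return (tags, is_subdomain): the record at the exact From: domain, or
    else the organizational domain's record with the subdomain flag set."""
    record = DMARC_RECORDS.get(from_domain.lower())
    if record:
        return parse_dmarc(record), False
    org = org_domain(from_domain)
    record = DMARC_RECORDS.get(org)
    if record and org != from_domain.lower():
        return parse_dmarc(record), True
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'no-record', 'pass', or the policy to apply: 'none', 'quarantine',
    'reject'. spf_domain is the MAIL FROM domain SPF authenticated; dkim_domain
    is the d= of a signature that verified."""
    tags, is_sub = lookup_policy(from_domain)
    if tags is None:
        return "no-record"  # nothing published, so nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("sp", tags["p"]) if is_sub else tags["p"]


if __name__ == "__main__":
    # Constructed spoof from the use case: From: claims fedex.com, but SPF only
    # authenticates the phisher's own MAIL FROM domain and there is no DKIM.
    spoof_from = '"FedEx Tracking" <tracking@fedex.com>'
    print("spoof  ->", evaluate(from_domain_of(spoof_from), "pass",
                               "shipping-updates.example", "none", None))
    # Constructed legitimate message: SPF and DKIM both align with fedex.com.
    print("legit  ->", evaluate("fedex.com", "pass", "fedex.com", "pass", "fedex.com"))
```

The disposition for the spoof is `reject`, so with inbound DMARC enforced the admin in step 3 never sees the message; the same function returns `pass` for the aligned message, `quarantine`/`reject` for bigbank.com's own p= and sp= policies, and `none` for a p=none domain, which is why a domain still in monitoring mode offers no inbound protection.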
