[dmarc-discuss] On Inbound DMARC Support
fmartin at linkedin.com
Fri Jun 20 09:56:03 PDT 2014
On Jun 20, 2014, at 9:31 AM, Steve Atkins via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:
> On Jun 20, 2014, at 8:45 AM, Brian Westnedge via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:
>> Here's a simple use case for a spear-phisher where DMARC could be effective on the inbound:
>> 1. Phisher targets a specific exec at bigbank.com
>> 2. Phisher sends fake FedEx tracking email from fedex.com (p=reject) to exec's admin with a note from exec for admin to track a shipment that has been ordered
>> 3. Assuming DMARC is not being checked on the inbound, Admin clicks malicious tracking number link, credentials are stolen, breach ensues
>> The above does of course assume that the phisher is either not familiar with DMARC, or thinks that it won't be checked by a B2B entity like bigbank.com.
> Right. Any approach that's predicated on the assumption that someone behind a spear-phishing (or other "APT"-esque) attack is stupid and/or unaware of generally known anti-phishing approaches is probably flawed. As is any that assumes that once the spear-phisher sends one email that bounces they're going to just give up on that target and move on.
Your logic is flawed, because you imply that therefore DMARC is useless in fighting spear-phishing. The next conclusion, is that all anti-spam techniques are useless, because they don’t solve spam as a whole…
Spear phishing nowadays is not that targeted and are usually stupid and extremely effective. Once they are obliged to use a non DMARC protected domain, it becomes easier to spot.
DMARC is only a tool that close a specific hole, you need to close the other holes, so you can manually watch the few that are left...
Oh, and data has shown that they are indeed moving on to non DMARC protected domains...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the dmarc-discuss