IETF Logo Mail Archive

Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

"Murray S. Kucherawy" <superuser@gmail.com> Sun, 07 July 2013 07:26 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 508E021F9E4D for <dmarc@ietfa.amsl.com>; Sun, 7 Jul 2013 00:26:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K0BYuB+l6cZo for <dmarc@ietfa.amsl.com>; Sun, 7 Jul 2013 00:25:55 -0700 (PDT)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) by ietfa.amsl.com (Postfix) with ESMTP id 1BDAB21F8C66 for <dmarc@ietf.org>; Sun, 7 Jul 2013 00:25:54 -0700 (PDT)
Received: by mail-wi0-f180.google.com with SMTP id c10so3108760wiw.7 for <dmarc@ietf.org>; Sun, 07 Jul 2013 00:25:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=cYeZTSIEjYvRNeGEOdAISgCEJDENbwnN3AyvPT1+9CU=; b=Y98gNoCWyRTRzj1O07uwXa44yZF3E4U7E0rkGJ4FQLKtuS9TBZ19gWU0yMWclSwvP8 RgWRkxZN6tUjkkHfATxDiPQd1NGSoBwQkZw+lEw0t4NTPutqfQx1BVtuJt2pb6ddKeXq rz/v+++bRE8H+tmaRgw4mcz2Df5PNtPHMxng43l8bTgRfivvNJrxQczxvwbVRZ1nKGmx lYBNIAyLmO6/UoUdET5GB+4yj/idSUv/6WlEVkGXVauV69G5sg3VjLKniJO8VVZyzb1B pH2ofuhFLiI1A4HOqrAhojD4Jq+rM/hCG6Q5wicPfz91HYO3yRUIZMIrgNBN3YnlzWhJ L+Cg==
MIME-Version: 1.0
X-Received: by 10.180.189.102 with SMTP id gh6mr9195427wic.19.1373181954272; Sun, 07 Jul 2013 00:25:54 -0700 (PDT)
Received: by 10.180.90.16 with HTTP; Sun, 7 Jul 2013 00:25:54 -0700 (PDT)
In-Reply-To: <CAL0qLwZAVH=bK=jZKuk4ZkcELSXQ0SB5_WoHKETTZwo5f43Qtw@mail.gmail.com>
References: <519B47DC.20008@cisco.com> <CAL0qLwYZOp1FNVSAmzXYkZG_O3Yv+EQrAKKLpRiE5svcOMamTA@mail.gmail.com> <6.2.5.6.2.20130523002139.0da7ac58@resistor.net> <CAL0qLwYT6BS=HGLX1-u80aqaJWefipT5tcg5Ut_549y4rOej9g@mail.gmail.com> <51D858EB.3030202@gmail.com> <CAL0qLwZAVH=bK=jZKuk4ZkcELSXQ0SB5_WoHKETTZwo5f43Qtw@mail.gmail.com>
Date: Sun, 07 Jul 2013 00:25:54 -0700
Message-ID: <CAL0qLwb-m7BEBQ7snR4zQqMWu0H17P-+aOaxb=4t8pY58dXGRw@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Dave Crocker <dcrocker@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c3436a98b40d04e0e6d613"
Cc: SM <sm@resistor.net>, "dmarc@ietf.org" <dmarc@ietf.org>, Eliot Lear <lear@cisco.com>
Subject: Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jul 2013 07:26:00 -0000

On Sat, Jul 6, 2013 at 11:04 PM, Murray S. Kucherawy <superuser@gmail.com>wrote:

> On Sat, Jul 6, 2013 at 10:50 AM, Dave Crocker <dcrocker@gmail.com> wrote:
>
>> So in looking these over, I find myself liking the phrase "deceptively
>> similar".  Hence I'll propose:
>>
>>      A cousin domain is a registered domain name that is deceptively
>> similar to a target domain name.  The target domain is familiar to many
>> end-users, and therefore imparts a degree of trust.  The deceptive
>> similarity can trick the user by embedding the essential parts of the
>> target name, in a new string, or it can use some variant of the target
>> name, such as replacing 'i' with '1'.
>>
>>
> Seems a reasonable starting point.  Might also include a reference to
> "homograph (literally, one appearance) attack".
>
>
How's this, if you'll pardon the XML?

                    <t hangText="Cousin Domain:"> A registered domain name
that
                        is deceptively similar to a target name, which can
be a
                        domain name or the name of a known entity.  The
target
                        name is familiar to many end-users, and therefore
                        imparts a degree of trust.  The deceptive
similarity can
                        trick the user by embedding the essential parts of
the
                        target name in a new string (e.g.,
                        "companysecurity.example" to attack
"company.example"),
                        or it can use some variant of the target name, such
as
                        replacing 'i' with '1'.  This latter form is
sometimes
                        known as a "homograph attack".
</t>

v2.14.0 | Report a Bug | By Email