Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

Matt Simerson <matt@tnpi.net> Sat, 06 July 2013 19:01 UTC

To: Dave Crocker <dcrocker@gmail.com>
Cc: SM <sm@resistor.net>, "dmarc@ietf.org" <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Eliot Lear <lear@cisco.com>

On Jul 6, 2013, at 11:41 AM, Dave Crocker <dcrocker@gmail.com> wrote:

> On 7/6/2013 11:18 AM, Matt Simerson wrote:
>>>    A cousin domain is a registered domain name that is deceptively
>>> similar to a target domain name.  <snip> The deceptive similarity can trick the user by embedding the
>>> essential parts of the target name, in a new string, or it can use
>>> some variant of the target name, such as replacing 'i' with '1'.
>> 
>> I inserted the word 'usually'.
> 
> That's a kind of careful phrasing that makes sense for precise specification, but I think is actually distracting for the usage here.
> 
> That is, I think that extra qualifiers in definitions are, ummmm... usually distracting...
> 
> It's not that it's wrong; it's that I doubt it's as helpful as we'd like.

Why not remove the domain familiarity part entirely? The essence of a cousin domain is not in the victim's familiarity with the target domain name (which is less common than technophiles would hope) but in the victim's familiarity with the organizational name in the domain.

Matt
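
The two forms of similarity named in the quoted definition (the target name embedded in a new string, and a character variant such as '1' for 'i'), checked against the organizational label of the domain rather than the full domain name. This is an added Python example, not part of the original message. The function names, the look-alike map and the `.example`/`.test` domains are constructed for illustration, and treating the last two labels as the registered domain is a simplifying assumption.

```python
# Added example, not from the original post. All domains used with it are constructed.

# Characters treated as look-alikes; a small constructed map, not exhaustive.
LOOKALIKES = str.maketrans({"1": "l", "i": "l", "0": "o"})


def labels(domain):
    """Split a domain into lowercase labels, ignoring a trailing dot."""
    return domain.lower().rstrip(".").split(".")


def registered(domain):
    # Assumption: the registered domain is the last two labels.
    # Production code needs the Public Suffix List (e.g. for co.uk).
    return ".".join(labels(domain)[-2:])


def org_label(domain):
    """The label that carries the organizational name, e.g. 'firstbank'."""
    return labels(domain)[-2]


def skeleton(label):
    """Collapse look-alike characters so 'f1rstbank' and 'firstbank' compare equal."""
    return label.translate(LOOKALIKES)


def classify(candidate, target):
    """Return 'same', 'embedded', 'variant' or None for candidate vs target."""
    if len(labels(candidate)) < 2 or len(labels(target)) < 2:
        return None
    if registered(candidate) == registered(target):
        return "same"        # the target itself or one of its subdomains
    org, label = org_label(target), org_label(candidate)
    if org in label:
        return "embedded"    # organizational name inside a new registered name
    if skeleton(org) in skeleton(label):
        return "variant"     # character substitution such as '1' for 'i'
    return None
```

Short organizational labels produce false positives with the substring test, so a real deployment would pair this with a minimum length or an allow-list.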