Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

Barry Leiba <barryleiba@computer.org> Mon, 08 July 2013 21:12 UTC

> How's this, if you'll pardon the XML?
>
>  <t hangText="Cousin Domain:"> A registered domain name that
>      is deceptively similar to a target name, which can be a
>      domain name or the name of a known entity.  The target
>      name is familiar to many end-users, and therefore
>      imparts a degree of trust.  The deceptive similarity can
>      trick the user by embedding the essential parts of the
>      target name in a new string (e.g.,
>      "companysecurity.example" to attack "company.example"),
>      or it can use some variant of the target name, such as
>      replacing 'i' with '1'.  This latter form is sometimes
>      known as a "homograph attack".  </t>

If it's not too late to change the term "cousin domain" for this, I
suggest finding another term.  "Cousin" implies a legitimate relation,
which this isn't.  I would consider, say, "ibm.com" and "lotus.com" to
be cousin domains.  I might consider "microsoft.com", "hotmail.com",
and "skype.com" to be cousin domains.  Things that try to look like
they're related, but *aren't*, are what we're talking about here, and
I don't think of those as cousins.

Barry
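
The two forms named in the quoted definition (the target name embedded in a longer string, or a character-substitution variant of it) can be checked mechanically when reviewing new registrations against a protected domain. The following is an added example, not part of the original message or of the DMARC draft; the function names, the small substitution table and the sample names other than those quoted in the thread are constructed, and the last-two-labels rule is an assumption standing in for a Public Suffix List lookup.

```python
# Added example: flag lookalike ("cousin") registrations for a protected domain.
# The substitution table is a small constructed sample, not a complete list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("0", "o")]


def registrable(domain):
    """Last two labels. Assumption: stands in for a Public Suffix List lookup."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a domain name: {domain!r}")
    return ".".join(labels[-2:])


def skeleton(label):
    """Fold visually confusable characters to one canonical form."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def classify(candidate, target):
    """Return 'same', 'variant', 'embedding' or 'unrelated'."""
    cand, tgt = registrable(candidate), registrable(target)
    if cand == tgt:
        return "same"  # the target itself or one of its subdomains
    c_label, t_label = cand.split(".")[0], tgt.split(".")[0]
    c_skel, t_skel = skeleton(c_label), skeleton(t_label)
    if c_skel == t_skel and c_label != t_label:
        return "variant"  # e.g. 'i' replaced with '1'
    if t_skel in c_skel:
        return "embedding"  # target name carried inside a longer string
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample input; only the company.example names come from the thread.
    for name in ["companysecurity.example", "c0mpany.example",
                 "mail.company.example", "lotus.example"]:
        print(name, classify(name, "company.example"))
```

A string comparison like this cannot see organisational relationships: it reports "lotus.com" against "ibm.com" as unrelated.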