Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

"MH Michael Hammer (5304)" <MHammer@ag.com> Mon, 08 July 2013 12:54 UTC

From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: Elizabeth Zwicky <zwicky@yahoo-inc.com>, Dave Crocker <dcrocker@gmail.com>, Matt Simerson <matt@tnpi.net>
Date: Mon, 08 Jul 2013 12:54:42 +0000
Cc: SM <sm@resistor.net>, "dmarc@ietf.org" <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Eliot Lear <lear@cisco.com>
Subject: Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

I don't think it is just that the target domain is familiar to the users under attack. It is the "brand identity". That is, the users under attack may be familiar with the brand but not necessarily familiar with the exact domain that the brand/organization uses.

Mike

> -----Original Message-----
> From: dmarc-bounces@ietf.org [mailto:dmarc-bounces@ietf.org] On Behalf
> Of Elizabeth Zwicky
> Sent: Saturday, July 06, 2013 2:52 PM
> To: Dave Crocker; Matt Simerson
> Cc: SM; dmarc@ietf.org; Murray S. Kucherawy; Eliot Lear
> Subject: Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's
> review of the DMARC spec)
> 
> 
> I would say that the target domain is familiar to the users under attack.
> 
> 	Elizabeth
> 
> On 7/6/13 11:41 AM, "Dave Crocker" <dcrocker@gmail.com> wrote:
> 
> >Thanks for the quick feedback.
> >
> >some additional thoughts...
> >
> >
> >On 7/6/2013 11:18 AM, Matt Simerson wrote:
> >>>     A cousin domain is a registered domain name that is deceptively
> >>> similar to a target domain name.  The target domain is *usually*
> >>> familiar to many end-users, and therefore imparts a degree of trust.
> >>>  The deceptive similarity can trick the user by embedding the
> >>> essential parts of the target name, in a new string, or it can use
> >>> some variant of the target name, such as replacing 'i' with '1'.
> >>
> >> I inserted the word 'usually'.
> >
> >That's a kind of careful phrasing that makes sense for precise
> >specification, but I think is actually distracting for the usage here.
> >
> >That is, I think that extra qualifiers in definitions are, ummmm...
> >usually distracting...
> >
> >It's not that it's wrong; it's that I doubt it's as helpful as we'd like.
> >
> >
> >> In addition to providing basic examples, perhaps include the well
> >> defined and recognized terms: typosquatting, and IDN homographs?
> >>
> >> https://en.wikipedia.org/wiki/Typosquatting
> >> https://en.wikipedia.org/wiki/IDN_homograph_attack
> >
> >yeah, and probably cite the dhs.gov text, to show some history to the
> >key phrase.
> >
> >d/
> >
> >
> >--
> >Dave Crocker
> >Brandenburg InternetWorking
> >bbiw.net
> >_______________________________________________
> >dmarc mailing list
> >dmarc@ietf.org
> >https://www.ietf.org/mailman/listinfo/dmarc
> 
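
The two mechanisms named in the proposed definition (embedding the target name in a new string, or a character variant such as '1' for 'i') can be checked mechanically from the defender's side. The following is an added example, not part of the thread or of the DMARC specification; the substitution table, the function names and every domain in it are constructed, and it assumes the registered domain is simply the last two labels.

```python
# Added example: classify a domain as a "cousin" of a target domain.
# The substitution table and all domains used with it are constructed.

# Fold visually confusable characters onto one representative so that
# "b1gbank" and "bigbank" produce the same skeleton.
CONFUSABLE = str.maketrans({"1": "i", "l": "i", "0": "o", "5": "s"})


def registered_parts(domain):
    """Return (brand_label, registered_domain) for a domain name.

    Assumption: the registered domain is the last two labels. Production
    code should consult the Public Suffix List instead.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable domain name: {domain!r}")
    return labels[-2], ".".join(labels[-2:])


def skeleton(label):
    """Collapse confusable characters in a single label."""
    return label.translate(CONFUSABLE)


def classify(candidate, target):
    """Return 'same', 'variant', 'embedded' or None for candidate vs target."""
    brand, target_reg = registered_parts(target)
    label, cand_reg = registered_parts(candidate)
    if cand_reg == target_reg:
        return "same"      # the target itself or one of its own subdomains
    if skeleton(label) == skeleton(brand):
        # Character variant of the brand label, or the identical label
        # registered under a different suffix.
        return "variant"
    if skeleton(brand) in skeleton(label):
        # Brand label embedded in a longer string. Very short brand
        # labels will match by accident and need an allow-list.
        return "embedded"
    return None


def scan(candidates, target):
    """Map each candidate that is a cousin of target to its category."""
    hits = {c: classify(c, target) for c in candidates}
    return {c: kind for c, kind in hits.items() if kind in ("variant", "embedded")}
```

Comparing on the brand label rather than the full domain reflects the point made in the reply above: recipients recognise the brand, not necessarily the exact domain the organization uses.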