Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

Matt Simerson <matt@tnpi.net> Mon, 08 July 2013 02:27 UTC

To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Dave Crocker <dcrocker@gmail.com>, SM <sm@resistor.net>, "dmarc@ietf.org" <dmarc@ietf.org>, Eliot Lear <lear@cisco.com>

Oh humbug, the formatting was stripped out.

<t hangText="Cousin Domain:"> A registered domain name that
                       is deceptively similar to the name of a known entity.  The entity
                       name is familiar to users and therefore
                       imparts a degree of trust.  The deceptive similarity can
                       trick the user by embedding the essential parts of the
                       entity name in a new string (e.g.,
                       "companysecurity.example" to attack "company.example"),
                       or it can use some variant of the entity name, such as
                       replacing 'i' with '1'.  This latter form is sometimes
                       known as a "homograph attack". </t>

On Jul 7, 2013, at 7:25 PM, Matt Simerson <matt@tnpi.net> wrote:

> On Jul 7, 2013, at 12:25 AM, "Murray S. Kucherawy" <superuser@gmail.com> wrote:
> 
>> How's this, if you'll pardon the XML?
>> 
>>                                       
> 
> I simplified the description by removing the 'target' abstraction. There are legitimate purposes for cousin domains, such as helping poor spellers and heading off typosquatting. 
> 
> I don't think the distinction of end-users is helpful. It implies that some class of users are not susceptible to cousin domain attacks. There's ample evidence that is not the case. 
> 
> Matt
> 
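
The two forms of similarity in the proposed definition (embedding the entity name, and character substitution) can be checked mechanically on the receiving side. The sketch below is an added example, not part of the original message or of the DMARC draft; the function names, the ASCII-only substitution table and every sample domain except the companysecurity.example pair are constructed for illustration. It assumes its inputs are already registered domains of the form label.suffix, and the `owned` set reflects the point made in the thread that some cousin domains are legitimate defensive registrations.

```python
# Added example: flag registered domains that resemble a protected one.
# CONFUSABLE is a small constructed sample, not a complete confusables table.
CONFUSABLE = str.maketrans({"1": "i", "l": "i", "0": "o", "5": "s"})


def skeleton(label: str) -> str:
    """Map look-alike characters to one representative so variants compare equal."""
    return label.lower().translate(CONFUSABLE)


def classify(candidate: str, protected: str, owned=frozenset()) -> str:
    """Return 'same', 'owned', 'variant', 'embedded' or 'unrelated'.

    Assumes both arguments are registered domains of the form label.suffix;
    finding the registered domain inside a longer host name needs a public
    suffix list and is out of scope here.
    """
    cand = candidate.lower().rstrip(".")
    prot = protected.lower().rstrip(".")
    if cand == prot:
        return "same"
    if cand in owned:
        # Defensive registrations (misspellings the entity registered itself).
        return "owned"
    cand_label = cand.partition(".")[0]
    prot_label = prot.partition(".")[0]
    sk_c, sk_p = skeleton(cand_label), skeleton(prot_label)
    if sk_c == sk_p and cand_label != prot_label:
        return "variant"      # character substitution, e.g. 'i' -> '1'
    if sk_p in sk_c:
        return "embedded"     # entity name carried inside a longer string
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples; only the first pair appears in the message above.
    samples = [
        ("companysecurity.example", "company.example"),
        ("c0mpany.example", "company.example"),
        ("w1dgets.example", "widgets.example"),
        ("weather.example", "company.example"),
    ]
    for cand, prot in samples:
        print(f"{cand:28} vs {prot:18} -> {classify(cand, prot)}")
```

A result of "variant" or "embedded" indicates similarity only; whether the domain is deceptive still depends on who registered it and how it is used.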