Re: [dmarc-ietf] About user notification in the MUA

"Murray S. Kucherawy" <superuser@gmail.com> Mon, 08 June 2020 08:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/loRU9hzMNuJSE3ER22HIucV4JE0>

On Sun, Jun 7, 2020 at 11:04 PM Douglas E. Foster <
fosterd@bayviewphysicians.com> wrote:

> Stan Kalisch asks:  And you propose the average user can understand, much
> less take the time to understand, the substance?
>
> Yes.   I believe users are worried about spam, and want to make
> intelligent decisions about whether or not email can be trusted.
> Unfortunately, our present software denies them access to the available
> information needed to make intelligent decisions.
>

A study presented some years ago now, I think back when DKIM was young, (if
I can find a citation, I will send it along) found that a statistically
significant -- it was more like 18% -- portion of their test subjects would
willingly click on links found in their spam folders if the email found
there looked legitimate.

That's right, they weren't just clicking links in their inboxes, they were
clicking links in a partition of their inbox expressly created, and named,
to store stuff the receiving system thought was probably dangerous.  The
theory, as I recall, was that they were worried they were missing something
important.

Who were these users?  As I recall, the study was run by a collaboration of
banks attempting to ascertain the gullibility of their typical customers.

That seems to be data antithetical to the notion that users are universally
worried about spam and want to make intelligent decisions.  Moreover, these
particular users were presented with information clearly marking these
messages as possibly dangerous, insofar as they had to click through to
their spam folders first.

They did it anyway.

> Dave Crocker also observes about end-user signaling failures: It's
> not that it 'seems to be'. It isn't nearly that soft.  It is that there
> have been multiple efforts over the years and none has demonstrated
> efficacy.
>
> Then let's restate that assertion in all its ugly elitism, and put it
> into an RFC:
>
> Incontrovertible research shows that humans will always act on malicious
> email, and cannot be taught to do otherwise.   Organizations should deploy
> email if and only if they have automated tools which provide perfect
> protection from unwanted email.     End user training is useless.
>
> I have a higher opinion about my users than that.
>

I wonder on what basis.  Given the contortions through which we went to
produce even the vague text in Appendix D of RFC 6376, we didn't know then
what would work.  I don't think today is any different, or we'd be doing it
already.

-MSK