Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

Franck Martin <fmartin@linkedin.com> Sat, 06 July 2013 19:20 UTC

From: Franck Martin <fmartin@linkedin.com>
To: Matt Simerson <matt@tnpi.net>
Cc: Dave Crocker <dcrocker@gmail.com>, SM <sm@resistor.net>, "dmarc@ietf.org" <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Eliot Lear <lear@cisco.com>

On Jul 6, 2013, at 12:01 PM, Matt Simerson <matt@tnpi.net> wrote:

> 
> On Jul 6, 2013, at 11:41 AM, Dave Crocker <dcrocker@gmail.com> wrote:
> 
>> On 7/6/2013 11:18 AM, Matt Simerson wrote:
>>>>   A cousin domain is a registered domain name that is deceptively
>>>> similar to a target domain name.  <snip> The deceptive similarity can trick the user by embedding the
>>>> essential parts of the target name, in a new string, or it can use
>>>> some variant of the target name, such as replacing 'i' with '1'.
>>> 
>>> I inserted the word 'usually'.
>> 
>> That's a kind of careful phrasing that makes sense for precise specification, but I think is actually distracting for the usage here.
>> 
>> That is, I think that extra qualifiers in definitions are, ummmm... usually distracting...
>> 
>> It's not that it's wrong; it's that I doubt it's as helpful as we'd like.
> 
> Why not remove the domain familiarity part entirely? The essence of a cousin domain is not in the victim's familiarity with the target domain name (which is less common than technophiles would hope) but in the victim's familiarity with the organizational name in the domain.
> 
I think we should completely remove the notion of cousin domains or at least include it as part of a subset of grief, which is any email that claims to be from a brand regardless of the domain present in the From:

It seems to me, the miscreants do not care anymore what domain they put there... At least that's my experience.
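
The cases distinguished in this thread (a target name embedded in a new string, a character-swapped variant such as 'i' replaced with '1', and a brand claimed only in the From: display name), sketched as a mail-filter check; this is an added example, not part of the original message. The brand `examplepay`, all addresses, and the look-alike table are constructed, and taking the second-to-last label as the registered name is a simplification (a production check would use the Public Suffix List).

```python
from email.utils import parseaddr

# Constructed look-alike table (assumption): both sides are folded to one
# "skeleton" so that '1', 'i' and 'l' compare equal, as do '0' and 'o'.
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o", "3": "e", "5": "s"})


def skeleton(text):
    """Lower-case, drop punctuation and spaces, fold look-alike characters."""
    kept = "".join(ch for ch in text.lower() if ch.isalnum())
    return kept.translate(FOLD).replace("rn", "m")


def classify_from(from_header, brand, brand_domain):
    """Classify one From: header against one protected brand (hypothetical helper)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # The brand's own domain or a subdomain: DMARC policy applies here.
    if domain == brand_domain or domain.endswith("." + brand_domain):
        return "brand-domain"
    labels = domain.split(".")
    registered = labels[-2] if len(labels) >= 2 else labels[0]
    # Cousin domain, first form: the target name embedded in a new string.
    if brand in registered:
        return "cousin-embedded"
    # Cousin domain, second form: a variant that only matches after folding.
    if skeleton(brand) in skeleton(registered):
        return "cousin-variant"
    # No resemblance in the domain at all; only the display name claims the brand.
    if skeleton(brand) in skeleton(display):
        return "display-name-only"
    return "unrelated"


# Constructed sample headers, one per case.
SAMPLES = [
    "ExamplePay <billing@mail.examplepay.example>",
    "Support <help@examplepay-secure.test>",
    "Support <help@examp1epay.test>",
    "ExamplePay Security <x7@mailer.test>",
    "Bob <bob@other.test>",
]


def run_samples():
    return [classify_from(h, "examplepay", "examplepay.example") for h in SAMPLES]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:18} {header}")
```

Only the first case is covered by the brand's own DMARC record; the other three need a content or reputation check on the receiving side.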