Re: [dmarc-ietf] Why are MUAs hiding or removing the From address?

Joseph Brennan <brennan@columbia.edu> Thu, 23 July 2020 13:15 UTC

Return-Path: <jb51@columbia.edu>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E76353A0AB4 for <dmarc@ietfa.amsl.com>; Thu, 23 Jul 2020 06:15:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 099YbcEIzP8Q for <dmarc@ietfa.amsl.com>; Thu, 23 Jul 2020 06:15:15 -0700 (PDT)
Received: from mx0a-00364e01.pphosted.com (mx0a-00364e01.pphosted.com [148.163.135.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A46B3A0AB3 for <dmarc@ietf.org>; Thu, 23 Jul 2020 06:15:14 -0700 (PDT)
Received: from pps.filterd (m0167072.ppops.net [127.0.0.1]) by mx0a-00364e01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 06NDCJki004580 for <dmarc@ietf.org>; Thu, 23 Jul 2020 09:15:14 -0400
Received: from sendprodmail10.cc.columbia.edu (sendprodmail10.cc.columbia.edu [128.59.72.18]) by mx0a-00364e01.pphosted.com with ESMTP id 32bw8tubk5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <dmarc@ietf.org>; Thu, 23 Jul 2020 09:15:14 -0400
Received: from mail-il1-f197.google.com (mail-il1-f197.google.com [209.85.166.197]) by sendprodmail10.cc.columbia.edu (8.14.4/8.14.4) with ESMTP id 06NDFDPG002208 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT) for <dmarc@ietf.org>; Thu, 23 Jul 2020 09:15:13 -0400
Received: by mail-il1-f197.google.com with SMTP id w10so3430417ilm.16 for <dmarc@ietf.org>; Thu, 23 Jul 2020 06:15:13 -0700 (PDT)
X-Received: by 2002:a92:c703:: with SMTP id a3mr4538045ilp.159.1595510112665; Thu, 23 Jul 2020 06:15:12 -0700 (PDT)
X-Received: by 2002:a92:c703:: with SMTP id a3mr4538010ilp.159.1595510112122; Thu, 23 Jul 2020 06:15:12 -0700 (PDT)
MIME-Version: 1.0
References: <cd9258e6-3917-2380-dd9b-66d74f3a64d3@gmail.com> <20200717210053.674D61D2C431@ary.qy> <CAL0qLwbkhG-qUyGqxaEjcFn2Lb7wPMhcPFEMA8eqptBJpePPxA@mail.gmail.com> <8efcf71c-f841-46a4-10b7-feb41a741405@gmail.com> <CAL0qLwbK7GQXkiS+H8GtsvHMzWr4o431Shc7Cc9MhqsTiHfzFw@mail.gmail.com> <bc7ed18c-8f1d-b41b-0a4b-3aa180a63563@gmail.com> <CAL0qLwYgs7py1aTQ87pykNT_0dpnrKz=+1DxMMSQMgbwz4XZDg@mail.gmail.com> <5AF00366-DB28-41CB-A1C4-F5BCA77EC969@wordtothewise.com> <CAL0qLwZRYb4yk_WJKizR0UA97XK3VedfZw73YgyTPHuOpxZQhQ@mail.gmail.com> <74a6fb5f7578452f9080cddb8ebbc8f5@bayviewphysicians.com> <adcc1359-6bb6-1237-2967-307b49557cf4@wisc.edu>
In-Reply-To: <adcc1359-6bb6-1237-2967-307b49557cf4@wisc.edu>
From: Joseph Brennan <brennan@columbia.edu>
Date: Thu, 23 Jul 2020 09:15:01 -0400
Message-ID: <CAMSGcLAyhV8UPwr7pO9ZASebefG4XdJS1rbBdfEoQW-xE2Wg5w@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
X-CU-OB: Yes
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-23_05:2020-07-23, 2020-07-23 signatures=0
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/uSAsWo7KLhgfJEzKlwNtfq-tZkE>
Subject: Re: [dmarc-ietf] Why are MUAs hiding or removing the From address?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 13:15:16 -0000

On Tue, Jul 21, 2020 at 5:45 PM Jesse Thompson
<jesse.thompson=40wisc.edu@dmarc.ietf.org> wrote:
>
> Specifically to address BEC we strip the friendly from (at our MTA gateways prior to ingestion to O365) conditionally (one example: from domains of free email providers) to force the MUA (Outlook and everything else) to show the From address.
>
> It works because now the victims just see "wisc.edu.provost32@gmail.com" instead of "Office of the Provost" and are more likely to consider the message hostile, less likely to click on the weird link, less likely to buy gift cards, and so on.
>

Brilliant!  I wish we were still using MIMEDefang. This wouldn't be
hard to code, and the results would be effective.


-- 
Joseph Brennan
Lead, Email and Systems Applications
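
The gateway rewrite described in the quoted message, sketched as an added example (not code from this thread or from either poster's mail system): when the From address is at a free-mail domain, the display name is dropped so the MUA has only the address to show. The domain list, the function name and the sample messages are assumptions made for illustration.

```python
from email import message_from_string, policy

# Assumption: illustrative list; a real gateway would load its own policy list.
FREEMAIL_DOMAINS = frozenset({"gmail.com", "yahoo.com", "outlook.com"})


def strip_friendly_from(raw, domains=FREEMAIL_DOMAINS):
    """Return (message_text, changed).

    Drops the display name from From: when any author address is at a
    listed domain. Rewriting From invalidates a DKIM signature that covers
    it, so this belongs after SPF/DKIM/DMARC have been evaluated.
    """
    msg = message_from_string(raw, policy=policy.default)
    headers = msg.get_all("From", [])
    if len(headers) != 1:
        # Missing or duplicated From: is a different problem; do not touch it.
        return raw, False
    addrs = headers[0].addresses
    hit = any(a.display_name and a.domain.lower() in domains for a in addrs)
    if not hit:
        return raw, False
    # Keep only the addr-spec of each author, e.g. user@gmail.com.
    msg.replace_header("From", ", ".join(a.addr_spec for a in addrs))
    return msg.as_string(), True


# Constructed sample messages (the first reuses the address quoted above).
SPOOF = (
    'From: "Office of the Provost" <wisc.edu.provost32@GMAIL.com>\n'
    "To: staff@example.edu\n"
    "Subject: Quick request\n"
    "\n"
    "Are you available?\n"
)
INTERNAL = (
    'From: "Registrar" <registrar@example.edu>\n'
    "To: staff@example.edu\n"
    "Subject: Schedule\n"
    "\n"
    "See attached.\n"
)

if __name__ == "__main__":
    for sample in (SPOOF, INTERNAL):
        text, changed = strip_friendly_from(sample)
        print(changed, text.splitlines()[0])
```
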