Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

Matt Simerson <matt@tnpi.net> Mon, 08 July 2013 02:25 UTC

From: Matt Simerson <matt@tnpi.net>
In-Reply-To: <CAL0qLwb-m7BEBQ7snR4zQqMWu0H17P-+aOaxb=4t8pY58dXGRw@mail.gmail.com>
Date: Sun, 07 Jul 2013 19:25:14 -0700
Message-Id: <D9CB0D71-453D-48BC-8049-0A89B6CC6394@tnpi.net>
References: <519B47DC.20008@cisco.com> <CAL0qLwYZOp1FNVSAmzXYkZG_O3Yv+EQrAKKLpRiE5svcOMamTA@mail.gmail.com> <6.2.5.6.2.20130523002139.0da7ac58@resistor.net> <CAL0qLwYT6BS=HGLX1-u80aqaJWefipT5tcg5Ut_549y4rOej9g@mail.gmail.com> <51D858EB.3030202@gmail.com> <CAL0qLwZAVH=bK=jZKuk4ZkcELSXQ0SB5_WoHKETTZwo5f43Qtw@mail.gmail.com> <CAL0qLwb-m7BEBQ7snR4zQqMWu0H17P-+aOaxb=4t8pY58dXGRw@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Dave Crocker <dcrocker@gmail.com>, SM <sm@resistor.net>, "dmarc@ietf.org" <dmarc@ietf.org>, Eliot Lear <lear@cisco.com>
Subject: Re: [dmarc-ietf] cousin domain definition (was Re: Fwd: Eliot's review of the DMARC spec)

On Jul 7, 2013, at 12:25 AM, "Murray S. Kucherawy" <superuser@gmail.com> wrote:

> How's this, if you'll pardon the XML?
> 
>     <t hangText="Cousin Domain:"> A registered domain name that
>         is deceptively similar to a target name, which can be a
>         domain name or the name of a known entity.  The entity target
>         name is familiar to many end-users, and therefore
>         imparts a degree of trust.  The deceptive similarity can
>         trick the user by embedding the essential parts of the
>         target entity name in a new string (e.g.,
>         "companysecurity.example" to attack "company.example"),
>         or it can use some variant of the target entity name, such as
>         replacing 'i' with '1'.  This latter form is sometimes
>         known as a "homograph attack".  </t>

I simplified the description by removing the 'target' abstraction. There are legitimate purposes for cousin domains, such as helping poor spellers and heading off typosquatting. 

I don't think the distinction of end-users is helpful. It implies that some class of users is not susceptible to cousin-domain attacks. There's ample evidence that this is not the case.

Matt
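As an added illustration (not code from the thread or from the DMARC drafts), the following classifier separates the two forms in the quoted definition: embedding the target's registrable label in a longer string, and substituting look-alike characters. The confusables table is a small constructed subset, and the registrable label is assumed to sit directly under a single-label public suffix; a production check would use the Unicode confusables data and the Public Suffix List.

```python
import unicodedata

# Constructed subset of confusable characters/sequences, mapped to the
# letter they imitate. Includes the 'i' -> '1' case from the definition
# and a few Cyrillic look-alikes (a, e, o, p, c) that survive NFKC.
CONFUSABLES = {
    "0": "o", "1": "i", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "rn": "m", "vv": "w",
}

def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN look-alikes can be compared."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or not valid punycode
        return domain

def registrable_label(domain):
    """Return the label directly under the public suffix, e.g. 'company'
    for 'login.company.example'. Assumes a single-label suffix."""
    labels = to_unicode(domain).lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def canonical(label):
    """Fold confusable characters so visually similar labels compare equal.
    Multi-character sequences ('rn') are folded before single characters."""
    label = unicodedata.normalize("NFKC", label.lower())
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(seq, repl)
    return label

def classify(candidate, target):
    """Classify `candidate` relative to `target` (both domain names).
    Returns 'same' (same registrable domain, e.g. a real subdomain),
    'homograph' (look-alike substitution), 'embedding' (target label
    embedded in a longer label, after folding) or None (unrelated)."""
    cand, targ = registrable_label(candidate), registrable_label(target)
    if cand == targ:
        return "same"
    fc, ft = canonical(cand), canonical(targ)
    if fc == ft:
        return "homograph"
    # Require a reasonably long target so short labels do not match everywhere.
    if len(ft) >= 4 and ft in fc:
        return "embedding"
    return None
```

Folding both sides before the embedding check means a label that combines both tricks (e.g. a zero for an 'o' plus a "-security" suffix) is still caught.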