Re: dmarc damage, was gmail users read on... [bozo subtopic]

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 12 September 2014 14:16 UTC

Date: Fri, 12 Sep 2014 14:16:30 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: ietf@ietf.org
Subject: Re: dmarc damage, was gmail users read on... [bozo subtopic]
Message-ID: <20140912141630.GF26920@mournblade.imrryr.org>
References: <20140911202058.3327.qmail@joyce.lan> <541208F6.1010302@dougbarton.us> <bb48b8f170074ddeb25cbb213f613892@DM2PR0301MB0655.namprd03.prod.outlook.com> <20140912132742.GA5035@thunk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20140912132742.GA5035@thunk.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/HKkWgJrZxasPs480XqmA-WcDQ_Q

On Fri, Sep 12, 2014 at 09:27:42AM -0400, Theodore Ts'o wrote:

> But unfortunately, once the UI recognizes this case, would we not be
> imposing harm vis-a-vis phishing in particular?  And then DMARC Mark
> II (as it were) would have to prohibit the wrapping and require a wrap
> of a wrap, etc.
> 
> There's no way of winning this.  But if we are going to go down this
> path, it would be useful to discuss what the UI would look like that
> meets the needs of mailing lists, but without potential harm of
> phishing.

Right, there's no way to win against phishing with narrow technical
counter-measures.  Phishing is not an attack on vulnerable computer
systems that follow rigid rules; it is an attack on vulnerable
fuzzy human reasoning about the online world.  Narrow defenses like
DMARC don't deter the phishers, but do damage the email infrastructure.
Sometimes more harm is done by over-eager defenders than by the
attackers.

The main effect of DMARC has been that 419 scammers now put the
Gmail, Yahoo, ... email address in "Reply-To:", rather than "From:".
Phishers also find other alternatives:

  Return-Path: <wanewviv@web116.brainhost.com>
  Received: from web116.brainhost.com (web116.brainhost.com [64.31.11.114])
      (using unknown with cipher DHE-RSA-AES256-SHA (256/256 bits))
      (No client certificate requested)
      by amnesiac (Postfix) with ESMTPS id 278102AB02B
      for <censored@example.org>; Thu, 11 Sep 2014 13:16:11 +0000 (UTC)
  To: censored@example.org
  Subject: Update You account PayPal
  From: trami zlal <PayPal@support.com>

This phisher did not even bother to use a plausible Display Name.
The pitch in the message payload is by far the most important
element of the attack; the machine-readable "metadata" we protect
is not nearly as significant.

-- 
	Viktor.
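As an added example (not code from Viktor's post or from any DMARC implementation), the following header-level check applies a simplified DMARC relaxed-alignment test and flags the Reply-To substitution he describes, run over the phishing headers quoted above and over a constructed 419-style message. The organizational-domain logic (last two labels, not the Public Suffix List) and the sample addresses are assumptions.

```python
import email
from email.utils import parseaddr

# Sample 1: the phishing headers quoted in the post (Received line omitted).
PHISH_SAMPLE = """\
Return-Path: <wanewviv@web116.brainhost.com>
To: censored@example.org
Subject: Update You account PayPal
From: trami zlal <PayPal@support.com>

(body omitted)
"""

# Sample 2: constructed 419-style message. The From: domain is aligned with
# the envelope sender, so DMARC passes; the reply address is elsewhere.
REPLY_TO_SAMPLE = """\
Return-Path: <bounce@mail.example.com>
From: Bank Officer <officer@example.com>
Reply-To: <officer@freemail.example>
To: censored@example.org
Subject: Urgent business proposal

(body omitted)
"""

def org_domain(addr: str) -> str:
    """Rough organizational domain: last two labels, lowercased (assumption;
    real DMARC consults the Public Suffix List)."""
    domain = parseaddr(addr)[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:]) if domain else ""

def check_headers(raw: str) -> dict:
    """Relaxed SPF alignment (From: vs Return-Path org domain, RFC 7489 s3.1)
    plus a heuristic for a Reply-To that leads away from the From: domain."""
    msg = email.message_from_string(raw)
    from_org = org_domain(msg.get("From", ""))
    path_org = org_domain(msg.get("Return-Path", ""))
    reply_org = org_domain(msg.get("Reply-To") or msg.get("From", ""))
    return {
        "from_domain": from_org,
        "spf_aligned": from_org == path_org,
        "reply_to_mismatch": reply_org != from_org,
    }

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("419", REPLY_TO_SAMPLE)):
        print(name, check_headers(raw))
```

The first sample fails alignment outright; the second passes every check DMARC makes and is caught only by looking at Reply-To, which is the point of the post.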