[MORG] New IMAP keyword registration proposal: $Phishing

Robert Mueller <robm@fastmail.fm> Sun, 26 March 2017 10:45 UTC

Return-Path: <robm@fastmail.fm>
X-Original-To: morg@ietfa.amsl.com
Delivered-To: morg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12F4612952D for <morg@ietfa.amsl.com>; Sun, 26 Mar 2017 03:45:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=XoEZSQ1d; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=SNkorFJg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQPWCaMazUJm for <morg@ietfa.amsl.com>; Sun, 26 Mar 2017 03:45:10 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4752B12422F for <morg@ietf.org>; Sun, 26 Mar 2017 03:45:10 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 8A86920AF8; Sun, 26 Mar 2017 06:45:09 -0400 (EDT)
Received: from web3 ([10.202.2.213]) by compute7.internal (MEProxy); Sun, 26 Mar 2017 06:45:09 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= cc:content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; bh=TT4eDP+R0RxhwYkr+Lkid2XC6brW08FnqJ+SCk2BCLI=; b=XoEZSQ1d OHC25x57FXJaGDPmAwIhvL25rte0AlUnGQkV3XXS3oH65JO45B396gQtwuwv4Kr0 T70QYq1u1E6GO+wXnRBbxOEbZkta3Qvo2pewEURQzBrinpm5PEkTHu/siTPS+58u AogVGeNOaG064SNQNsO5VMh8byR7gDZ/MJkAAdnPsJSyhU2IXJpAx5lJqlbDr/MV Ve3YQWUliEAMo3OCb4qzya74C2GdvyjokYrxvswxuW92zmij+QE8mF+7YnrLir7q nX7gP7A8Zj1GIcwsCioytCYANGiqaBhdfSs2S1vhJ4p2YCy9RyDe2m2S6mko3Sr/ IhYKhKk9UISo2A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=TT4eDP+R0RxhwYkr+Lkid2XC6brW0 8FnqJ+SCk2BCLI=; b=SNkorFJgh7n6Gdt8paIGfhk/ks7+eP6a3v2LFA9DUVCx7 LaDdn2sWCVZdj7y+TrQWej8US9sjF8/3hDiDkKy5h5rLHkaS5//05gQI0+J7qLZF cdcBuK/VPTGBo8c92M9PyZsNhl81Bkso9Qiy0hU5K9qIn1Irp8HdpkN8IcMYGxms i/l6UjaHjUSAgl1Judmg5z/9ZNRQ7IymvMI0j3PSadERFAbmbeRYqkw/OpB6WKkh 9i3KFAOR3Wcaf6n2dsJ9Du7x+BzGY5ruwaSrSNIMeuMjiFVAZU5bGhKgFc4W15wE xirCTBi5A7RVc2hr2tgTNbgk0PwL59dMkKKUbYHnQ==
X-ME-Sender: <xms:tZvXWMznnT65gQ-QtXth6d-XDyfVQE1p0z90AqPftQH9R5tb8GAIYw>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 5D20C9EA7F; Sun, 26 Mar 2017 06:45:09 -0400 (EDT)
Message-Id: <1490525109.4015337.923700488.22F85FDF@webmail.messagingengine.com>
From: Robert Mueller <robm@fastmail.fm>
To: morg@ietf.org
Cc: iana@iana.org, Alexey Melnikov <aamelnikov@fastmail.fm>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-dcf84519
Date: Sun, 26 Mar 2017 21:45:09 +1100
Archived-At: <https://mailarchive.ietf.org/arch/msg/morg/65YV6545FTw2PaA_1ytVFhA2H-Q>
Subject: [MORG] New IMAP keyword registration proposal: $Phishing
X-BeenThere: morg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Messaging Organization <morg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/morg>, <mailto:morg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/morg/>
List-Post: <mailto:morg@ietf.org>
List-Help: <mailto:morg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/morg>, <mailto:morg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2017 10:45:12 -0000

IMAP keyword name:
$Phishing

Purpose (description):
Phishing emails are a particularly pernicious problem and
unfortunately many users are tricked by them into revealing
private passwords and other personal information. Many delivery
agents may be able to detect emails as likely phishing emails
either at delivery time or shortly afterwards, but moving them
to the users spam/junk folder or marking them as $Junk may not
be enough. If they look legitimate enough, users may think they
were incorrectly identified as junk and still click on the links
in them believing that they are legitimate and the marking as
junk was a false positive error.

The $Phishing keyword can be used by a delivery agent to mark a
message as highly likely to be a phishing email. If this is the
case, the user agent should display an additional warning message
to the user alerting them that this email seems suspicious
and may be trying to trick them into giving away personal
information. Additionally the user agent may display a warning
when clicking on any hyperlinks within the message.

In general an email that’s determined to be a phishing email
by the delivery agent should also be considered a junk email
and have the appropriate junk filtering applied as well (e.g.
setting the $Junk flag or placing in the \Junk special-use
mailbox.

Private or Shared on a server:
SHARED (see Note 1)

Is it an advisory keyword or may it cause an automatic action:
This keyword is advisory.

When/by whom the keyword is set/cleared:
$Phishing will mostly be set by a delivery agent. A mail
client may set the flag if it supports a “Report phishing” type
action. If a user marks a message as not junk, the $Phishing
flag should also be removed.

Related keywords:
$Junk and $NotJunk

Related IMAP capabilities:
RFC6154 IMAP LIST Extension for Special-Use Mailboxes

Security considerations:
False positive detection of a phishing email by a delivery agent
is always possible so user agents should never fully stop users
being able to view a message or click through on links in the
message.

Published specification (recommended):

Person & email address to contact for further information:
Rob Mueller <robm@fastmail.com>;

Intended usage: COMMON

Owner/Change controller: IESG

1). Unlike junk where people may have different ideas of
what email might be considered junk or not junk, and as
it’s expected that mostly delivery agents will set this
flag, this should be a shared flag.

-- 
Rob Mueller
robm@fastmail.fm