Re: [Shutup] [ietf-smtp] Proposed Charter for something
Chris Lewis <ietf@mustelids.ca> Thu, 10 December 2015 19:36 UTC
To: Christian Huitema <huitema@huitema.net>, 'John Levine' <johnl@taugh.com>, shutup@ietf.org
References: <20151210144814.GA16386@lapsedordinary.net> <20151210151541.68326.qmail@ary.lan> <09ee01d1337b$64881950$2d984bf0$@huitema.net>
From: Chris Lewis <ietf@mustelids.ca>
Message-ID: <5669D42F.5050502@mustelids.ca>
Date: Thu, 10 Dec 2015 14:36:15 -0500
In-Reply-To: <09ee01d1337b$64881950$2d984bf0$@huitema.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/FsHgAQKqG5QZ9mfSidMIV1-LDCw>
Cc: martijn@lapsedordinary.net
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for something
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
On 12/10/2015 01:48 PM, Christian Huitema wrote:
> I am not sure I understand correctly, but it seems the reference to phishing
> is in the context of "impersonated users." Bob receives a mail that appears
> to come from "Alice@example.com." Everything matches, SPF, DKIM, DMARC. So
> Bob actually believes the mail comes from Alice, and opens the attachment.
> But the mail actually comes from the evil Eve, who somehow managed to
> acquire Alice's password, and submitted the phishing message by
> authenticating as Alice to Alice's MSA. In that context, if Bob's UA notices
> that the submission IP comes from Upper Nowheristan instead of the usual
> Mirrorland, Bob's UA could pop up a warning, or block the message. Is that a
> correct summary of the concern?

If all of these were in place worldwide (ha!), it would still only apply to a small percentage (generally <10%) of the phishing that tries to impersonate the email address completely. Most phishes don't impersonate email addresses, just the "friendly" part of the From: line, if that. How does SPF/DKIM/DMARC help you with this?

Subject: Alert! Your American Express card has been compromised!
From: "AmericanExpress Accounts" <frazzum@razzum.bar>

[Especially if razzum.bar's DMARC lines up]

Right now the highest volume spam of all is blind-recipient spoofing on behalf of various (for the most part non-finance) companies, and the headers are all brand-specific and consistent - except for the DKIM-useful header bits, which are just plain random. And it infects you (with Dyre/Dridex) if you fall for it - just like phishing, but with infection rather than identity/account as the payload.

The lack of a unique id of some kind (relatively static in terms of spam burst durations) forces the ML (or less sophisticated filter) to treat all of the output of a given domain (or MTA) as equal, and it cannot use originator distinction to "help" the content filtering.
Which, as we well know, is extraordinarily difficult in the case of 419 and essentially impossible in the case of CEO phishing.
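The From: line in the message above passes SPF, DKIM and DMARC for razzum.bar and still impersonates a brand, because those protocols authenticate only the address domain, not the display name. The check below, an added example that is not from this thread, flags that pattern on the receiving side; the brand table and the function names are constructed for illustration.

```python
"""Display-name brand impersonation check (added example, not from the thread).

Authenticating razzum.bar says nothing about the text "AmericanExpress
Accounts" in the display name, so a DMARC pass must not clear the message.
"""
import re
from email.utils import parseaddr

# Constructed sample: brand tokens -> domains that legitimately use them.
BRAND_DOMAINS = {
    "americanexpress": {"americanexpress.com", "aexp.com"},
    "paypal": {"paypal.com"},
}


def _normalize(text: str) -> str:
    """Lower-case and keep letters only, so 'American Express',
    'AmericanExpress' and 'american-express' all compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def _in_domains(domain: str, allowed: set) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_impersonation(from_header: str, dmarc_pass: bool) -> dict:
    """Return a verdict for one From: header.

    dmarc_pass is the DMARC result already computed for the message and is
    carried through unchanged: alignment proves the sending domain, not the
    displayed brand, so it does not override a display-name mismatch.
    """
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    norm_display = _normalize(display)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in norm_display and not _in_domains(domain, domains):
            return {"suspicious": True, "brand": brand,
                    "domain": domain, "dmarc_pass": dmarc_pass}
    return {"suspicious": False, "brand": None,
            "domain": domain, "dmarc_pass": dmarc_pass}


if __name__ == "__main__":
    # The From: line quoted in the message, with a DMARC pass for razzum.bar.
    print(brand_impersonation('"AmericanExpress Accounts" <frazzum@razzum.bar>', True))
```

The compromised-account case in Huitema's summary (Eve submitting as Alice) is untouched by this check, which is exactly the point: the display-name case and the stolen-credential case need different signals.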