Re: [Shutup] [ietf-smtp] Proposed Charter for something

"Christian Huitema" <huitema@huitema.net> Thu, 10 December 2015 21:19 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: shutup@ietfa.amsl.com
Delivered-To: shutup@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C14EC1B2B98 for <shutup@ietfa.amsl.com>; Thu, 10 Dec 2015 13:19:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YfJmAf1z_4px for <shutup@ietfa.amsl.com>; Thu, 10 Dec 2015 13:19:33 -0800 (PST)
Received: from xsmtp02.mail2web.com (xsmtp02.mail2web.com [168.144.250.215]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B42781B2B7A for <shutup@ietf.org>; Thu, 10 Dec 2015 13:19:27 -0800 (PST)
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp02.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1a78cY-0002un-28 for shutup@ietf.org; Thu, 10 Dec 2015 16:19:26 -0500
Received: (qmail 1547 invoked from network); 10 Dec 2015 21:19:25 -0000
Received: from unknown (HELO huitema2) (Authenticated-user:_huitema@huitema.net@[131.107.147.15]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <ietf@mustelids.ca>; 10 Dec 2015 21:19:25 -0000
From: "Christian Huitema" <huitema@huitema.net>
To: "'Chris Lewis'" <ietf@mustelids.ca>, "'John Levine'" <johnl@taugh.com>, <shutup@ietf.org>
References: <20151210144814.GA16386@lapsedordinary.net> <20151210151541.68326.qmail@ary.lan> <09ee01d1337b$64881950$2d984bf0$@huitema.net> <5669D42F.5050502@mustelids.ca>
In-Reply-To: <5669D42F.5050502@mustelids.ca>
Date: Thu, 10 Dec 2015 13:19:36 -0800
Message-ID: <0a5f01d13390$79625650$6c2702f0$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQD3chmnWPwuTgzkQ4BeVDxKF4q5EALGihlIAhgQPdECT1tQbqA+yZaQ
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/shutup/cAT0xCqE9xzkOlbQxobBd36WZTA>
Cc: martijn@lapsedordinary.net
Subject: Re: [Shutup] [ietf-smtp] Proposed Charter for something
X-BeenThere: shutup@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SMTP Headers Unhealthy To User Privacy <shutup.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/shutup>, <mailto:shutup-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/shutup/>
List-Post: <mailto:shutup@ietf.org>
List-Help: <mailto:shutup-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shutup>, <mailto:shutup-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 21:19:34 -0000

On Thursday, December 10, 2015 11:36 AM, Chris Lewis wrote:
> On 12/10/2015 01:48 PM, Christian Huitema wrote:
> 
> > I am not sure I understand correctly, but it seems the reference to
> > phishing is in the context of "impersonated users." Bob receives a
> > mail that appears to come from "Alice@example.com." Everything
> > matches, SPF, DKIM, DMARC. So Bob actually believes the mail comes from
> > Alice, and opens the attachment.
> > But the mail actually comes from the evil Eve, who somehow managed to
> > acquire Alice's password, and submitted the phishing message by
> > authenticating as Alice to Alice's MSA. In that context, if Bob's UA
> > notices that the submission IP comes from Upper Nowheristan instead of
> > the usual Mirrorland, Bob's UA could pop up a warning, or block the
> > message. Is that a correct summary of the concern?
> 
> If all of these were in place worldwide (ha!), it would still only apply to a
> small percentage (generally <10%) of the phishing that tries to impersonate
> the email address completely.  Most phishes don't impersonate email
> addresses, just the "friendly" part of the From: line, if that.

Yes, of course. There are many types of attacks; the "mass market" scammers
use crude techniques, and they probably account for the biggest volumes. But
these are not the only ones that we care about. The more sophisticated
"spear phishing" attacks commonly include detailed reconnaissance of the
target and their relations, precisely of the type "hacking Alice to get to
Bob." I think that's what you refer to when you mention "CEO phishing."

We could argue that checking the origin IP is only one of the many possible
ways to harden mail systems against phishing, and that alternatives could be
just as efficient. Maybe. But first, I would like to be sure that we
understand the scenarios in which the origin IP address is used to prevent
phishing.

-- Christian Huitema
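The origin-IP check in the "Alice's MSA" scenario above, as an added example (not code from the original post or from anyone on the list): it walks a message's Received: chain from the earliest hop upward, finds the hop where the client authenticated to the submission server (RFC 3848 "with ESMTPA"/"ESMTPSA", or a free-form "Authenticated-user" annotation like the one in this very message's headers), pulls out the client's address literal, and compares it with the networks that sender normally submits from. The sample message, the `baseline` dict, and the function names are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message whose Received: chain has the same shape as the
# archived mail above (relay hop on top, authenticated-submission hop at the
# bottom), with made-up hosts, IDs and addresses. Not from the original post.
SAMPLE = (
    "Received: from mx.example.com (mx.example.com [192.0.2.10])"
    " by mail.bob.example (Postfix) with ESMTPS id 4F1A for <bob@bob.example>;"
    " Thu, 10 Dec 2015 13:19:27 -0800 (PST)\n"
    "Received: from unknown (HELO alicepc)"
    " (Authenticated-user:_alice@example.com@[198.51.100.77])"
    " (envelope-sender <alice@example.com>) by smtp.example.com (qmail-ldap-1.03)"
    " with ESMTPA for <bob@bob.example>; 10 Dec 2015 21:19:25 -0000\n"
    "From: Alice <alice@example.com>\n"
    "To: Bob <bob@bob.example>\n"
    "Subject: invoice\n"
    "\n"
    "Please see the attachment.\n"
)

# RFC 3848 "with" keywords that mean the client authenticated to the MSA,
# plus the free-form "Authenticated-user"/"authenticated" annotation some
# MTAs (e.g. the qmail-ldap hop above) add instead.
_AUTH_HOP = re.compile(r"\bwith\s+(?:E?SMTPS?A|UTF8SMTPS?A)\b|authenticated", re.I)
# First bracketed address literal in a hop: "[203.0.113.5]" or "[IPv6:2001:db8::1]".
_IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def find_submission_ip(raw):
    """Return the client IP of the authenticated-submission hop, or None.

    Received: headers are prepended by each hop, so the last one is the
    earliest. Walk from the earliest hop upward and take the first hop that
    records an authenticated session; its first address literal is the
    submitting client (the "from" clause is written before the "by" clause).
    """
    msg = message_from_string(raw)
    for hop in reversed(msg.get_all("Received", [])):
        flat = " ".join(hop.split())  # unfold continuation lines
        if not _AUTH_HOP.search(flat):
            continue
        m = _IP_LITERAL.search(flat)
        if not m:
            return None
        try:
            return ipaddress.ip_address(m.group(1))
        except ValueError:
            return None  # malformed literal: treat as "no usable hop"
    return None


def assess(raw, baseline):
    """Compare the submission IP with the sender's usual networks.

    baseline maps a sender address to the CIDR blocks it normally submits
    from (the "usual Mirrorland" of the thread). Returns (verdict, ip), where
    verdict is one of "no-submission-hop", "unknown-sender", "ok", "anomalous".
    """
    sender = parseaddr(message_from_string(raw)["From"])[1].lower()
    ip = find_submission_ip(raw)
    if ip is None:
        return ("no-submission-hop", None)
    nets = baseline.get(sender)
    if not nets:
        return ("unknown-sender", ip)
    # ip_network.__contains__ returns False across IPv4/IPv6, so mixing is safe.
    if any(ip in ipaddress.ip_network(n) for n in nets):
        return ("ok", ip)
    return ("anomalous", ip)


if __name__ == "__main__":
    usual = {"alice@example.com": ["198.51.100.0/24"]}
    print(assess(SAMPLE, usual))
    print(assess(SAMPLE, {"alice@example.com": ["203.0.113.0/24"]}))
```

Two caveats a deployment would need: the earliest Received: line is written by the sender's MSA, so Bob can only trust it as far as he trusts the chain of hops above it (anything below the first hop added by his own receivers can be forged by whoever injected the message), and Received: headers are normally not covered by the DKIM signature, so "SPF, DKIM, DMARC all pass" says nothing about their integrity.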