On Sat, Jun 7, 2014 at 3:57 PM, John Levine via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
>>A claim that attackers will use work-arounds creates a desire for
>>measuring use of work-arounds...
>
> Here's an anecdote: I've been getting a fair amount of spam from what
> are obviously stolen AOL address books, since I recognize the sender
> and the other recipients. Now I'm getting the same spam, but the
> From: line has her name as the comment, same as always, but some
> random non-AOL address.
>
> I suppose that suggests that DMARC may have been somewhat effective at
> stopping the phish using the exact address, so they're doing what lists
> do, munge the address to hide it from DMARC.

Not sure what you're looking for here. I know that when I look at it, I see that more and more mail is signed; thus applying a stable identifier to attach reputation to. In this case, bad reputation, because the mail is spam or phish and likely to be reported as such.

So you have

1. Bad guy can't use AOL.com
2. Bad guy forced to use some other domain
3. If some other domain is signed, reputation of that domain goes down quickly
4. If some other domain not signed, receivers likely to examine that mail more closely/treat it as more likely to be suspect to begin with, maybe?

I'm still back to, If I was aol.com, I'd still want the bad guys off of aol.com.

I also think it's a bit simplistic to assume that there's nothing else in that message that might have made it filterable. DBL'd domain? CBL'd IP? (My point being....every single one of these efforts catches some spam, not all spam.)

Is your perspective, this is all a lost battle to begin with and thus nobody should use DMARC in that scenario? I'm not assuming; I'm asking. What do you want to have happen?

Regards,
Al Iverson

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
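
The four-step reasoning in the reply above can be expressed as a receiver-side check. This is an added example, not code from either poster: it flags a familiar display name arriving on an unfamiliar address and then branches on whether the substitute domain is DKIM-signed. The address book, the verdict labels, the sample messages and the reliance on a locally added `Authentication-Results` header are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book (assumption): display name -> address we know.
KNOWN_CONTACTS = {"jane example": "jane.example@aol.com"}

# DKIM pass and its signing domain, as recorded in Authentication-Results.
DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.I)

def classify(raw, contacts=KNOWN_CONTACTS):
    """Return (verdict, signing_domain) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    # parseaddr handles both "Name <addr>" and the older "addr (Name)" form.
    name, addr = parseaddr(msg.get("From", ""))
    known = contacts.get(name.strip().lower())
    # Assumes this header was added by our own MTA and that any copies
    # supplied by the sender were stripped at the border.
    m = DKIM_PASS.search(msg.get("Authentication-Results", ""))
    signer = m.group(1).lower() if m else None
    if known is None:
        return ("unknown-sender", signer)
    if addr.lower() == known:
        return ("known-contact", signer)
    # Familiar name, unfamiliar address: the pattern from the anecdote.
    if signer:
        return ("name-reuse-signed", signer)   # step 3: charge the signer's reputation
    return ("name-reuse-unsigned", None)       # step 4: examine more closely

# Constructed sample messages (not real mail).
SAMPLES = {
    "exact": ("From: Jane Example <jane.example@aol.com>\n"
              "Authentication-Results: mx.example.net; dkim=pass header.d=aol.com\n"
              "\nhello\n"),
    "signed": ("From: Jane Example <promo@bulk.example>\n"
               "Authentication-Results: mx.example.net; dkim=pass header.d=bulk.example\n"
               "\nhello\n"),
    "unsigned": ("From: x91@random.example (Jane Example)\n"
                 "Authentication-Results: mx.example.net; dkim=none\n"
                 "\nhello\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

As the reply notes, a check like this is one signal among several (DBL, CBL and others) and catches some of this mail, not all of it.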