On 6/2/2020 1:36 PM, Murray S. Kucherawy wrote:
On Tue, Jun 2, 2020 at 11:01 AM Dave Crocker <dcroc...@gmail.com> wrote:
Your comment implies that what is displayed to the user is important in
anti-abuse efforts, but there is no data to support that view, and some
significant data to support the view that that's wrong. (cf, the
extensive literature review that was done during early BIMI discussions.)
That's a curious assertion given all of the energy that's gone into
complaining about but never really resolving the "display name"
problem over the years. I thought that was a key part of the vector
of many successful phishing attacks.
In the world of Internet protocol standards, there is a common problem
in discussing anything involving users: failing to distinguish
the mathematics of abuse from the actual effects. That is, if I lie
about the author, that's abuse in an absolute sense. But that can be
quite different from whether that lie has any effect on the recipient.
So, yes, lots of people have been upset constantly over the years about
all sorts of abusive behaviors. However there appears to be no actual
evidence that lying in the From field affects end user behaviors, and
certainly none that lying in the From field about the domain name does.
And since my notes on this thread seem to be having a difficult time
being understood, I'll stress that my reference is specifically to
end-user behavior. There are other abuse factors, separate from that, which
DMARC apparently correlates usefully with, which is why it apparently
really is useful to the filtering engine. But not the recipient user.
I suppose it's possible that operators came up with this problem and
decided it needs solving, with no user complaints like "I was fooled
by this fake From, can't you do something about that?" on which to
base that.
Exactly.
Hasn't M3AAWG at least had something other than anecdata that this is
a true source of pain?
No.
As I mentioned in the previous note, there was a literature survey done
at the start of the BIMI work, and it produced no evidence to support
claims of improved end user behavior.
The canonical example of this issue was the EV web domain name exercise.
DMARC is a triumph of infrastructure operator demands over end-user
experience. It's created a markedly Procrustean email identification
environment.
The standards and the practice, for 45 years, have permitted certain
freedoms in the From: field and DMARC eliminated them.
It's easy to be cavalier about this, since some operators run highly
controlled environments and have no incentives for paying attention to
those who have used those freedoms legitimately, for 45 years.
No reply here, just felt like citing this again.
ditto.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc