As an individual:

On Tue, Jun 2, 2020 at 1:46 PM Dave Crocker <dcroc...@gmail.com> wrote:

> However there appears to be no actual evidence that lying in the From
> field affects end user behaviors, and certainly none that lying in the From
> field about the domain name does.
>

There are decades of data that prove just this. On the abuse side,
Microsoft, Google, Proofpoint, Mimecast, and others (including Valimail)
have all published reams of research reports over the years. On the
marketing side, there's another decade or two of data about how properly
crafting the From materially impacts open rates on messages, which means
user behavior is certainly impacted by what's in the From and display name.

There's more data here than can be meaningfully summarized. So to pick one
at random about usage of these methods in abuse, read page 11 of this
report:
https://www.proofpoint.com/sites/default/files/pfpt-us-tr-q117-threat-report.pdf

And on the marketing side, after a 2 second google search, here's some A/B
testing:
https://blog.influenceandco.com/how-to-optimize-your-email-open-rate-with-friendly-froms

> I suppose it's possible that operators came up with this problem and
> decided it needs solving, with no user complaints like "I was fooled by
> this fake From, can't you do something about that?" on which to base that.
>
> Exactly.
>

The history of DMARC is the exact opposite. There was a mountain of phish
impersonating well known companies that was defrauding consumers to the
tune of hundreds of millions of dollars, and the companies involved got
together and asked the major mailbox providers to work with them to
determine the appropriate signals needed to prevent the phishing using
their domains. DMARC is the result of a multi-year comprehensive data
investigation here.


> Hasn't M3AAWG at least had something other than anecdata that this is a
> true source of pain?
>
> No.
>
> As I mentioned in the previous note, there was a literature survey done at
> the start of the BIMI work, and it produced no evidence to support claims
> of improved end user behavior.
>
> The canonical example of this issue was the EV web domain name exercise.
>

Trust indicators that require users take appropriate action are doomed to
fail, and as you mentioned the data concurs. See your EV example and the
reason that padlock icons are going away.

But the flipside is not true. What users see can certainly trick them into
doing the wrong thing, especially if they believe they're doing the right
thing, and especially if a wide net is cast. This is why CEO-CFO and gift
card scams are so prevalent and effective. Again, grabbing a random example
from another 2 second google search, a few years ago the FBI said this type
of scam resulted in $2.3 billion worth of damages:
https://www.fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-warns-of-dramatic-increase-in-business-e-mail-scams

Or:
https://ottawa.ctvnews.ca/city-treasurer-sends-128-000-to-fraudsters-in-email-phishing-scam-1.4370829
(although it's unclear if DMARC would have solved this attack, the point is
that the treasurer thought it was from the mayor).

M3AAWG has shared mountains of data that DMARC solves a materially
significant problem, and this has been presented on again and again and
again. Governments are increasingly mandating it, and more industry
organizations are requiring it for all members. This is a source of real
pain which goes far beyond anecdotes.

Seth (hatless, and trying to understand your comments)
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc