Also, from literally today: https://www.justice.gov/usao-sdtx/pr/man-admits-spoof-email-fraud-scheme-and-more
On Tue, Jun 2, 2020 at 2:30 PM Seth Blank <s...@valimail.com> wrote:
> As an individual:
>
> On Tue, Jun 2, 2020 at 1:46 PM Dave Crocker <dcroc...@gmail.com> wrote:
>
>> However there appears to be no actual evidence that lying in the From field affects end user behaviors, and certainly none that lying in the From field about the domain name does.
>>
>
> There are decades of data that prove just this. On the abuse side, Microsoft, Google, Proofpoint, Mimecast, and others (including Valimail) have all published reams of research reports over the years. On the marketing side, there's another decade or two of data about how properly crafting the From materially impacts open rates on messages, which means user behavior is certainly impacted by what's in the From and display name.
>
> There's more data here than can be meaningfully summarized. So to pick one at random about usage of these methods in abuse, read page 11 of this report:
> https://www.proofpoint.com/sites/default/files/pfpt-us-tr-q117-threat-report.pdf
>
> And on the marketing side, after a 2 second google search, here's some A/B testing:
> https://blog.influenceandco.com/how-to-optimize-your-email-open-rate-with-friendly-froms
>
>> I suppose it's possible that operators came up with this problem and decided it needs solving, with no user complaints like "I was fooled by this fake From, can't you do something about that?" on which to base that.
>>
>> Exactly.
>>
>
> The history of DMARC is the exact opposite. There was a mountain of phish impersonating well known companies that was defrauding consumers to the tune of hundreds of millions of dollars, and the companies involved got together and asked the major mailbox providers to work with them to determine the appropriate signals needed to prevent the phishing using their domains. DMARC is the result of a multi-year comprehensive data investigation here.
>
>> Hasn't M3AAWG at least had something other than anecdata that this is a true source of pain?
>>
>> No.
>>
>> As I mentioned in the previous note, there was a literature survey done at the start of the BIMI work, and it produced no evidence to support claims of improved end user behavior.
>>
>> The canonical example of this issue was the EV web domain name exercise.
>>
>
> Trust indicators that require users take appropriate action are doomed to fail, and as you mentioned the data concurs. See your EV example and the reason that padlock icons are going away.
>
> But the flipside is not true. What users see can certainly trick them into doing the wrong thing, especially if they believe they're doing the right thing, and especially if a wide net is cast. This is why CEO-CFO and gift card scams are so prevalent and effective. Again, grabbing a random example from another 2 second google search, a few years ago the FBI said this type of scam resulted in $2.3 billion worth of damages:
> https://www.fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-warns-of-dramatic-increase-in-business-e-mail-scams
>
> Or:
> https://ottawa.ctvnews.ca/city-treasurer-sends-128-000-to-fraudsters-in-email-phishing-scam-1.4370829
> (although it's unclear if DMARC would have solved this attack, the point is that the treasurer thought it was from the mayor).
>
> M3AAWG has shared mountains of data that DMARC solves a materially significant problem, and this has been presented on again and again and again. Governments are increasingly mandating it, and more industry organizations are requiring it for all members. This is a source of real pain which goes far beyond anecdotes.
>
> Seth (hatless, and trying to understand your comments)
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc