On Tue, Jun 2, 2020 at 5:31 PM Seth Blank <seth= 40valimail....@dmarc.ietf.org> wrote:
> As an individual:
>
> On Tue, Jun 2, 2020 at 1:46 PM Dave Crocker <dcroc...@gmail.com> wrote:
>
>> However there appears to be no actual evidence that lying in the From
>> field affects end user behaviors, and certainly none that lying in the From
>> field about the domain name does.
>>
>
> There are decades of data that prove just this. On the abuse side,
> Microsoft, Google, Proofpoint, Mimecast, and others (including Valimail)
> have all published reams of research reports over the years. On the
> marketing side, there's another decade or two of data about how properly
> crafting the From materially impacts open rates on messages, which means
> user behavior is certainly impacted by what's in the From and display name.
>
> There's more data here than can be meaningfully summarized. So to pick one
> at random about usage of these methods in abuse, read page 11 of this
> report:
> https://www.proofpoint.com/sites/default/files/pfpt-us-tr-q117-threat-report.pdf
>
> And on the marketing side, after a 2 second google search, here's some A/B
> testing:
> https://blog.influenceandco..com/how-to-optimize-your-email-open-rate-with-friendly-froms
> <https://blog.influenceandco.com/how-to-optimize-your-email-open-rate-with-friendly-froms>
>
> I suppose it's possible that operators came up with this problem and
>> decided it needs solving, with no user complaints like "I was fooled by
>> this fake From, can't you do something about that?" on which to base that.
>>
>> Exactly.
>>
>
> The history of DMARC is the exact opposite. There was a mountain of phish
> impersonating well known companies that was defrauding consumers to the
> tune of hundreds of millions of dollars, and the companies involved got
> together and asked the major mailbox providers to work with them to
> determine the appropriate signals needed to prevent the phishing using
> their domains. DMARC is the result of a multi-year comprehensive data
> investigation here.
Actually Seth, you are flat out wrong. I was there and part of it. It was not about signaling. It was implemented at the MTA level and was about preventing the "badness" from reaching the end user rather than signaling to the end user. Google experimented with displaying "keys" and Microsoft experimented with displaying "shields". Neither of those efforts were integral to the DMARC effort.

My own experience is that a significant percentage of end users will click on just about anything. This was validated in the 2007 timeframe during some phishing runs where the bad guys actually left some tracking code on a fake WWW landing page the email links led to. It was also validated during the Storm Worm when the links used IP addresses. This issue has been validated at other points and times. Individual sending organizations and receiving domains have been generally reluctant to release data because it might expose company confidential information. Aggregated isn't so useful because there are significant variations in company efforts - not just with DMARC - that impact outcomes. So far, signaling to the end user doesn't have a particularly good track record.

DMARC started as a private effort among a handful of private parties. When it was successful in stopping direct domain abuse for a handful of sending domains at a handful of receivers, we started discussing whether the approach could be codified as a standard to enable others to benefit from the approach. The origins and history are important in understanding why DMARC is what it is.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc