Changed the subject line because this has nothing to do with failure reports.
> On 5 Jan 2021, at 20:04, Dave Crocker <dcroc...@gmail.com> wrote:
>
> On 1/5/2021 11:34 AM, Michael Thomas wrote:
>> On 1/5/21 11:22 AM, Dave Crocker wrote:
>>> From: header field rewriting demonstrates that DMARC is, indeed, trivial to defeat (or rather, to route around.) Also, receiver filtering engines are all that matter. Real-time actions by recipients are demonstrably irrelevant to DMARC (and all other anti-abuse) utility.
>>>
>> That's not the conclusion of the paper that Doug Foster linked to the other day.
>
> 1. I've looked back over his postings to this mailing list and am not finding the link you refer to. Please post it (again).

Someone mentioned it was the article I shared a few months ago. If so it's this one: https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf

Note: a single study does not make any conclusion accurate.

> 2. A single study is unlikely to be definitive about much of anything.

Absolutely true. Anyone relying on a single piece of evidence to prove their point is wrong. I am absolutely sure there is a bigger body of research out there and more data. In fact, I was at a conference in SF many years ago reporting a study done between a mailbox provider and a large sender of email. Their study showed quite definitively that visual indicators in email do not affect user behavior in any statistically meaningful way.

> 3. Especially when it counters years of experience, including the Web EV experiment
>
> https://en.wikipedia.org/wiki/Extended_Validation_Certificate
>
> Effectiveness against phishing attacks with IE7 security UI
>>
>> In 2006, researchers at Stanford University and Microsoft Research conducted a usability study [21] of the EV display in Internet Explorer 7. Their paper concluded that "participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group", whereas "participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate".

And that's with the Extended Validation Certificate, which required extensive checks by the certification authority. In email anyone can 'certify' their mail with DMARC. Bad actors can trivially get a DMARC pass if they control the mail. If we start saying 'bypass DMARC by rewriting the From: address' to legitimate mailers then every bad actor on the planet is going to do the same thing. Header rewriting is a poor solution to the problem of indirect mail flows.

>> When I first came back and saw the From rewriting I was very confused by what it was until I figured out what was going on.
>
> You think you are representative of end users? Try again.

I think he's representative of one kind of end user. He's getting a trust indicator in email (DMARC fails) and doesn't understand what that indicator means or implies. When I shared the relevant piece of the DMARC spec causing the DMARC failure he told me that was 'all gobbledygook' and that alignment wasn't even part of DMARC. I think this is exactly one of the types of responses we can expect from end users.

laura

-- 
Having an Email Crisis? We can help! 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
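The exchange above turns on DMARC identifier alignment (RFC 7489 section 3.1) and on why a mailing list that rewrites From: turns a failing message into a passing one. The following is an added illustration written for this page; it is not code from the thread, from any participant, or from any DMARC implementation. It assumes constructed domains (example.com, list.example.net, attacker.example), a tiny stand-in for the Public Suffix List, and authentication results (which DKIM d= domains verified, which domain passed SPF) supplied as inputs, since DMARC consumes those results rather than producing them.

```python
"""Added example: DMARC identifier alignment and the effect of From: rewriting.

Illustrative code for this page only, not from the dmarc list thread or any
DMARC implementation.  DKIM and SPF results are given as inputs; only the
alignment and policy step of RFC 7489 is modelled here.
"""
from email.utils import parseaddr

# Assumption: a small stand-in for the Public Suffix List, enough for the
# constructed domains below.  A real evaluator consults the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable (organizational) domain,
    e.g. 'lists.example.com' -> 'example.com'."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: strict ('s') needs identical domains; relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_header, dkim_pass_domains, spf_pass_domain, policy):
    """Return (result, from_domain, reason) for one message.

    policy is the From: domain's DMARC record as a dict,
    e.g. {"p": "reject", "adkim": "r", "aspf": "r"}.
    """
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]
    adkim = policy.get("adkim", "r")
    aspf = policy.get("aspf", "r")

    # A message passes if at least one verified DKIM signature or the
    # SPF-authenticated domain aligns with the RFC5322.From domain.
    for d in dkim_pass_domains:
        if aligned(from_domain, d, adkim):
            return "pass", from_domain, f"DKIM d={d} aligned"
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, aspf):
        return "pass", from_domain, f"SPF domain {spf_pass_domain} aligned"
    return "fail", from_domain, f"no aligned identifier; p={policy.get('p', 'none')}"


def mailing_list_scenario():
    """Constructed scenario from the thread: alice@example.com posts to a list
    at list.example.net that appends a footer (breaking example.com's DKIM
    signature) and re-signs with the list's own key."""
    example_policy = {"p": "reject", "adkim": "r", "aspf": "r"}
    list_policy = {"p": "none", "adkim": "r", "aspf": "r"}
    results = {}

    # 1. Direct mail: example.com's own signature verifies and aligns.
    results["direct"] = evaluate_dmarc(
        "Alice <alice@example.com>", ["example.com"], "example.com", example_policy)[0]

    # 2. Relayed without rewriting: the only surviving signature and the
    #    SPF-authenticated domain belong to the list, so nothing aligns with
    #    example.com and p=reject applies.
    results["relayed"] = evaluate_dmarc(
        "Alice <alice@example.com>", ["list.example.net"], "list.example.net", example_policy)[0]

    # 3. After From: rewriting: the list now owns the From: domain, its own
    #    signature aligns, and the receiver evaluates the list's policy.
    results["rewritten"] = evaluate_dmarc(
        "Alice via list <list@list.example.net>", ["list.example.net"],
        "list.example.net", list_policy)[0]

    # 4. Anyone controlling a domain and its mail gets the same pass; DMARC
    #    pass says the From: domain was used with its owner's consent, nothing
    #    about whether that owner is trustworthy.
    results["attacker"] = evaluate_dmarc(
        "Security <alerts@attacker.example>", ["attacker.example"],
        "attacker.example", {"p": "none"})[0]
    return results


if __name__ == "__main__":
    for name, result in mailing_list_scenario().items():
        print(f"{name:10s} DMARC {result}")
```

The scenario function makes the point of the thread concrete: the relayed message fails because the list's modifications leave no identifier aligned with example.com, and rewriting From: "fixes" that only by changing whose domain is being evaluated. The same mechanics give a pass to any sender who controls the domain in From: and its mail infrastructure.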