On 6/4/14, 4:23 AM, Stephen J. Turnbull wrote:
> Murray S. Kucherawy writes:
>
> > We didn't intend for this to be used by MUAs, however, so to some degree
> > they're doing what we expected.
>
> I know, but I think it's time for the IETF to recognize that email
> fraud cannot be fought if the receiving end of "end-to-end" doesn't go
> all the way through the eyeballs, optic nerve, and into the wetware.
> (Maybe we need an April 1 RFC for neural transport of IP packets
> first?)

Yes, the only way to truly fight phish is to at least somewhat standardize parts of how a MUA displays some stuff to the user.

There are some domains (like banks but NOT Yahoo and AOL) for which it is important to verify the identity of the email sender; they should have some form of certificate showing that they have been verified by a trusted 3rd party (like HTTPS certs). The 3rd-party verification keeps phishers from using minor misspellings to fake these domains.

For other domains, perhaps an SPF-like method on a per-mailbox basis (this could be used by Yahoo and the like). A person joins a mailing list; the list sends a request to an indicated mailbox to get added as an authorized sender (which then somehow verifies with the user). When the receiver gets an email from an unspecified source, it marks it as suspicious or blocks it totally. This would impact programs like Mailman: if the user's domain uses such a protection, another step needs to be added to the subscription process to get the user authorized to send to the list.

This should pretty much get rid of most phish-type messages, except those sent by a user's compromised machine, and that is something that the email standards really can't help with (how can you expect an email standard to distinguish between email from a program on my machine that I told it to send, and email from possibly the same program that some attacking program told it to send?).

> > I'm trying to figure out if that would be useful at all, but it
> > sounds like MUAs are the showstopper there.
>
> I sure don't want to give up! Some huge fraction of users must use
> GMail, Yahoo! mail, AOL, Hotmail, or Outlook for their MUAs. And that
> should cover the vast majority of "Most Likely to Fall for a Phishing
> Attack" users. Not that "vast majority" is anything to write home to
> mother about, but it's a very good start. With Comcast and a couple
> of others taking potshots at Yahoo!, I'd think the big ESPs are
> probably ready to take MUA improvement seriously. (Starting with
> protecting addressbooks, of course, but HCI stuff too I hope.)
>
> Where is Dave Hayes when we so desperately need his AI newsreader?
>
> Steve

-- 
Richard Damon

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
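The per-mailbox "authorized sender" scheme sketched in the message above, as an added toy model that is not from the thread or from Mailman: a list asks to be authorized, only the mailbox owner's confirmation of the single-use token actually adds the sender, and mail from anyone not on the list is classified as suspicious. Class and method names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class MailboxPolicy:
    """Per-mailbox policy modelling the proposal: a mailbox keeps its own
    list of approved senders, and additions need the owner's confirmation."""
    owner: str
    authorized: set[str] = field(default_factory=set)   # approved sender addresses
    pending: dict[str, str] = field(default_factory=dict)  # token -> sender awaiting approval

    def request_authorization(self, sender: str) -> str:
        """A mailing list (or any sender) asks to be added.  The request on
        its own grants nothing; it only creates a pending token that the
        owner has to confirm (e.g. via a reply or a link in the request)."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = sender.lower()
        return token

    def confirm(self, token: str) -> bool:
        """Owner confirms a pending request.  Unknown or already-used tokens
        are rejected, so a guessed or replayed token cannot add a sender."""
        sender = self.pending.pop(token, None)
        if sender is None:
            return False
        self.authorized.add(sender)
        return True

    def classify(self, sender: str) -> str:
        """What the receiving side should do with mail from `sender`:
        'deliver' for approved senders, 'suspicious' for everyone else
        (the message proposes marking or blocking such mail)."""
        return "deliver" if sender.lower() in self.authorized else "suspicious"


def subscribe_via_list(policy: MailboxPolicy, list_address: str) -> str:
    """The extra subscription step the message says Mailman would need:
    the list requests authorization and hands back the token the
    subscriber must confirm before list mail is accepted."""
    return policy.request_authorization(list_address)
```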