> I've been wondering about how email clients could change to make phishing less effective.
Ah, I remember way back when everyone had ideas on how to defeat spam, and there was a "Why your anti-spam idea won't work" checklist that made the rounds (back to at least 2008, but I feel like it goes back at least a decade farther than that; if anyone has the history on that list, I'd be interested in the earliest known use of it).

Personally I believe this sort of thing is what BIMI is designed to solve, i.e. to give end users an indication of whether a sender has undergone rigorous verification, rewarding such senders by showing an approved logo and/or checkmark in a special place to indicate that it's really from the company it claims to be from. Adoption has been slow on that front. I'm not sure reducing the fidelity of email clients and breaking the display of marketing's pixel-perfect design templates is going to get any traction.

I asked an AI to update the checklist for phishing and put a modern spin on it; it's included below for your enjoyment. Note that I mean this tongue-in-cheek, for a bit of Friday afternoon fun, and it's not meant to be insulting. Anyway, here's the checklist as to "why your anti-phishing idea won't work":

Dear Visionary,

Thank you for your enthusiastic proposal to eliminate phishing once and for all. Before you file that patent, please check the boxes below to save yourself a few years of frustration:

Implementation Reality
[X] Requires universal adoption by all email users, servers, or companies worldwide.
[ ] Depends on a global cryptographic infrastructure that everyone must configure correctly.
[ ] Breaks backward compatibility with existing mail clients older than six months.
[X] Requires cooperation from every mail provider, ISP, and government agency on Earth.
[ ] Relies on DNSSEC, which (still) isn’t fully deployed anywhere you actually need it.
[ ] Assumes the average user can understand or verify digital certificates.
[ ] Assumes management will approve this and pay for it.

Evasion and Adaptation
[X] Phishers can trivially adapt by changing domains, templates, or compromised servers.
[ ] Relies on blacklists, which phishers rotate through faster than your update cycle.
[X] Can be defeated by simply compromising legitimate accounts instead.
[X] Doesn’t account for look-alike domains, Unicode homographs, or open redirects.
[X] Assumes phishers will not move to SMS, voice, or messaging apps instead.
[ ] Blocks today’s phish perfectly, but misses tomorrow’s.

Human Factors
[ ] Assumes users will actually read warnings before clicking “Proceed Anyway.”
[X] Depends on everyone being trained and remembering the training.
[X] Assumes users will actually look at addresses/links before clicking on them (spoiler: they won’t).
[ ] Breaks legitimate emails that “look kind of phishy” (i.e., all of them).
[ ] Relies on users to report phishing instead of ignoring it or deleting it.
[ ] Requires that marketing stop sending emails that look like phishing.

Technical & Policy Gaps
[ ] Conflicts with existing SPF, DKIM, or DMARC implementations.
[ ] Requires perfect alignment of all email authentication records across the supply chain.
[ ] Prevents phishing by breaking legitimate forwarding, mailing lists, or auto-responder flows.
[X] Depends on major cloud providers to change behavior for free.
[ ] Ignores privacy laws that prevent data sharing needed for detection.
[ ] Assumes phishers can’t buy verified domains or pass KYC.
[ ] Involves “AI detection” with no defined false-positive tolerance.

Business & Ecosystem Obstacles
[ ] Requires the cooperation of entities whose business model depends on sending look-alike messages.
[ ] Would destroy affiliate marketing and thus the internet economy.
[ ] Costs more to implement than the total global losses from phishing.
[ ] Depends on replacing email, which has been “about to be replaced” since 1995.
[X] Marketing and Business Development teams would riot in the streets if implemented.
[ ] Makes customer support impossible because real humans now fail authentication.

What I Think About You and Your Idea
[ ] You’ve just reinvented S/MIME.
[ ] You’ve just reinvented DKIM/DMARC.
[ ] You’ve just reinvented SPF.
[X] You’ve just reinvented “trusted sender” allow lists [i.e., looking at the sender address as a mental allow list].
[ ] You’ve just reinvented “AI that reads all your email.”
[ ] You believe phishing is a technical problem rather than a human and economic one.
[X] You think this hasn’t all been tried, tested, broken, and blogged about before.

In summary: Your idea may reduce phishing slightly if widely adopted, correctly configured, and kept current — which means it won’t be.

Thank you for your submission. Please collect your complimentary “Security Silver Bullet” sticker on the way out.

Sincerely,
The Internet
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
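Two of the checklist's items, "doesn't account for look-alike domains, Unicode homographs" and "requires perfect alignment of all email authentication records", are worth seeing in code. The Python below is an added example, not code from the post or the mailop list: it is the mechanical version of the "mental allow list" (look at the sender address and decide whether you trust it) done as a client would have to do it. The TRUSTED set and the sample headers are constructed; the CONFUSABLES table is a tiny hand-picked subset (a real check would load Unicode TR39's confusables.txt); and org_domain is a naive "last two labels" stand-in for the Public Suffix List lookup that DMARC relaxed alignment actually requires.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow list standing in for the reader's "mental" list of trusted senders.
TRUSTED = {"example.com", "mail.example.com"}

# Deliberately tiny confusables table (assumption: a handful of Cyrillic/Greek letters
# and two digits; a real implementation would load Unicode TR39 confusables.txt).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "1": "l", "0": "o",
}


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header (the display name is ignored),
    with punycode labels decoded so 'xn--' forms and raw UTF-8 forms compare alike."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already a Unicode (SMTPUTF8) domain, or invalid punycode


def skeleton(domain: str) -> str:
    """Fold a domain to a Latin 'skeleton' so visually identical names compare equal."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption: last two labels. Real DMARC uses the
    Public Suffix List, so this is wrong for names like example.co.uk."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def aligned(from_domain: str, auth_domain: str) -> bool:
    """DMARC relaxed alignment: the authenticated domain (DKIM d= or the SPF
    envelope domain) must share its organizational domain with the From: domain."""
    return bool(auth_domain) and org_domain(from_domain) == org_domain(auth_domain)


def classify(from_header: str, dkim_d: str = "", spf_domain: str = "") -> str:
    """Return 'trusted', 'unaligned', 'lookalike', 'unknown' or 'unparseable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain in TRUSTED:
        # The right name on the From: line is not enough; something must have
        # authenticated it, otherwise it is a plain spoof of a trusted domain.
        if aligned(domain, dkim_d) or aligned(domain, spf_domain):
            return "trusted"
        return "unaligned"
    # Not on the list, but does it look like something on the list?
    if skeleton(domain) in {skeleton(t) for t in TRUSTED}:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    cyrillic_a = "\u0430"
    samples = [  # constructed headers
        ("Example Support <support@example.com>", "example.com", ""),
        ("Example Support <support@example.com>", "", "bulk-sender.invalid"),
        (f"Example Support <support@ex{cyrillic_a}mple.com>", "", ""),
        ("Example Support <support@examp1e.com>", "", ""),
        ("someone@someone-else.org", "", ""),
    ]
    for hdr, dkim, spf in samples:
        print(f"{classify(hdr, dkim, spf):11}  {hdr}")
```

The point the checklist makes survives the code: the display name is ignored and homographs in both raw and punycode form are folded, yet a registrable domain that is merely similar (a different TLD, an extra word, a hyphen) passes as "unknown", a compromised legitimate account passes as "trusted", and a link in the body is never looked at.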
