On 12/10/2015 01:48 PM, Christian Huitema wrote:

> I am not sure I understand correctly, but it seems the reference to phishing
> is in the context of "impersonated users." Bob receives a mail that appears
> to come from "[email protected]." Everything matches, SPF, DKIM, DMARC. So
> Bob actually believes the mail comes from Alice, and opens the attachment.
> But the mail actually comes from the evil Eve, who somehow managed to
> acquire Alice's password, and submitted the phishing message by
> authenticating as Alice to Alice's MSA. In that context, if Bob's UA notices
> that the submission IP comes from Upper Nowheristan instead of the usual
> Mirrorland, Bob's UA could pop up a warning, or block the message. Is that a
> correct summary of the concern?

If all of these were in place worldwide (ha!), it would still only apply to a small percentage (generally <10%) of the phishing that tries to impersonate the email address completely. Most phishes don't impersonate email addresses, just the "friendly" part of the From: line, if that.

How do SPF/DKIM/DMARC help you with this?

Subject: Alert!  Your American Express card has been compromised!
From: "AmericanExpress Accounts" <[email protected]>

[Especially if razzum.bar's DMARC lines up]

Right now the highest volume spam of all is blind-recipient spoofing on behalf of various (for the most part non-finance) companies, and the headers are all brand-specific and consistent - except for the DKIM-useful header bits, which are just plain random. And it infects you (with Dyre/Dridex) if you fall for it - just like phishing, but with infection, not identity/account, being the payload.

The lack of a unique id of some kind (relatively static in terms of spam burst durations) forces the ML (or less sophisticated filter) to treat all of the output of a given domain (or MTA) as equal, and it cannot use originator distinction to "help" the content filtering. Which, as we well know, is extraordinarily difficult in the case of 419 and essentially impossible in the case of CEO phishing.

_______________________________________________
Shutup mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/shutup
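The point made above about the American Express example is that DMARC identifier alignment only compares the domain of the RFC5322.From address with the authenticated (DKIM d= or SPF) domain; the display name is never checked, so a message whose From: address really is at razzum.bar passes every check while still claiming to be a bank. The following Python is an added illustration, not code from the post or from any IETF work: it implements a simplified alignment check (subdomain relationship standing in for RFC 7489's organizational-domain comparison) next to a display-name-versus-domain mismatch check of the kind a mail filter could use. The brand-to-domain table and the From: header values are constructed for the example.

```python
"""Added example: why DMARC alignment passes a display-name spoof, and a
complementary display-name check. Lookup table and sample headers are
constructed for illustration, not real sender data."""
import re
from email.utils import parseaddr

# Constructed table: brand names -> domains that legitimately send for them.
# A real filter would source this from a maintained list; these are assumptions.
BRAND_DOMAINS = {
    "american express": {"americanexpress.com", "aexp.com"},
}

# Constructed From: headers. The first mirrors the post's example (razzum.bar
# is the post's placeholder domain; the local part is made up).
SPOOFED_FROM = '"AmericanExpress Accounts" <alerts@razzum.bar>'
LEGIT_FROM = '"American Express" <alerts@americanexpress.com>'


def from_domain(from_header):
    """Return the lowercase domain of the RFC5322.From address, or '' if none."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def dmarc_aligned(from_header, auth_domain, strict=False):
    """Simplified DMARC identifier alignment.

    Strict mode requires an exact match between the From domain and the
    authenticated domain (DKIM d= or SPF-validated MAIL FROM domain).
    Relaxed mode here accepts a parent/subdomain relationship, an
    approximation of the organizational-domain comparison in RFC 7489.
    Note that nothing about the display name is consulted.
    """
    fd = from_domain(from_header)
    ad = auth_domain.lower()
    if not fd or not ad:
        return False
    if strict:
        return fd == ad
    return fd == ad or fd.endswith("." + ad) or ad.endswith("." + fd)


def _compact(text):
    """Lowercase and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def display_name_brand_mismatch(from_header):
    """Return the brand a display name claims when the address domain is not
    one of that brand's domains; None when no brand is claimed or it matches."""
    name, _ = parseaddr(from_header)
    claimed = _compact(name)
    dom = from_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        if _compact(brand) in claimed and dom not in domains:
            return brand
    return None


def triage(from_header, auth_domain):
    """Combine both checks into the verdict a filter would record."""
    return {
        "dmarc_aligned": dmarc_aligned(from_header, auth_domain),
        "brand_mismatch": display_name_brand_mismatch(from_header),
    }


if __name__ == "__main__":
    # The spoof aligns (razzum.bar signed it, razzum.bar is the From domain)
    # yet the display name claims a brand that domain does not belong to.
    print(triage(SPOOFED_FROM, "razzum.bar"))
    print(triage(LEGIT_FROM, "mail.americanexpress.com"))
```

The mismatch check is deliberately narrow: it only fires when the display name names a known brand and the address domain is outside that brand's set, which is the case the post says authentication cannot catch. It does nothing for mail that spoofs neither, which is consistent with the post's claim that most phishing is not an address-impersonation problem at all.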
