[display-names] Initial Thoughts on Display Name Defenses

J. Trent Adams jtrentadams at gmail.com
Wed Mar 27 11:58:19 PDT 2013 

Mike -

Interesting idea.

I wonder how we could tackle usability questions around the idea. For
example, I wonder how many people actively maintain address books to the
point where this would be useful. I know that I don't (but probably should).

Another question to explore might be how to handle first-time contacts.
Many of us use email addresses that are pretty close to our real names,
but that's no always the case. Until his address is added, email from
legendary comic book creator Jerry Seigel might show up as
"mxyzptlk at earthlink.net"... which I'm not sure is a great user experience.

>From a more philosophical level, are we more likely to achieve success
by relying on mailbox receivers or users making the right decision about
what is legitimate vs. fraudulent mail? I really wish that users were
more reliable.

- Trent


On 3/27/13 12:18 PM, Michael Adkins wrote:
> I would rather work on a broader solution than just addresses in the
> display name.
>
> Monica suggested something a while back that I think has potential.
> Basically, don't show the display name unless the From: address is in the
> user's address book.  Prior to DMARC, this wouldn't have been as valuable,
> but now that we can prevent phishers from using the exact addresses that
> we legitimately use this becomes a pretty good option to explore.
>
> On 3/27/13 10:13 AM, "J. Trent Adams" <jtrentadams at gmail.com> wrote:
>
>> Murray - Thanks for setting up this list.
>>
>> Display Name Defenders -
>>
>> As we know, defending against domain name abuse is a tricky subject.
>> It's clear that it's permissible under RFC5322 to allow arbitrary text
>> to be included in the "display-name" part of the "From" field.  So it's
>> possible (and even reasonable) to send a message like:
>>
>> -----
>> | To: "Jane Smith" <jane.smith at emailaddress.com>
>> | From: "Customer Service @Company.com" <customer.service at company.com>
>> -----
>>
>> Unfortunately, this also means there's nothing to stop someone from
>> sending a message like:
>>
>> -----
>> | To: "John Doe" <john.doe at emailaddress.com>
>> | From: "legitimate at brand.com" <attacker at spoofer.com>
>> -----
>>
>> Many email clients will happily display "legitimate at brand.com" as the
>> sender, while hiding the "address-spec" part of the "From" field.  The
>> result is that John Doe can be forgiven for thinking that the mail is
>> legitimate.
>>
>> Spoofed messages like this will look even more legitimate to the
>> receiver if the attacker sets up an SPF record, signs the mail using
>> DKIM, and publishes a DMARC record (assuming alignment with the
>> "spoofer.com" domain).
>>
>> I would like to explore if it would be reasonable to consider a means by
>> which the display-name part of the From field appears to include what
>> looks like an email address.  If so, there will be value comparing it
>> (even if only the registered domain name) to the address in the
>> address-spec part.  If they are not equal, the mail could be treated as
>> (highly) suspect, if not rejected outright.
>>
>> I'm aware that there are a number of ways by which a determined attacker
>> could try to fool such a system (eg. using left-to-right overrides).
>> But setting that aside, and before we get too far ahead of ourselves
>> dreaming up solutions, I'd like to see if we could build a data-driven
>> analysis of usage patterns in the wild.
>>
>> For example, those who have access to a large corpus of mail could
>> potentially mine their data to see how often a rudimentary RegEx turns
>> up an email address in the display-name that doesn't match the one in
>> the address-spec.  Then, by evaluating those, we may be able to
>> determine how often such a case represents legitimate mail.  My
>> hypothesis is that the number of legitimate cases like this will be very
>> small, likely along the lines of:
>>
>> -----
>> | To: "Bill Jones" <bill.jones at emailaddress.com>
>> | From: "surveys at company.com" <company.surveys at marketing.com>
>> -----
>>
>> Once we have the data, though, we can build an understanding of how the
>> practice is used.  With that we can begin to consider possible solutions.
>>
>> Anyway, soes this approach sound like a reasonable path forward to begin
>> to wade into the waters?
>>
>> - Trent
>>
>> -- 
>> J. Trent Adams
>>
>> Profile: http://www.mediaslate.org/jtrentadams/
>> LinkedIN: http://www.linkedin.com/in/jtrentadams
>> Twitter: http://twitter.com/jtrentadams
>>
>>
>> _______________________________________________
>> display-names mailing list
>> display-names at trusteddomain.org
>> http://www.trusteddomain.org/mailman/listinfo/display-names

-- 
J. Trent Adams

Profile: http://www.mediaslate.org/jtrentadams/
LinkedIN: http://www.linkedin.com/in/jtrentadams
Twitter: http://twitter.com/jtrentadams

More information about the display-names mailing list