[display-names] Initial Thoughts on Display Name Defenses

Michael Adkins madkins at fb.com
Wed Mar 27 12:08:31 PDT 2013


Users don't have to actively maintain them; they are updated
automatically.  Last time I checked, when I worked at AOL, most legitimate
email matched the user's address book.  At Facebook, most legitimate
inbound email is either from an address that belongs to a connected
Facebook account, from an address in one of the recipient's imported
address books, or from an address that the recipient has recently replied
to (which would add them to the address book).  It's easy enough to cover
the high value remainder with domain reputation based whitelisting, such
as based on the percentage of email from a given bulk or transactional
domain that does match the recipient's address book.

On 3/27/13 11:58 AM, "J. Trent Adams" <jtrentadams at gmail.com> wrote:

>
>Mike -
>
>Interesting idea.
>
>I wonder how we could tackle usability questions around the idea. For
>example, I wonder how many people actively maintain address books to the
>point where this would be useful. I know that I don't (but probably
>should).
>
>Another question to explore might be how to handle first-time contacts.
>Many of us use email addresses that are pretty close to our real names,
>but that's not always the case. Until his address is added, email from
>legendary comic book creator Jerry Siegel might show up as
>"mxyzptlk at earthlink.net"... which I'm not sure is a great user experience.
>
>From a more philosophical level, are we more likely to achieve success
>by relying on mailbox receivers or users making the right decision about
>what is legitimate vs. fraudulent mail? I really wish that users were
>more reliable.
>
>- Trent
>
>
>On 3/27/13 12:18 PM, Michael Adkins wrote:
>> I would rather work on a broader solution than just addresses in the
>> display name.
>>
>> Monica suggested something a while back that I think has potential.
>> Basically, don't show the display name unless the From: address is in the
>> user's address book.  Prior to DMARC, this wouldn't have been as valuable,
>> but now that we can prevent phishers from using the exact addresses that
>> we legitimately use this becomes a pretty good option to explore.
>>
>> On 3/27/13 10:13 AM, "J. Trent Adams" <jtrentadams at gmail.com> wrote:
>>
>>> Murray - Thanks for setting up this list.
>>>
>>> Display Name Defenders -
>>>
>>> As we know, defending against domain name abuse is a tricky subject.
>>> It's clear that it's permissible under RFC5322 to allow arbitrary text
>>> to be included in the "display-name" part of the "From" field.  So it's
>>> possible (and even reasonable) to send a message like:
>>>
>>> -----
>>> | To: "Jane Smith" <jane.smith at emailaddress.com>
>>> | From: "Customer Service @Company.com" <customer.service at company.com>
>>> -----
>>>
>>> Unfortunately, this also means there's nothing to stop someone from
>>> sending a message like:
>>>
>>> -----
>>> | To: "John Doe" <john.doe at emailaddress.com>
>>> | From: "legitimate at brand.com" <attacker at spoofer.com>
>>> -----
>>>
>>> Many email clients will happily display "legitimate at brand.com" as the
>>> sender, while hiding the "address-spec" part of the "From" field.  The
>>> result is that John Doe can be forgiven for thinking that the mail is
>>> legitimate.
>>>
>>> Spoofed messages like this will look even more legitimate to the
>>> receiver if the attacker sets up an SPF record, signs the mail using
>>> DKIM, and publishes a DMARC record (assuming alignment with the
>>> "spoofer.com" domain).
>>>
>>> I would like to explore if it would be reasonable to consider a means by
>>> which the display-name part of the From field appears to include what
>>> looks like an email address.  If so, there will be value comparing it
>>> (even if only the registered domain name) to the address in the
>>> address-spec part.  If they are not equal, the mail could be treated as
>>> (highly) suspect, if not rejected outright.
>>>
>>> I'm aware that there are a number of ways by which a determined attacker
>>> could try to fool such a system (e.g. using left-to-right overrides).
>>> But setting that aside, and before we get too far ahead of ourselves
>>> dreaming up solutions, I'd like to see if we could build a data-driven
>>> analysis of usage patterns in the wild.
>>>
>>> For example, those who have access to a large corpus of mail could
>>> potentially mine their data to see how often a rudimentary RegEx turns
>>> up an email address in the display-name that doesn't match the one in
>>> the address-spec.  Then, by evaluating those, we may be able to
>>> determine how often such a case represents legitimate mail.  My
>>> hypothesis is that the number of legitimate cases like this will be very
>>> small, likely along the lines of:
>>>
>>> -----
>>> | To: "Bill Jones" <bill.jones at emailaddress.com>
>>> | From: "surveys at company.com" <company.surveys at marketing.com>
>>> -----
>>>
>>> Once we have the data, though, we can build an understanding of how the
>>> practice is used.  With that we can begin to consider possible solutions.
>>>
>>> Anyway, does this approach sound like a reasonable path forward to begin
>>> to wade into the waters?
>>>
>>> - Trent
>>>
>>> -- 
>>> J. Trent Adams
>>>
>>> Profile: http://www.mediaslate.org/jtrentadams/
>>> LinkedIN: http://www.linkedin.com/in/jtrentadams
>>> Twitter: http://twitter.com/jtrentadams
>>>
>
>-- 
>J. Trent Adams
>
>Profile: http://www.mediaslate.org/jtrentadams/
>LinkedIN: http://www.linkedin.com/in/jtrentadams
>Twitter: http://twitter.com/jtrentadams
>
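
The two checks discussed in this thread, as an added Python example that is not part of the original messages: flag a From: header whose display name carries an address-like string from a different domain than the address-spec, and render the display name only when the address is in the recipient's address book. The function names, the two-label approximation of the registered domain, and the sample headers (constructed from the thread's examples) are assumptions.

```python
import re
from email.utils import parseaddr

# Rudimentary pattern: "local@domain" or a bare "@domain" inside a display name.
ADDR_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]*@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# Bidirectional control characters (overrides, isolates, marks) that can
# make the rendered display name differ from its stored character order.
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069\u200e\u200f]")


def org_domain(domain):
    # Assumption: approximate the registered domain by the last two labels.
    # A production check would consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_from(from_header, address_book=frozenset()):
    """Return (verdict, text_to_render) for one From: header value.
    address_book holds lowercase addresses the recipient already knows."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "unparseable", from_header
    if BIDI_CONTROLS.search(name):
        return "suspect-bidi", addr
    m = ADDR_IN_NAME.search(name)
    if m and org_domain(m.group(1)) != org_domain(addr.rsplit("@", 1)[1]):
        return "suspect-mismatch", addr
    if addr in address_book:
        return "known", name or addr      # display name shown only here
    return "unknown", addr                # first-time contact: bare address


def mine(headers, address_book=frozenset()):
    """Count verdicts over a corpus of From: header values."""
    counts = {}
    for header in headers:
        verdict = classify_from(header, address_book)[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample headers, modelled on the examples quoted in the thread.
SAMPLES = [
    '"Customer Service @Company.com" <customer.service@company.com>',
    '"legitimate@brand.com" <attacker@spoofer.com>',
    '"surveys@company.com" <company.surveys@marketing.com>',
    '"Jane Smith" <jane.smith@emailaddress.com>',
]
```

The third sample is the legitimate outsourced-sender case from the thread; it lands in the same bucket as the spoof, which is why the mismatch counts need manual review before any rejection policy is built on them.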
