[display-names] Initial Thoughts on Display Name Defenses

J. Trent Adams jtrentadams at gmail.com
Wed Mar 27 12:19:00 PDT 2013


Mike -

Gotcha, so we're narrowing the focus to those systems that automatically
manage the "contact list" on behalf of the end user. So we're probably
talking about the usual suspects: Google, AOL, Yahoo,
Hotmail/Live/Outlook.com.

... at least their webmail interfaces. What about mobile interfaces (eg.
iPhone mail) and users that plug into IMAP using a client like
Thunderbird (are they a dying breed)? And we might as well set aside
corporate systems for now anyway.

Then we return to the user experience questions. I wonder if one of us
has access to a usability lab that could be used to test the hypothesis
that users will make the right decisions.

Peeling the onion,
Trent


On 3/27/13 1:08 PM, Michael Adkins wrote:
> Users don't have to actively maintain them, they are updated
> automatically.  Last time I checked, when I worked at AOL, most legitimate
> email matched the user's address book.  At Facebook, most legitimate
> inbound email is either from an address that belongs to a connected
> Facebook account, from an address in one of the recipient's imported
> address books, or from an address that the recipient has recently replied
> to (which would add them to the address book).  It's easy enough to cover
> the high value remainder with domain reputation based whitelisting, such
> as based on the percentage of email from a given bulk or transactional
> domain that does match the recipient's address book.
>
> On 3/27/13 11:58 AM, "J. Trent Adams" <jtrentadams at gmail.com> wrote:
>
>> Mike -
>>
>> Interesting idea.
>>
>> I wonder how we could tackle usability questions around the idea. For
>> example, I wonder how many people actively maintain address books to the
>> point where this would be useful. I know that I don't (but probably
>> should).
>>
>> Another question to explore might be how to handle first-time contacts.
>> Many of us use email addresses that are pretty close to our real names,
>> but that's not always the case. Until his address is added, email from
>> legendary comic book creator Jerry Siegel might show up as
>> "mxyzptlk at earthlink.net"... which I'm not sure is a great user experience.
>>
>> From a more philosophical level, are we more likely to achieve success
>> by relying on mailbox receivers or users making the right decision about
>> what is legitimate vs. fraudulent mail? I really wish that users were
>> more reliable.
>>
>> - Trent
>>
>>
>> On 3/27/13 12:18 PM, Michael Adkins wrote:
>>> I would rather work on a broader solution than just addresses in the
>>> display name.
>>>
>>> Monica suggested something a while back that I think has potential.
>>> Basically, don't show the display name unless the From: address is in
>>> the user's address book.  Prior to DMARC, this wouldn't have been as
>>> valuable, but now that we can prevent phishers from using the exact
>>> addresses that we legitimately use this becomes a pretty good option to
>>> explore.
>>>
>>> On 3/27/13 10:13 AM, "J. Trent Adams" <jtrentadams at gmail.com> wrote:
>>>
>>>> Murray - Thanks for setting up this list.
>>>>
>>>> Display Name Defenders -
>>>>
>>>> As we know, defending against domain name abuse is a tricky subject.
>>>> It's clear that it's permissible under RFC5322 to allow arbitrary text
>>>> to be included in the "display-name" part of the "From" field.  So it's
>>>> possible (and even reasonable) to send a message like:
>>>>
>>>> -----
>>>> | To: "Jane Smith" <jane.smith at emailaddress.com>
>>>> | From: "Customer Service @Company.com" <customer.service at company.com>
>>>> -----
>>>>
>>>> Unfortunately, this also means there's nothing to stop someone from
>>>> sending a message like:
>>>>
>>>> -----
>>>> | To: "John Doe" <john.doe at emailaddress.com>
>>>> | From: "legitimate at brand.com" <attacker at spoofer.com>
>>>> -----
>>>>
>>>> Many email clients will happily display "legitimate at brand.com" as the
>>>> sender, while hiding the "address-spec" part of the "From" field.  The
>>>> result is that John Doe can be forgiven for thinking that the mail is
>>>> legitimate.
>>>>
>>>> Spoofed messages like this will look even more legitimate to the
>>>> receiver if the attacker sets up an SPF record, signs the mail using
>>>> DKIM, and publishes a DMARC record (assuming alignment with the
>>>> "spoofer.com" domain).
>>>>
>>>> I would like to explore if it would be reasonable to consider a means
>>>> by which the display-name part of the From field appears to include
>>>> what looks like an email address.  If so, there will be value comparing
>>>> it (even if only the registered domain name) to the address in the
>>>> address-spec part.  If they are not equal, the mail could be treated as
>>>> (highly) suspect, if not rejected outright.
>>>>
>>>> I'm aware that there are a number of ways by which a determined
>>>> attacker could try to fool such a system (eg. using left-to-right
>>>> overrides).
>>>> But setting that aside, and before we get too far ahead of ourselves
>>>> dreaming up solutions, I'd like to see if we could build a data-driven
>>>> analysis of usage patterns in the wild.
>>>>
>>>> For example, those who have access to a large corpus of mail could
>>>> potentially mine their data to see how often a rudimentary RegEx turns
>>>> up an email address in the display-name that doesn't match the one in
>>>> the address-spec.  Then, by evaluating those, we may be able to
>>>> determine how often such a case represents legitimate mail.  My
>>>> hypothesis is that the number of legitimate cases like this will be
>>>> very small, likely along the lines of:
>>>>
>>>> -----
>>>> | To: "Bill Jones" <bill.jones at emailaddress.com>
>>>> | From: "surveys at company.com" <company.surveys at marketing.com>
>>>> -----
>>>>
>>>> Once we have the data, though, we can build an understanding of how the
>>>> practice is used.  With that we can begin to consider possible
>>>> solutions.
>>>>
>>>> Anyway, does this approach sound like a reasonable path forward to
>>>> begin to wade into the waters?
>>>>
>>>> - Trent
>>>>
>>>>
>>>> _______________________________________________
>>>> display-names mailing list
>>>> display-names at trusteddomain.org
>>>> http://www.trusteddomain.org/mailman/listinfo/display-names

-- 
J. Trent Adams

Profile: http://www.mediaslate.org/jtrentadams/
LinkedIN: http://www.linkedin.com/in/jtrentadams
Twitter: http://twitter.com/jtrentadams
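A rudimentary version of the corpus check proposed at the start of the thread (an email-address-looking string in the display-name whose registered domain differs from the addr-spec), plus a guard for the left-to-right override evasion the same message mentions. This is an added example, not code from the thread or from any list member; the sample headers are constructed from the thread's own examples, and the registered domain is approximated as the last two labels (an assumption, since no public suffix list is used).

```python
import re
from collections import Counter
from email.utils import parseaddr

# Rudimentary pattern for something that looks like an addr-spec in the display-name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Unicode bidi embedding/override controls (the evasion mentioned in the thread).
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def registered_domain(domain: str) -> str:
    """Approximate the registered domain as the last two labels.
    Assumption: no public suffix list, so e.g. 'example.co.uk' would be wrong."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_from(header_value: str) -> str:
    """Classify a From: header value as one of:
    'unparseable', 'bidi-control', 'no-address-in-name', 'ok', 'mismatch'."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return "unparseable"
    if any(ch in BIDI_CONTROLS for ch in name):
        return "bidi-control"          # display text may render reversed; treat as suspect
    m = ADDR_RE.search(name)
    if not m:
        return "no-address-in-name"    # nothing address-like shown to the user
    shown_domain = m.group(0).split("@", 1)[1]
    real_domain = addr.rsplit("@", 1)[1]
    if registered_domain(shown_domain) == registered_domain(real_domain):
        return "ok"
    return "mismatch"                  # shown address and addr-spec disagree


def survey(headers) -> Counter:
    """Count classifications over a corpus of From: header values."""
    return Counter(classify_from(h) for h in headers)


# Constructed samples, mirroring the three header examples in the thread.
SAMPLE_FROM_HEADERS = [
    '"Customer Service @Company.com" <customer.service@company.com>',
    '"legitimate@brand.com" <attacker@spoofer.com>',
    '"surveys@company.com" <company.surveys@marketing.com>',
    '"Jane Smith" <jane.smith@emailaddress.com>',
    '"support@company.com" <noreply@mail.company.com>',
]

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{classify_from(h):20s} {h}")
    print(dict(survey(SAMPLE_FROM_HEADERS)))
```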


