[display-names] Initial Thoughts on Display Name Defenses
J. Trent Adams
jtrentadams at gmail.com
Wed Mar 27 12:22:59 PDT 2013
Dave -
On 3/27/13 1:17 PM, Dave Crocker wrote:
>
> On 3/27/2013 11:18 AM, Michael Adkins wrote:
>> I would rather work on a broader solution than just addresses in the
>> display name.
>>
>> Monica suggested something a while back that I think has potential.
>> Basically, don't show the display name unless the From: address is in
>> the
>> user's address book. Prior to DMARC, this wouldn't have been as
>> valuable,
>> but now that we can prevent phishers from using the exact addresses that
>> we legitimately use this becomes a pretty good option to explore.
>
> There are several lines of concern and protection that might be
> considered.
>
> The address book heuristic sounds promising, but will cause problems
> for messages from known-but-compromised accounts, for example. This
> just makes "compromised friends" an even more attractive attack vector.
>
> Another hack that occurs to me is to define a dmarc-ish enhancement
> that says "our address will never show up in the display name". When
> an email address is in the display name, do a dmarc-ish lookup on it
> and check for this policy...
Oooo... now that's clever! If it'd be possible to add a flag along
these lines into the DMARC record we're not asking anyone to an
additional lookup, plus it's a sender-side directive vs a global edict.
Nifty,
Trent
>
> d/
--
J. Trent Adams
Profile: http://www.mediaslate.org/jtrentadams/
LinkedIN: http://www.linkedin.com/in/jtrentadams
Twitter: http://twitter.com/jtrentadams
More information about the display-names
mailing list