[display-names] Initial Thoughts on Display Name Defenses

Michael Adkins madkins at fb.com
Wed Mar 27 13:04:38 PDT 2013


Well, we need to start with those folks, since they are the ones that have
access to data to do feasibly and effectiveness research.  But all modern
mail clients have local address books that can be managed automatically
and the ability to reference shared address books, so I'm not sure that it
necessarily precludes them altogether.

On the mobile side, I think we're actually in better shape given all the
available mechanisms to sync contacts to your phone (Facebook and Google
both sync to android, I know we sync to iOS but I'm not sure about
Google).  I think contact management and syncing services make this a more
feasible option long term.

On 3/27/13 12:19 PM, "J. Trent Adams" <jtrentadams at gmail.com> wrote:

>
>Mike -
>
>Gotcha, so we're narrowing the focus to those systems that automatically
>manage the "contact list" on behalf of the end user. So we're probably
>talking about the usual suspects: Google, AOL, Yahoo,
>Hotmail/Live/Outlook.com.
>
>... at least their webmail interfaces. What about mobile interfaces (eg.
>iPhone mail) and users that plug into IMAP using a client like
>Thunderbird (are they a dying breed)? And we might as well set aside
>corporate systems for now anyway.
>
>Then we return to the user experience questions. I wonder if one of us
>has access to a usability lab that could be used to test the hypothesis
>that users will make the right decisions.
>
>Peeling the onion,
>Trent
>
>
>On 3/27/13 1:08 PM, Michael Adkins wrote:
>> Users don't have to actively maintain them, they are updated
>> automatically.  Last time I checked, when I worked at AOL, most legitimate
>> email matched the user's address book.  At Facebook, most legitimate
>> inbound email is either from an address that belongs to a connected
>> Facebook account, from an address in one of the recipient's imported
>> address books, or from an address that the recipient has recently replied
>> to (which would add them to the address book).  It's easy enough to cover
>> the high value remainder with domain reputation based whitelisting, such
>> as based on the percentage of email from a given bulk or transactional
>> domain that does match the recipient's address book.
>>
>> On 3/27/13 11:58 AM, "J. Trent Adams" <jtrentadams at gmail.com> wrote:
>>
>>> Mike -
>>>
>>> Interesting idea.
>>>
>>> I wonder how we could tackle usability questions around the idea. For
>>> example, I wonder how many people actively maintain address books to the
>>> point where this would be useful. I know that I don't (but probably
>>> should).
>>>
>>> Another question to explore might be how to handle first-time contacts.
>>> Many of us use email addresses that are pretty close to our real names,
>>> but that's not always the case. Until his address is added, email from
>>> legendary comic book creator Jerry Siegel might show up as
>>> "mxyzptlk at earthlink.net"... which I'm not sure is a great user
>>> experience.
>>>
>>> From a more philosophical level, are we more likely to achieve success
>>> by relying on mailbox receivers or users making the right decision about
>>> what is legitimate vs. fraudulent mail? I really wish that users were
>>> more reliable.
>>>
>>> - Trent
>>>
>>>
>>> On 3/27/13 12:18 PM, Michael Adkins wrote:
>>>> I would rather work on a broader solution than just addresses in the
>>>> display name.
>>>>
>>>> Monica suggested something a while back that I think has potential.
>>>> Basically, don't show the display name unless the From: address is in the
>>>> user's address book.  Prior to DMARC, this wouldn't have been as valuable,
>>>> but now that we can prevent phishers from using the exact addresses that
>>>> we legitimately use this becomes a pretty good option to explore.
>>>>
>>>> On 3/27/13 10:13 AM, "J. Trent Adams" <jtrentadams at gmail.com> wrote:
>>>>
>>>>> Murray - Thanks for setting up this list.
>>>>>
>>>>> Display Name Defenders -
>>>>>
>>>>> As we know, defending against domain name abuse is a tricky subject.
>>>>> It's clear that it's permissible under RFC5322 to allow arbitrary text
>>>>> to be included in the "display-name" part of the "From" field.  So it's
>>>>> possible (and even reasonable) to send a message like:
>>>>>
>>>>> -----
>>>>> | To: "Jane Smith" <jane.smith at emailaddress.com>
>>>>> | From: "Customer Service @Company.com" <customer.service at company.com>
>>>>> -----
>>>>>
>>>>> Unfortunately, this also means there's nothing to stop someone from
>>>>> sending a message like:
>>>>>
>>>>> -----
>>>>> | To: "John Doe" <john.doe at emailaddress.com>
>>>>> | From: "legitimate at brand.com" <attacker at spoofer.com>
>>>>> -----
>>>>>
>>>>> Many email clients will happily display "legitimate at brand.com" as the
>>>>> sender, while hiding the "address-spec" part of the "From" field.  The
>>>>> result is that John Doe can be forgiven for thinking that the mail is
>>>>> legitimate.
>>>>>
>>>>> Spoofed messages like this will look even more legitimate to the
>>>>> receiver if the attacker sets up an SPF record, signs the mail using
>>>>> DKIM, and publishes a DMARC record (assuming alignment with the
>>>>> "spoofer.com" domain).
>>>>>
>>>>> I would like to explore if it would be reasonable to consider a means by
>>>>> which the display-name part of the From field appears to include what
>>>>> looks like an email address.  If so, there will be value comparing it
>>>>> (even if only the registered domain name) to the address in the
>>>>> address-spec part.  If they are not equal, the mail could be treated as
>>>>> (highly) suspect, if not rejected outright.
>>>>>
>>>>> I'm aware that there are a number of ways by which a determined attacker
>>>>> could try to fool such a system (eg. using left-to-right overrides).
>>>>> But setting that aside, and before we get too far ahead of ourselves
>>>>> dreaming up solutions, I'd like to see if we could build a data-driven
>>>>> analysis of usage patterns in the wild.
>>>>>
>>>>> For example, those who have access to a large corpus of mail could
>>>>> potentially mine their data to see how often a rudimentary RegEx turns
>>>>> up an email address in the display-name that doesn't match the one in
>>>>> the address-spec.  Then, by evaluating those, we may be able to
>>>>> determine how often such a case represents legitimate mail.  My
>>>>> hypothesis is that the number of legitimate cases like this will be very
>>>>> small, likely along the lines of:
>>>>>
>>>>> -----
>>>>> | To: "Bill Jones" <bill.jones at emailaddress.com>
>>>>> | From: "surveys at company.com" <company.surveys at marketing.com>
>>>>> -----
>>>>>
>>>>> Once we have the data, though, we can build an understanding of how the
>>>>> practice is used.  With that we can begin to consider possible
>>>>> solutions.
>>>>>
>>>>> Anyway, does this approach sound like a reasonable path forward to begin
>>>>> to wade into the waters?
>>>>>
>>>>> - Trent
>>>>>
>>>>> -- 
>>>>> J. Trent Adams
>>>>>
>>>>> Profile: http://www.mediaslate.org/jtrentadams/
>>>>> LinkedIN: http://www.linkedin.com/in/jtrentadams
>>>>> Twitter: http://twitter.com/jtrentadams
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> display-names mailing list
>>>>> display-names at trusteddomain.org
>>>>> http://www.trusteddomain.org/mailman/listinfo/display-names
>>> -- 
>>> J. Trent Adams
>>>
>>> Profile: http://www.mediaslate.org/jtrentadams/
>>> LinkedIN: http://www.linkedin.com/in/jtrentadams
>>> Twitter: http://twitter.com/jtrentadams
>>>
>
>-- 
>J. Trent Adams
>
>Profile: http://www.mediaslate.org/jtrentadams/
>LinkedIN: http://www.linkedin.com/in/jtrentadams
>Twitter: http://twitter.com/jtrentadams
>
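The two defenses discussed in this thread, Trent's comparison of an address-like string in the display-name against the addr-spec (at the registered-domain level) and Monica's rule of showing the display name only when the From: address is in the recipient's address book, written out as an added Python example. This is not code from the thread or from any list member's systems; the address book, the sample headers and the two-label registered-domain heuristic are constructed for illustration, and the bidi-control check is added because the thread names left-to-right overrides as a known evasion of a naive comparison.

```python
import re
from email.utils import parseaddr

# Constructed address book for the recipient; not data from the thread.
ADDRESS_BOOK = {
    "jane.smith@emailaddress.com",
    "customer.service@company.com",
}

# Rudimentary "looks like an email address" pattern, the kind of RegEx the
# thread proposes for a first pass over a mail corpus.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Unicode bidi override/embedding controls; the thread notes overrides as one
# way an attacker could try to fool a naive comparison, so flag their presence.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def registered_domain(addr):
    """Crude registered-domain heuristic: the last two DNS labels.
    A production check would consult the Public Suffix List instead
    (assumption: two labels is good enough for these examples)."""
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])


def analyze_from(header_value, address_book=ADDRESS_BOOK):
    """Return a dict describing the From: header and why it is suspect."""
    display, addr = parseaddr(header_value)
    addr = addr.lower()
    result = {
        "display_name": display,
        "addr_spec": addr,
        "in_address_book": addr in address_book,
        "verdict": "ok",
        "reasons": [],
    }
    if any(ch in BIDI_CONTROLS for ch in display):
        result["reasons"].append("bidi control character in display-name")
        result["verdict"] = "suspect"
    # Trent's check: every address-like token in the display-name must share
    # the addr-spec's registered domain, otherwise the header is suspect.
    for match in ADDRESS_RE.finditer(display):
        embedded = match.group(0).lower()
        if registered_domain(embedded) != registered_domain(addr):
            result["reasons"].append(
                "display-name address %s does not match addr-spec %s"
                % (embedded, addr))
            result["verdict"] = "suspect"
    return result


def render_sender(header_value, address_book=ADDRESS_BOOK):
    """What a client following Monica's rule would show: the display name
    only when the address is known and the header passed the checks,
    otherwise the bare addr-spec."""
    r = analyze_from(header_value, address_book)
    if r["in_address_book"] and r["verdict"] == "ok":
        return "%s <%s>" % (r["display_name"], r["addr_spec"])
    return r["addr_spec"]


if __name__ == "__main__":
    # The three From: lines from Trent's message, as constructed samples.
    for hdr in (
        '"Customer Service @Company.com" <customer.service@company.com>',
        '"legitimate@brand.com" <attacker@spoofer.com>',
        '"surveys@company.com" <company.surveys@marketing.com>',
    ):
        print(render_sender(hdr), analyze_from(hdr)["reasons"])
```

The "surveys@company.com" case is flagged just like the spoof, which is exactly the point of Trent's proposed corpus study: a mail operator would run `analyze_from` over a large sample and then examine the flagged set to learn how often a mismatch is legitimate before deciding between warning, hiding the display name, or rejecting.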