[display-names] Initial Thoughts on Display Name Defenses

Olga Gavrylyako olgag at google.com
Wed Mar 27 14:59:43 PDT 2013


The cases we mostly see in Gmail are

From: "Legitimate Brand" <attacker at spoofer.com>

or even worse:

From: "Legitimate Brand" <support at looks-like-legitimate-brand.com<attacker at spoofer.com>>

It is very hard to distinguish automatically, and we have tons of rules to
filter out these cases.
If only we could have an analog of DKIM, not per-domain but per-brand
instead... Then, if the message is signed with a brand signature, we could
surface this in the UI by adding a brand logo at the top of the message.

Olga


On Wed, Mar 27, 2013 at 12:22 PM, J. Trent Adams <jtrentadams at gmail.com> wrote:

>
> Dave -
>
> On 3/27/13 1:17 PM, Dave Crocker wrote:
> >
> > On 3/27/2013 11:18 AM, Michael Adkins wrote:
> >> I would rather work on a broader solution than just addresses in the
> >> display name.
> >>
> >> Monica suggested something a while back that I think has potential.
> >> Basically, don't show the display name unless the From: address is in
> >> the user's address book.  Prior to DMARC, this wouldn't have been as
> >> valuable, but now that we can prevent phishers from using the exact
> >> addresses that we legitimately use this becomes a pretty good option
> >> to explore.
> >
> > There are several lines of concern and protection that might be
> > considered.
> >
> > The address book heuristic sounds promising, but will cause problems
> > for messages from known-but-compromised accounts, for example.  This
> > just makes "compromised friends" an even more attractive attack vector.
> >
> > Another hack that occurs to me is to define a dmarc-ish enhancement
> > that says "our address will never show up in the display name".  When
> > an email address is in the display name, do a dmarc-ish lookup on it
> > and check for this policy...
>
> Oooo... now that's clever!  If it'd be possible to add a flag along
> these lines into the DMARC record we're not asking anyone to do an
> additional lookup, plus it's a sender-side directive vs a global edict.
>
> Nifty,
> Trent
>
> >
> > d/
>
> --
> J. Trent Adams
>
> Profile: http://www.mediaslate.org/jtrentadams/
> LinkedIN: http://www.linkedin.com/in/jtrentadams
> Twitter: http://twitter.com/jtrentadams
>
> _______________________________________________
> display-names mailing list
> display-names at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/display-names
>
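
A sketch of the two receiver-side heuristics raised in this thread: flag an address embedded in the display name that differs from the real From: address, and hide the display name unless the sender is in the user's address book. This is an added example, not code from any list participant or from Gmail; the function name, reason strings, address book and sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Finds an addr-spec-like token inside a display name.
EMBEDDED_ADDR = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)

def render_sender(from_header, address_book):
    """Decide what sender text a mail UI should show.

    address_book is a set of lower-cased addresses (assumed input).
    Returns (text_to_show, reasons); the display name is shown only
    when reasons is empty.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "(unparseable sender)", ["unparseable-from"]

    reasons = []
    # Heuristic 1: the display name carries an address that is not
    # the address the message actually claims to come from.
    for match in EMBEDDED_ADDR.finditer(display):
        if match.group(0).lower() != addr:
            reasons.append("display-name-address-mismatch")
            break
    # Heuristic 2: show the display name only for known senders.
    # A compromised account that is in the address book still passes
    # this check, as noted in the thread.
    if addr not in address_book:
        reasons.append("sender-not-in-address-book")

    if display and not reasons:
        return f"{display} <{addr}>", reasons
    return addr, reasons

if __name__ == "__main__":
    book = {"alice@example.org"}  # constructed address book
    samples = [  # constructed From: header values
        '"Legitimate Brand" <attacker@spoofer.com>',
        '"Legitimate Brand <support@looks-like-legitimate-brand.com>"'
        ' <attacker@spoofer.com>',
        '"Alice Example" <alice@example.org>',
    ]
    for value in samples:
        print(render_sender(value, book))
```
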