[display-names] Initial Thoughts on Display Name Defenses

Michael Adkins madkins at fb.com
Wed Mar 27 15:21:56 PDT 2013


Have you thought about how you would manage the logos at scale?  It seems like an attacker could substitute a legitimate brand's logo for their own, and still impersonate them, unless the logos themselves were under some sort of review or control, or there was a trust system being leveraged to determine what brands qualified.

From: Olga Gavrylyako <olgag at google.com>
Date: Wednesday, March 27, 2013 2:59 PM
To: "J. Trent Adams" <jtrentadams at gmail.com>
Cc: "display-names at trusteddomain.org" <display-names at trusteddomain.org>, "dcrocker at bbiw.net" <dcrocker at bbiw.net>
Subject: Re: [display-names] Initial Thoughts on Display Name Defenses

The cases we mostly see in Gmail are

From: "Legitimate Brand" <attacker at spoofer.com>

or even worse:

From: "Legitimate Brand" <support at looks-like-legitimate-brand.com>

It is very hard to distinguish automatically and we have tons of rules to filter out these cases.
If we could have an analog of DKIM, not per domain but per brand instead... And next, if the message is signed with the brand signature, we could surface this in the UI by adding some brand logo at the top of the message.

Olga


On Wed, Mar 27, 2013 at 12:22 PM, J. Trent Adams <jtrentadams at gmail.com> wrote:

Dave -

On 3/27/13 1:17 PM, Dave Crocker wrote:
>
> On 3/27/2013 11:18 AM, Michael Adkins wrote:
>> I would rather work on a broader solution than just addresses in the
>> display name.
>>
>> Monica suggested something a while back that I think has potential.
>> Basically, don't show the display name unless the From: address is in
>> the user's address book.  Prior to DMARC, this wouldn't have been as
>> valuable, but now that we can prevent phishers from using the exact
>> addresses that we legitimately use this becomes a pretty good option
>> to explore.
>
> There are several lines of concern and protection that might be
> considered.
>
> The address book heuristic sounds promising, but will cause problems
> for messages from known-but-compromised accounts, for example.  This
> just makes "compromised friends" an even more attractive attack vector.
>
> Another hack that occurs to me is to define a dmarc-ish enhancement
> that says "our address will never show up in the display name".  When
> an email address is in the display name, do a dmarc-ish lookup on it
> and check for this policy...

Oooo... now that's clever!  If it'd be possible to add a flag along
these lines into the DMARC record we're not asking anyone to do an
additional lookup, plus it's a sender-side directive vs a global edict.

Nifty,
Trent

>
> d/

--
J. Trent Adams

Profile: http://www.mediaslate.org/jtrentadams/
LinkedIn: http://www.linkedin.com/in/jtrentadams
Twitter: http://twitter.com/jtrentadams
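
An added sketch, not part of the thread and not any participant's code, of the two client-side heuristics discussed above: hide the display name unless the From: address is in the user's address book, and flag a display name that itself contains an email address. The function name `render_from`, the address book and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Address-like token inside a display name, e.g. "support@brand.example".
ADDR_IN_NAME = re.compile(r"[\w.%+-]+@[\w-]+(?:\.[\w-]+)+")


def render_from(from_header, address_book):
    """Decide what a mail client shows for one From: header value.

    Returns (text_to_show, reasons); an empty reasons list means the
    display name was judged safe to show.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return from_header.strip(), ["unparseable From: header"]

    reasons = []
    # Heuristic 1: an address in the display name that differs from the
    # real sender address misleads the reader about who sent the message.
    for token in ADDR_IN_NAME.findall(name):
        if token.lower() != addr:
            reasons.append("display name contains another address: " + token)
    # Heuristic 2: only trust the display name for known correspondents.
    # Caveat from the thread: a compromised account that is already in
    # the address book still passes this check.
    if addr not in address_book:
        reasons.append("sender not in address book")

    if reasons or not name:
        return addr, reasons
    return "%s <%s>" % (name, addr), reasons


# Constructed sample data (not taken from real mail).
ADDRESS_BOOK = {"alice@friend.example"}
SAMPLES = [
    '"Alice" <alice@friend.example>',
    '"Legitimate Brand" <attacker@spoofer.example>',
    '"support@brand.example" <attacker@spoofer.example>',
    '"ceo@brand.example" <alice@friend.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        shown, why = render_from(header, ADDRESS_BOOK)
        print("%-55s -> %-28s %s" % (header, shown, why))
```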
