spamassassin-users mailing list archives

From Charles Sprickman <sp...@bway.net>
Subject Re: New whitelisting trick using from and spf
Date Mon, 06 Mar 2017 22:52:41 GMT

> On Mar 6, 2017, at 12:58 PM, David B Funk <dbfunk@engineering.uiowa.edu> wrote:
> 
> On Mon, 6 Mar 2017, Alan Hodgson wrote:
> 
>>> It seems it should be easy to setup “If mail claims to be From: PayPal.com
>>> and is not from PayPal, score +100” but it is not.
>> 
>> This is what DMARC is for.
>> 
>> Run opendmarc as a milter and reject failures. Or score later on DMARC
>> failure, even if just selectively for highly phished domains.
>> 
>> PayPal publishes p=reject, on paypal.com at least, if not their other domains.
> 
> But that won't help you when the scammers set the user visible from as "account@PayPaI.com"
> or some other variant (with the actual address part as <account@example.com> or something
> else).
> 
> user-agents (such as OutHouse) by default only show the "comment" part of the address
> and hide the actual <> address part, making it easy for scammers to fool the non-tech
> savvy users.

And OS-X Mail.app in some configurations, and iOS Mail.

They all fail not just for making phishing so much easier, but get on the phone with a novice
user using any of these email clients and ask them to give you the actual email address of
a sender, especially when they have, for example, two people named “John Smith” emailing
them…  It’s a terrible, terrible idea to hide things to make email easier.

Charles


> 
> -- 
> Dave Funk                                  University of Iowa
> <dbfunk (at) engineering.uiowa.edu>        College of Engineering
> 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
> Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{
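The gap David points out is that DMARC authenticates the domain of the addr-spec (the part inside the angle brackets), while the lookalike lives in the display name that mail clients show instead. The check below is an added example written for this thread, not code from the list, from SpamAssassin or from opendmarc, and it is in Python rather than a SpamAssassin rule so it can be run stand-alone. It decodes the From: header, extracts anything domain-shaped from the display name, folds a few ASCII lookalikes (the capital I in "PayPaI.com", digit 1, digit 0, pipe), and flags the message when the folded name is a protected domain but the addr-spec domain is not. The protected-domain set, the lookalike table and the sample headers are all constructed for the example.

```python
import email.header
import email.utils
import re
import unicodedata

# Domains whose brand we want to protect in the display name.
# Constructed for this example; in practice this comes from local policy.
PROTECTED_DOMAINS = {"paypal.com"}

# Small table of ASCII lookalikes that survive a glance in a mail client:
# capital I, digit 1 and pipe for lowercase l, digit 0 for letter o.
# An assumption for the example; a real deployment would use a fuller
# confusables table.
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Anything domain-shaped inside the display name, e.g. "PayPaI.com" or the
# domain half of "account@PayPaI.com" ('@' is not in the class, so only the
# domain half matches).
DOMAIN_LIKE = re.compile(r"[\w|.-]+\.[A-Za-z]{2,}")


def decode_header_value(raw):
    """Decode RFC 2047 encoded words so a lookalike cannot hide behind =?...?=."""
    parts = []
    for chunk, charset in email.header.decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def normalize_domain(token):
    """Fold a domain-shaped token to the form a reader would mistake it for."""
    token = unicodedata.normalize("NFKC", token)   # fullwidth/compat forms
    token = token.translate(LOOKALIKES)           # I -> l, 1 -> l, 0 -> o, ...
    return token.lower().strip(".")


def domain_matches(actual, protected):
    """True if the addr-spec domain is the protected domain or a subdomain of it."""
    return actual == protected or actual.endswith("." + protected)


def check_from_header(from_header):
    """Return (verdict, reason) for the raw value of a From: header.

    DMARC covers the addr-spec domain; this looks at the other half: a
    display name that names a protected domain while the addr-spec lives
    somewhere else.
    """
    display_name, addr = email.utils.parseaddr(decode_header_value(from_header))
    if "@" not in addr:
        return ("unparseable", "no addr-spec in From header")
    actual_domain = addr.rpartition("@")[2].lower()
    for token in DOMAIN_LIKE.findall(display_name):
        claimed = normalize_domain(token)
        for protected in PROTECTED_DOMAINS:
            if claimed == protected and not domain_matches(actual_domain, protected):
                return ("suspect",
                        f"display name shows {token!r} (reads as {claimed}) "
                        f"but address domain is {actual_domain}")
    return ("ok", "")


if __name__ == "__main__":
    # Constructed sample headers in the shape David describes.
    SAMPLES = [
        '"account@PayPaI.com" <account@example.com>',   # capital I for l
        '"PayPa1.com Support" <help@example.net>',      # digit 1 for l
        '=?utf-8?q?PayPa1=2Ecom?= <help@example.net>',  # same, inside an encoded word
        '"PayPal.com" <service@paypal.com>',            # genuine
        '"PayPal.com" <notify@mail.paypal.com>',        # genuine subdomain
        'John Smith <john@example.org>',
    ]
    for sample in SAMPLES:
        verdict, reason = check_from_header(sample)
        print(f"{verdict:<11} {sample}  {reason}")
```

This belongs beside DMARC, not instead of it: a "suspect" verdict is a scoring signal (the display name can legitimately mention a brand in newsletters and forwarding), whereas a DMARC failure on a p=reject domain is grounds for rejection on its own.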
