wayne at schlitt.net
Tue Nov 1 11:07:54 PST 2005
In <0AEB18845270404F88B2503180D4586908FD4753 at DEN-EXM-01.corp.ebay.com> "Edberg, Jeremy" <jedberg at ebay.com> writes:
> Another related attack that I did not see mentioned in the threat
> analysis is what we call the "pretty from" attack. Most popular email
> clients display the arbitrary text in the From header as the display
> name, if there is one. For example, if the from header were 'From
> "aw-confirm at ebay.com" <badguy at badguy.com>', the client would show
> "aw-confirm at ebay.com" as the from address.
A variation on this is:
From: "aw-confirm at ebay.com" <badguy at badguy.com>', " On Behalf of " <aw-confirm at ebay.com>
DKIM (like SenderID) only validates the first email address on the
From: line. The rest of the From: line can be used to help confuse
the situation. Of course, the bad actor won't pick such an obvious
name as "badguy at badguy.com".
Stopping phishing is a hard problem. I know of no email
authentication system that I think can really do a very good job of
even slowing it down. This is really something that MUAs will have to
deal with, and any of the email authentication systems can be used to
help out MUAs in this area.
More information about the ietf-dkim