[Mailman-Developers] Thinking about list footers

Richard Damon Richard at Damon-Family.org
Wed Jun 4 14:11:52 CEST 2014


On 6/4/14, 4:23 AM, Stephen J. Turnbull wrote:
> Murray S. Kucherawy writes:
>
>  > We didn't intend for this to be used by MUAs, however, so to some degree
>  > they're doing what we expected.
>
> I know, but I think it's time for the IETF to recognize that email
> fraud cannot be fought if the receiving end of "end-to-end" doesn't go
> all the way through the eyeballs, optic nerve, and into the wetware.
> (Maybe we need an April 1 RFC for neural transport of IP packets
> first?)
Yes, the only way to truly fight phish is to at least somewhat
standardize parts of how a MUA displays some stuff to the user.

There are some domains (like banks but NOT Yahoo and AOL) for whose email it is
important to verify the identity of the sender, who should have some form of
certificate that shows they have been verified by a trusted 3rd party
(like HTTPS certs). The 3rd party verification keeps phishers from using
minor misspellings to fake these domains.

For other domains, perhaps an SPF-like method on a per-mailbox basis
(this could be used by Yahoo and the like). A person joins a mailing
list, the list sends a request to a mailbox indicated to get added as an
authorized sender (which then somehow verifies with the user). Receiver
gets an email from an unspecified source, marks it as suspicious or blocks
it totally. This would impact programs like Mailman, as if the user's
domain uses such a protection, another step needs to be added to the
subscription process to get the user authorized to send to the list.

This should pretty much get rid of most phish-type messages, except
those sent by a user's compromised machine, and that is something that the
email standards really can't help with (how can you expect an email
standard to distinguish between email from a program on my machine that
I told it to send, and email from possibly the same program that some
attacking program told it to send?)
>
>  > I'm trying to figure out if that would be useful at all, but it
>  > sounds like MUAs are the showstopper there.
>
> I sure don't want to give up!  Some huge fraction of users must use
> GMail, Yahoo! mail, AOL, Hotmail, or Outlook for their MUAs.  And that
> should cover the vast majority of "Most Likely to Fall for a Phishing
> Attack" users.  Not that "vast majority" is anything to write home to
> mother about, but it's a very good start.  With Comcast and a couple
> of others taking potshots at Yahoo!, I'd think the big ESPs are
> probably ready to take MUA improvement seriously.  (Starting with
> protecting addressbooks, of course, but HCI stuff too I hope.)
>
> Where is Dave Hayes when we so desperately need his AI newsreader?
>
> Steve
>


-- 
Richard Damon


