Post by Steve Atkins Post by Dotzero Post by Steve Atkins Post by Dotzero
I think it would be interesting to see a project that examines
phishing/malware emails to determine whether email authentication
(DMARC/SPF/DKIM) or other practices would have prevented the malicious
email from reaching endusers.
I did that briefly, looking at both phishing attempts for, and legitimate mail from
one particular company, as seen at my ix.
The results were not what people wanted to hear, so I didn't bother digging
deeper or formalizing the results.
ADSP was an experiment gone wrong.
But its effectiveness at stopping phishing is pretty much the same as DMARC,
so the experience is somewhat relevant.
Assertion without facts in evidence, especially when considering false
positive rates. The other factor being that ADSP never garnered much
adoption on the mailbox provider side.
Post by Steve Atkins Post by Dotzero Post by Steve Atkins
Unless you're in academia, where you justify your existence by publishing
papers, there doesn't seem much benefit to doing research that won't affect
It isn't always easy to determine what will affect behavior.
It's not, no. But you need to consider that when deciding whether to expend
energy and time on research, with no particular goal and no funding.
Post by Dotzero Post by Steve Atkins
An end goal beyond the (perfectly reasonable) "it'd be interesting" seems
like something to consider.
The obvious goal would be to determine whether domains such as those
belonging to banks would afford endusers some modicum of protection by
adopting the combination of DMARC/DKIM/SPF. I've seen very positive
results for the domains I have implemented DMARC p=reject for.
Unfortunately there aren't many case studies out there for people to
Could you share those positive results? Actually, more importantly than
the actual results is what you decided to measure, and why.
I have shared those results at MAAWG, OTA, ISOI and other closed
forums. I'm not in a position to make them public without sign off
from my management - not in the cards because it involves disclosing
some details which are considered sensitive.
Knowing you personally I'll reach out to you out-of-band.
As far as the metrics measured, we look at number of direct domain
attacks (abusive mail claiming to be from one of our domains),
(estimated) volume per attack, volume per attack dropped at domains
providing rua and/or ruf reports, volume of submissions/user complaints
to our customer service or security teams, (estimated) volume to
mailbox providers not validating DMARC.
We also look at/model attacks abusing our domains/brands that are not
direct domain abuse. This would include attacks where some other From
email address is used but the display name abuses our domain/brand,
attacks where the abusive content is only in the body of the message,
Post by Steve Atkins Post by Dotzero
Having said this, DMARC only addresses specific kinds of abuse.
Defining what those specific kinds are would be part of deciding
what to measure, I guess.
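The rua-based numbers discussed in the thread (volume per direct-domain attack, and how much of it was dropped at receivers that send aggregate reports) can be pulled out of the reports themselves. The following is an added example, not code from anyone in the thread: a small Python parser over a constructed DMARC aggregate report in the RFC 7489 XML shape, where the domain, source IPs and counts are made up.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report XML shape; the domain,
# source IPs and counts are made up for illustration.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>bank.example</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>5000</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>bank.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>1200</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>bank.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.44</source_ip><count>300</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>bank.example</header_from></identifiers></record>
</feedback>"""

def summarize_rua(xml_text):
    """Tally one aggregate report into per-domain attack volume.

    A row is a direct-domain attack when neither aligned DKIM nor aligned SPF
    passed; 'dropped' is the share of that which the reporting receiver
    rejected or quarantined (its policy_evaluated disposition). A failing row
    with disposition 'none' is abuse that still reached users at that receiver."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "total": 0, "failed": 0, "dropped": 0,
               "by_disposition": Counter(), "failing_sources": Counter()}
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        disposition = pe.findtext("disposition")
        summary["total"] += count
        summary["by_disposition"][disposition] += count
        if pe.findtext("dkim") != "pass" and pe.findtext("spf") != "pass":
            summary["failed"] += count
            summary["failing_sources"][row.findtext("source_ip")] += count
            if disposition in ("reject", "quarantine"):
                summary["dropped"] += count
    return summary

if __name__ == "__main__":
    s = summarize_rua(SAMPLE_RUA)
    print(f"{s['domain']}: {s['failed']} of {s['total']} messages failed DMARC, "
          f"{s['dropped']} dropped at this receiver; top failing sources: "
          f"{s['failing_sources'].most_common(3)}")
```

Run over a day's worth of real rua reports, the same tally per source IP is what separates one attack campaign from another and shows which receivers are enforcing the published policy.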