[Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

Stephen J. Turnbull stephen at xemacs.org
Tue May 6 07:15:27 CEST 2014

Peter Shute writes:
 > > On 5 May 2014, at 4:59 pm, "Stephen J. Turnbull" <stephen at xemacs.org> wrote:

 > > them.  But when you (FVO "you" susceptible to phishing in the first

 > Sorry, what does FVO stand for?

Ah, excuse my abbreviations.  FVO = "for values of"; the intended
implication is that the "you" reading my post isn't the kind of "you"
who gets taken in by phishing emails.

 > >    All of our mail to you have come back to us due to DMARC rejects,
 > >    so we need to use this unusual address.
 > > 
 > >    Please confirm your blah-blah-blah by clicking <here> and logging
 > >    in to our secure site.
 > > 
 > > 2% of AOL customers will respond by clicking, at last report. :-(
 > They get a warning? I thought it just bounced, and the intended
 > recipient never knew.

No, the point is that a phishing mail with

    From: Chase Bank Customer Service <service at chase.com.invalid>

will sail right past DMARC, as currently set up.  In the message, the
complaint about the "DMARC rejects" was written by the phisherman, and
the strange address is explained by that preamble.  Thus reassured,
the victim then clicks.  Don't ask me to explain why they do that, I
don't really understand (I'm almost tempted to quote Niven and
Pournelle, "think of it as evolution in action"), but it's an
empirical fact that real people lose real money to these scams ("2% of
AOLers" click, according to AOL).

Now, it's *possible* that ".invalid" will trigger the latent common
sense in the 2%.  But I think that pretty unlikely to be completely
effective, and I suspect it won't be effective at all in the presence
of a disclaimer about the "unusual" address.  If ".invalid" can't
get by the victim's common sense, ".REMOVE-THIS" etc probably will.

The thing is that a bit of common sense will save you from any of
these scams.  But that's not enough to create good policies, because
it's very hard is to think of all the ways to abuse a very naive
victim, or a very young one, or an elderly one who's lost a step
mentally -- it takes a devious mind just to think of one!


More information about the Mailman-Users mailing list