BLOG

DMARC doesn’t fix Phishing

June 16, 2017 by in Industry

Not a new thing, but a nice example just popped up in my inbox on my phone.

 

But FedEx solved their entire phishing problem when they published a strict p=reject DMARC record, right?

This didn’t come from fedex.com. It came from another domain that looks vaguely like fedex.com – what that domain is doesn’t matter, as the domain it’s sent from isn’t displayed to the user on my phone mail client. Nor is it displayed to the user by Mail.app on my desktop, unless you turn off Mail → Preferences … → Viewing → Use Smart Addresses.

That lookalike domain could pass SPF, it could be used as d= in DKIM signing, it could even be set up with DMARC p=reject. And the mail is pixel identical to real mail from fedex.com.

On my desktop client I can hover over the link and notice it looks suspicious – but it’s no more suspicious looking than a typical ESP link-tracking URL. And on mobile I don’t even get to do that.

SPF and DKIM and DMARC can temporarily inconvenience phishers to the extent that they have to change the domain they’re sending from, but it’ll have no effect on the vulnerability of most of your audience to being phished using your brand.

1 comment

  1. David says

    The phishing email surely had a better DMARC score than authentic Fedex shipping notifications. Their DKIM has been broken for over a year:

    Received: from mta.message.fedex.com (mta.message.fedex.com [136.147.178.149])
    by (envelope-from )
    (8.15.2/8.15.2) with ESMTPS id
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
    for ; Mon, 22 May 2017 15:08:45 -0400

    Authentication-Results: ;
    dkim=fail reason=”signature verification failed” (1024-bit key) header.d=fedex.com header.i=@fedex.com header.b=ZxmwEo52

    Thank you for the tip on Outlook settings. I loath Outlook but am force to use it at work.

    June 18, 2017, 11:10 am

Comment:

Your email address will not be published. Required fields are marked *

Permission trumps good metricsThe cycle goes on

  • RR FBL: it's officially dead

    The Roadrunner Postmaster page says the FBL is deactivated.No Comments

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments

  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment

Archives