There are a lot of folks in the email industry who take issue with my stance that DMARC is not a viable solution to phishing. DMARC, at its absolute best, addresses one tiny, TINY piece of phishing.

Look at this message I received today. My mail client presents it as from Quickbooks and hides the actual From email address from me. Most mail clients do that by default. It is possible to change this in some clients, like desktop Mail.app, but a lot of clients simply take the choice away from the user.

Screenshot of a phishing email claiming to be from Quickbooks taken from the iPhone email application.

Mail clients are the biggest barrier to stopping phishing. As long as they hide the actual email address, users will be unable to tell when a message is actually phishing.
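To make the point concrete, here is an added example (not code from the original post) that splits a From: header into the display name a client shows and the address it hides, then flags a display name that claims a brand whose real sending domain does not match. The brand table, the sample headers and the domains in them are constructed for illustration; it also handles the long-subdomain trick (bigbank.com.a.b.c.d.e.evil.wtf) raised in the comments.

```python
from email.utils import parseaddr

# Constructed sample From: headers (not from the original post). The first two
# rely on the display name hiding the real address; the second also hides the
# controlling domain behind a long chain of lookalike subdomains.
SAMPLE_FROM_HEADERS = [
    "Quickbooks <billing@invoice-notice-4471.example>",
    "Big Bank Alerts <alerts@bigbank.com.a.b.c.d.e.evil.wtf>",
    "QuickBooks <no-reply@intuit.example>",
]

# Hypothetical table of brands and the domains they really send from; a real
# deployment would maintain its own list. These domains are placeholders.
KNOWN_BRANDS = {
    "quickbooks": {"intuit.example"},
    "big bank": {"bigbank.com"},
}


def registrable_domain(host: str) -> str:
    """Reduce a mail domain to the part that says who controls it.

    Only the right-most labels matter: bigbank.com.a.b.c.d.e.evil.wtf belongs
    to whoever owns evil.wtf. Keeping the last two labels is a simplification
    (no public-suffix list) but enough to show the idea.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_from(header_value: str) -> dict:
    """Return what the client shows (display name), what it hides (address),
    the controlling domain, and a verdict on brand impersonation."""
    display_name, address = parseaddr(header_value)
    org_domain = registrable_domain(address.rpartition("@")[2])
    claimed = [b for b in KNOWN_BRANDS if b in display_name.lower()]
    if not claimed:
        verdict = "unknown brand"
    elif org_domain in KNOWN_BRANDS[claimed[0]]:
        verdict = "ok"
    else:
        verdict = "impersonation"
    return {"display_name": display_name, "address": address,
            "org_domain": org_domain, "verdict": verdict}


def analyze_all(headers=SAMPLE_FROM_HEADERS) -> list:
    """Run analyze_from over a batch of From: header values."""
    return [analyze_from(h) for h in headers]
```

Run `analyze_all()` to see, for each sample, the name a user would be shown next to the address and organizational domain the client would have hidden.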

  • Showing the address helps, but not very much. Partly that’s because it’s easy to fake out with domain names like bigbank.com.a.b.c.d.e.evil.wtf, but more it’s that most people aren’t very good at recognizing fakes.
    I expect the end game will be something like making the only way to get to your online bank account be via the app the bank provides.

  • I do what I can to fight cousin domains, but marketing and security seem antithetical all too often. Oddly, the argument that works the best is “you’re training your customers to be victims.”

    And, yeah, it’s often hard to see the cousin domain even when you’re looking and know what you’re looking for. The obvious thing is inbox trust indicators. But there was that experiment reported to a private group a few years ago that showed inbox indicators don’t work. OTOH, I saw an abstract where a researcher demonstrated inbox trust indicators do work, but I haven’t seen the whole talk / research report.

    It’s not an easy question and it’s not like I have all the answers. And any effective solution is going to involve multiple layers of defenses.

