On 9/13/2014 1:09 PM, John C Klensin wrote:
>> For that second one, remember that a lot of MUAs only show the
>> comment on the From: line, not the address.
> I've often wondered how many successful phishing attacks we
> could stop by issuing a "best practices" statement pointing out
> the risks and difficulties associated with that
> address-suppression practice.

Like most user interface ideas, it's an entirely reasonable line of inquiry.

However based on the experience of 'usable security' folks, there's also quite a bit of evidence that it would make no meaningful difference.

The best model to invoke, with respect to the idea of recruiting end users to be active participants in abuse detection or prevention is mostly: Don't.

That's a reality that tends to be rejected or ignored around the IETF, so it would be quite nice to see proposals offer an empirical basis for expecting efficacy.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net