On Tuesday, December 27, 2016 7:14 AM, Dave Crocker wrote:
> On 12/26/2016 6:03 PM, Christian Huitema wrote:
>> But your mail and many comments on this list point to the huge
>> responsibility of the MUA with respect to phishing. Phishing is about
>> duping the user by displaying misleading information. The effective
>> defenses have to rely on proper user interface design,
>
> Unfortunately, this is mostly /not/ true.
>
> The actual experience, both in field work and usability research, is
> that UI design does not affect user processing of phishing very much.
> Neither design nor user training have much effect.
>
> Hence most effective phishing protection is in the filtering engine(s)
> below the UI.

We actually agree. In my mind, I was not thinking of UI as the arrangement of displayed pixels, but rather the intelligent selection of which information to present and what interactions to design. Without this local intelligence, MUAs are not likely to handle the example that Viktor gave, "Joe Banker <joe@bank.notbank.example>". Among other examples.

My point is that this intelligent filtering benefits from information about the user context, such as what bank the user normally deals with. That kind of information might be available in the user context, but is normally not available to the mail delivery system.

-- Christian Huitema
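
The context-aware check discussed in the message above, sketched as an added example that is not part of the original thread or any participant's code. It assumes the MUA keeps a local list of the institutions the user really deals with; `USER_CONTEXT` and `classify_sender` are hypothetical names, and the domains are constructed sample values.

```python
from email.utils import parseaddr

# Constructed user context (assumption): the genuine mail domain of each
# institution this user deals with, plus words that identify it.
USER_CONTEXT = {"bank.example": {"bank"}}


def classify_sender(from_header, context=USER_CONTEXT):
    """Classify a From: header value as 'known', 'lookalike' or 'unknown'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unknown"

    # Known: the sender domain is the institution's domain or a subdomain of it.
    # The comparison is right-anchored, so "bank.notbank.example" does not match.
    for known in context:
        if domain == known or domain.endswith("." + known):
            return "known"

    # Lookalike: an identifying word shows up as a whole domain label or in the
    # display name, yet the domain does not belong to that institution.
    labels = set(domain.split("."))
    shown = display.lower()
    for words in context.values():
        if labels & words or any(w in shown for w in words):
            return "lookalike"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, including the example quoted in the thread.
    for header in (
        "Joe Banker <joe@bank.notbank.example>",
        "Joe Banker <joe@bank.example>",
        "Alice <alice@other.example>",
    ):
        print(f"{classify_sender(header):9}  {header}")
```

A delivery-side filter has no equivalent of `USER_CONTEXT` for each recipient, which is why this check sits in the MUA.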