Ask HN: How the hell haven't we solved phishing emails yet?

7•mdni007•8mo ago

How is it possible that in 2025 with all the amazing advancements in AI, I am still getting phishing emails? Emails attempting to look as if its coming from Coinbase, or some stock broker, or bank, or even UPS/USPS/FEDEX? These emails dont look even remotely legit so how do they manage to pass through? Even the email addresses are from some completely different domain. I am using Outlook and Gmail. How/why have they not figured this out already? Even ignoring AI, I don't know much about email but why isn't there something like a CA for email?

Comments

toomuchtodo•8mo ago

We have DMARC, DKIM, and SPF [1], and while this provides some signal with regards to mail origination, it falls flat when emails are being sent from Gmail, Yahoo, and other large service providers. This is why email security gateways exist, to wrap stronger security controls around inbound email. This might be email content classification and heuristics, this might be replacing links with control middleware to scan and detonate malware or other exfiltration code and prevent clickers from clicking, etc. None of these mitigations will be perfect though, they will each have some degree of failure or miss.

> Even ignoring AI, I don't know much about email but why isn't there something like a CA for email?

Is there demand for this? Would users pay for it? Or would they tolerate the existing experience with whatever does or does not end of in their Spam folder? The options here are to pick an email provider based on what they can offer from an email protection perspective, or wiring up your own defenses using something that can read your inbox and action emails within it (if your email provider's solution is lacking).

[1] https://www.cloudflare.com/learning/email-security/dmarc-dki...

gogurt2000•8mo ago

Huh. In 20 years of using gmail I can't remember ever seeing a phishing email in my inbox (they're all filtered out as spam so I never see them). I'm curious what's led to our different experiences.

mdni007•8mo ago

I've used the same email since I was a kid and gave my email to any website that would ask for it without a thought. So now I'm facing the consequences. My email is just my name (which is very common) so I'm fortunate to have it and never wanted to make a new one.

cookiengineer•8mo ago

Microsoft has paid customers, which send emails via Microsoft Azure hosts. So they're specifically allowlisted and are bypassing Microsoft O365 filters.

Same for Google Business customers.

Phishers pay to send the emails. You don't pay to receive no email. So that's the conflict of interest of these businesses.

The "CA" for email is basically SPF/DKIM/DMARC as extensions but they're kind of useless because all email providers are lying about quarantine mechanisms anyways. Nothing happens if you report an abuse of spam policies.

But I'm kind of biased because I maintain my own antispam repository [1].

Most of the professional phishing campaigns use e.g. cloned websites under a different top level domain (like company-global.com or company-eu.com), with even legit looking profiles on LinkedIn which are even LLM controlled in their responses. They use pictures and sometimes even identities of real people, and the humans usually don't know about anything that's happening online with their identity in their name.

[1] https://github.com/cookiengineer/antispam

mdni007•8mo ago

> Phishers pay to send the emails. You don't pay to receive no email. So that's the conflict of interest of these businesses.

> The "CA" for email is basically SPF/DKIM/DMARC as extensions but they're kind of useless because all email providers are lying about quarantine mechanisms anyways. Nothing happens if you report an abuse of spam policies.

So it sounds like these email providers simply won't do anything since they're not being paid or forced to do so. I don't understand why there isnt any push from financial institutions? Since access to their customer's accounts is usually the end goal for these phishing emails.

Or maybe the FTC/FCC should step in. Or some legislation is needed to enforce this.

chrisjj•8mo ago

Simple. There's no money to be made from fixing it.

LLMs are powerful, but enterprises are deterministic by nature

Ask HN: Anyone Using a Mac Studio for Local AI/LLM?

Ask HN: Ideas for small ways to make the world a better place

Ask HN: Non AI-obsessed tech forums

Ask HN: 10 months since the Llama-4 release: what happened to Meta AI?

Ask HN: Non-profit, volunteers run org needs CRM. Is Odoo Community a good sol.?

Ask HN: Who wants to be hired? (February 2026)

Ask HN: Who is hiring? (February 2026)

AI Regex Scientist: A self-improving regex solver

Tell HN: Another round of Zendesk email spam

Ask HN: Is Connecting via SSH Risky?

Ask HN: Has your whole engineering team gone big into AI coding? How's it going?

Ask HN: Why LLM providers sell access instead of consulting services?

Ask HN: What is the most complicated Algorithm you came up with yourself?

Ask HN: How does ChatGPT decide which websites to recommend?

Ask HN: Is it just me or are most businesses insane?

Ask HN: Mem0 stores memories, but doesn't learn user patterns

Ask HN: Any International Job Boards for International Workers?

Ask HN: Is there anyone here who still uses slide rules?

Kernighan on Programming

Ask HN: Anyone Seeing YT ads related to chats on ChatGPT?

Ask HN: Does global decoupling from the USA signal comeback of the desktop app?

We built a serverless GPU inference platform with predictable latency

Ask HN: Does a good "read it later" app exist?

Ask HN: How Did You Validate?

Ask HN: Have you been fired because of AI?

Ask HN: Cheap laptop for Linux without GUI (for writing)

Ask HN: Anyone have a "sovereign" solution for phone calls?

Test management tools for automation heavy teams

Ask HN: OpenClaw users, what is your token spend?