On Nov 9, 2006, at 4:33 AM, Charles Lindsey wrote:
On Wed, 08 Nov 2006 16:43:58 -0000, Steve Atkins
On Nov 8, 2006, at 8:10 AM, Scott Kitterman wrote:
I agree that this does not help with look-alike domains, but for
that uses a sender's domain, I'm not sure what you are getting at?
You point out the underlying issue nicely.
Well at least it is a start to force the phishers into using look-
No, it isn't. There is no way in which SSP makes this better.
Depending on how it's implemented by recipients there are ways
in which it makes it worse.
Phishing doesn't have to use the real domain. There are *countless*
ways of phishing that don't require it. Even now, a lot of phish
don't bother using the real domain, even though there's no real
disincentive to do so in most cases. If there were even a minor
disincentive then they could move away from that today with
Many of them use their own domains, for which they could trivially
publish SSP data.
Which is where we need sites on which "reputations" can be queried.
I envisage these will operate rather like the present DNSBL
blacklists. You choose such a site that you trust, and then ask its
advice on the action you should take according to the signer, From
address, etc. I would suppose that phishers' own domains would
rapidly acquire a rather poor reputation (and the advice should be
to "delete all mail where the signature succeeds, and even where it
If you need an external trust model to tell you whether you should
trust SSP, then you can simply use just the external model and
avoid the whole self-publication thing altogether.
Then whence SSP?
(And, more to the point, if we all agree that SSP is pointless
without a third party trust model then the SSP specification is
neither complete, nor ready to review, until that trust model
is also defined).