On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc(_at_)dcrocker(_dot_)net>
As soon as banks start signing their messages and there are credible
whitelists for their domain names, doesn't this end the ability for
phishers to use those domain names in the rfc2822.From field?
I fail to see how "credible whilelists" are going to work. You cannot
expect all the millions of honest internet users to get into such
whitelists. Rather, it seems that what is suggested is that there will
exists whitelists of "respectable banks".
But how do you tell, automatically, that a message is from a "bank", and
therefore ought to be ignored if it is not whitelisted? Will messages from
banks routinely carry text or headers which say "this message is from a
bank, and is to be ignored if it is not whitelisted". Naturally, phishers
will not include such texts/headers (or they will include them in a subtly
But you still have the problem of educating users to expect such
texts/headers, and educating them to do that is just as hard as educating
them to recognise present-day phishes (I expect most people do, but enough
people don't for the phishers to make a decent living, it seems).
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
NOTE WELL: This list operates according to