There's one problem with DKIM as a phishing defense, which I have
mentioned in passing a few times here, but no one else seems to have
taken up discussion of.
An e-mail From: usually has two parts. One is the email address itself.
The other part is the full name of the sender. Usually the address is
enclosed in angle brackets while the remainder of the header is the full
name, although there is an alternative form where the full name is in
parentheses and the address is bare.
Full names are not used in routing and not registered anywhere. Neither
DKIM nor anything else can validate them. Nonetheless, in summaries of
incoming mail, MUAs tend to display *just* the full name.
Hence, I could send a phish as:
"From: PayPal <michael(_at_)talamasca(_dot_)ocis(_dot_)net>"
and (so long as the content was good enough) fool an unsuspicious user
while passing ADSP with flying colors.
An already-suspicious user could see through it -- but such a user would
probably look at the other headers and notice anomalies without needing
the help of DKIM. All ADSP would do is help declutter his mailbox of
the forgeries that don't use this trick.
By the way, this is why I consider the double-From: problem to be a
molehill. If widely used, the double-From: would quickly appear in
SpamAssassin and the like -- one doesn't even need to do any
cryptographic work to detect and block it. In contrast, detecting false
full names would require some sort of registry that does not exist at
---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
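As an added example (not part of Michael's post or any DKIM implementation): a receiving-side check that parses both From: forms described above and flags a display name that names a brand, or embeds an address, that the sending domain does not back. The brand watch-list and the sample headers are constructed placeholders for the example.

```python
import re
from email.utils import parseaddr

# Constructed watch-list for this example: display-name tokens treated as brand
# names, each mapped to the domains entitled to use them (placeholder values).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

# Something that looks like a domain written into the display name itself.
DOMAIN_IN_NAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

def split_from(header):
    """Return (display_name, address) for either From: form the post describes:
    'Name <addr>' or 'addr (Name)'.  parseaddr handles both."""
    name, addr = parseaddr(header)
    return name.strip(), addr.strip().lower()

def address_domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def domain_allowed(domain, allowed):
    # Exact match or a subdomain of an allowed domain.
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def display_name_mismatch(header):
    """Return a reason string when the display name claims an identity the
    address domain does not back, else None.  DKIM/ADSP cannot do this check:
    it only speaks about the address domain, never the name beside it."""
    name, addr = split_from(header)
    domain = address_domain(addr)
    if not name or not domain:
        return None
    lowered = name.lower()
    # 1. A watched brand token used with a domain outside the brand's list.
    for tok in re.findall(r"[a-z0-9]+", lowered):
        if tok in BRAND_DOMAINS and not domain_allowed(domain, BRAND_DOMAINS[tok]):
            return f"brand '{tok}' claimed by {domain}"
    # 2. A domain or address embedded in the display name that differs from
    #    the real sending domain (e.g. 'billing@other.example <x@example.net>').
    for claimed in DOMAIN_IN_NAME.findall(lowered):
        if not domain_allowed(domain, {claimed}):
            return f"display name claims {claimed}, address is {domain}"
    return None
```

The check is a heuristic on top of DKIM, not a replacement for it: a signature still proves the address domain, while this flags the name a summary view would show.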