On 9/4/10 10:04 AM, MH Michael Hammer (5304) wrote:
> Using a subdomain presents other issues but ones which I personally
> believe are likely more controllable.

Disagree. There is no ADSP policy currently defined able to provide the
protections being sought without forgoing use of mailing-lists for the
entire domain down.

> The DKIM enforcement policies you refer to are, as I understand, self
> imposed ones. We had the "tree walking" discussion during both DKIM
> and ADSP development and the decision was to have each subdomain
> publish its own records.

The TPA-Label draft avoids this issue by having either an MX or ADSP
record override a domain-wide marking by ADSP of being the target of
phishing attacks. It is logical to assume such attacks will utilize
sub-domains, where it is not possible to publish ADSP at each domain.
Targeted domains marked with discardable might be retained as a wildcard
within a local cache or in filtering rules to avoid walking down to the
TLD.

> Paypal would have to deal with those parties it has made private
> arrangements with but that is the nature of changes that impact such
> arrangements. This is a much more controllable (if potentially time
> consuming) situation than dealing with the universe of endusers.
>
> The other issue is the fact that an element of risk is created
> because of the MLM issues related to breaking signatures. If it
> weren't for the MLM issue and possibly recipient use of vanity domain
> forwarding, it isn't clear how much meaningful signature breakage
> would occur for outbound Paypal mail regardless of domain.

When a discardable assertion is used, message loss becomes nearly
impossible to assess.

> One question that comes to mind is whether the issue is centered on
> mailing lists or if there are broader issues. If it is centered on
> mailing lists, how broad is the need for Paypal employees to send
> mail through lists in furtherance of business needs (vs personal
> participation using a corporate account because it is convenient).
> Spending a little time analyzing this may provide some assistance in
> determining how to address the business needs.
>
> It would obviously be important to make clear to endusers that
> transactional mails are never sent from the corp.paypal.com
> subdomain.

When corp.paypal.com uses ADSP dkim=all, bad actors will then find their
phishing attempts accepted. These messages might include misleading
List-ID headers to seem to an MTA as having been handled by a
mailing-list. The recipient is unlikely to notice these additional
header fields and therefore remains vulnerable to phishing attempts that
they thought were from Paypal.

> There is certainly an educational component required regardless of
> which approach is selected. Any time there is a change in behavior on
> the part of an abused domain it opens up the potential for abuse
> specific to the changes involved.

The TPA-Label scheme should be able to mitigate phishing without better
educating users, engaging in private arrangements, or having
mailing-lists change their handling in ways that would make their
messages visually indistinguishable from user to user email, and
therefore a greater risk in distributing phishing attempts. While
phishing affects a small percentage of domains, it represents a
significant financial threat eroding the productivity email may have
otherwise offered.

-Doug
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
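
An added example, not part of the original message or of any DKIM project code: a sketch of the per-domain ADSP lookup discussed in the thread (one TXT record at `_adsp._domainkey.<domain>`, no tree walking), run against a constructed zone to show which subdomains a parent's `discardable` record does not cover. The `example.com` names, the `ZONE` dictionary, and the fallback to `unknown` when there is not exactly one valid record are assumptions of this sketch.

```python
# Constructed zone data (not real DNS answers): name -> list of TXT strings.
ZONE = {
    "example.com": [],                                # domain exists
    "_adsp._domainkey.example.com": ["dkim=discardable"],
    "corp.example.com": [],                           # exists, no ADSP record
    "lists.example.com": [],
    "_adsp._domainkey.lists.example.com": ["dkim=all"],
}

VALID = {"unknown", "all", "discardable"}


def parse_adsp(txt):
    """Return the dkim= practice from one TXT string, or None if malformed."""
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    if not tags:
        return None
    name, sep, value = tags[0].partition("=")
    if not sep or name.strip() != "dkim":   # dkim= must be the first tag
        return None
    value = value.strip()
    return value if value in VALID else "unknown"


def adsp_lookup(author_domain, zone=ZONE):
    """Look up ADSP for exactly one name; never walk up to a parent domain."""
    domain = author_domain.lower().rstrip(".")
    if domain not in zone:
        return "nxdomain"                   # author domain does not exist
    records = zone.get("_adsp._domainkey." + domain, [])
    parsed = [p for p in map(parse_adsp, records) if p]
    # Assumption of this sketch: anything but one valid record is "unknown".
    return parsed[0] if len(parsed) == 1 else "unknown"


def uncovered(domains, zone=ZONE):
    """Existing author domains whose practice falls back to 'unknown'."""
    return [d for d in domains if adsp_lookup(d, zone) == "unknown"]


if __name__ == "__main__":
    for d in ("example.com", "corp.example.com", "lists.example.com",
              "ghost.example.com"):
        print(d, "->", adsp_lookup(d))
```
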