On Sep 9, 2010 at 14:04 -0600, McDowell, Brett wrote:
=>On Sep 9, 2010, at 3:10 PM, Derek Diget wrote:
=>> What do entries that can't get a different domain in the same TLD do?
=>> i.e. .edu are restricted to one domain per entity by the registrar.
=>> (Yes, they can get a domain in a different TLD, but is that what we
=>> really want them to do?)
=>
=>Ah, right! This is also a problem for .gov organizations. I suppose
=>clarity is the upside of having choice removed ;-)
=>
=>>
=>> =>The case we are discussing is a situation where the corporate users are
=>> =>using the same domain as the transactional domain and you need to do
=>> =>something to address the conflict between strict policies to protect
=>> =>against (transactional) phishing and corporate use which results in mail
=>> =>going through lists, etc. with the commensurate risk of authentication
=>> =>breakage.
=>>
=>> We see ourselves in the same place, though it will take months/years to
=>> get there. We have user and transactional (billing notices, class
=>> registration, etc) e-mail on the same domain.
=>>
=>
=>I think the phrase missing from Mike's comments above is "using the
=>same [highly phished] domain as the transactional domain". So if
=>wmich.edu is not a target for phishing, you may not even want to
=>advertise "discardable" as your policy. The
=>broken-signature-equals-lost-mail problem is only for those of us
=>advertising "discardable" (in ADSP or any other sort of arrangement).
Going a little off thread... I had a discussion with our anti-spam
vendor a few years ago when phishing started its rise. They offered a
phishing-alert program where they would notify us if phishing messages
abusing our domain were hitting their trap addresses. The program was
of no use to us because the only addresses that received phishing
messages with our domain were our own users. (Why would a phisher
send an e-mail as a wmich.edu identity to a <free-webmail-provider>?
If they did, what would they ask for?)
"Highly" lacks relative scale. :) No, we are not Paypal, Amazon, E-Bay,
BoA, but we do receive our share of messages to our users that pretend
to be from us. I see kind of two versions of phishing. (I know everyone
on the list knows what phishing is, so apologies in advance.) The big
(volume by phished domain) one is where the "highly" valued domains
(Paypal, Amazon, E-Bay, BoA, etc) are being phished. These are e-mails
sent to just about every system that accepts e-mail. This is typically
what people think of when talking about phishing. The other much
smaller (volume per phished domain) version is where the domain being
impersonated is also the receiving domain. For those sites the second
type of phishing might be more important as it involves the security of
their own users. We (wmich.edu) fit into that second case most of the
time. Again, we are not phished in the first version as far as I know,
but we do send billing statements, enrollment reminders and other
transactional messages that could be used as phishing material and we
are just watching how best to keep those messages from becoming phishing
material in the future.
Since we are nowhere close to being able to restrict incoming e-mail
from the Internet that is supposedly from us (we have too many users
still using their ISP's MSA, departments using ESPs that use our domain
in their RFC5321.From, and other smaller issues we are working through),
we don't want to use DKIM+ADSP today, tomorrow, or next week, but are
watching it for suitability in the future.
Enough of my rambling...back to the main thread.... :)
--
***********************************************************************
Derek Diget Office of Information Technology
Western Michigan University - Kalamazoo Michigan USA - www.wmich.edu/
***********************************************************************
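The "discardable" trade-off discussed in this message, as an added worked example that is not code from the thread or from any ADSP implementation: a receiver-side evaluation of the RFC 5617 dkim= practices (unknown, all, discardable), with the record text, domains and signature results constructed for illustration.

```python
import email.utils

# Added worked example for the ADSP discussion above; not code from the thread.
# Receiver-side ADSP (RFC 5617) evaluation: the record text, domains and
# signature results passed in are constructed, not real DNS or DKIM data.

VALID_PRACTICES = ("unknown", "all", "discardable")

def parse_adsp(txt):
    """Parse the TXT record published at _adsp._domainkey.<domain>.
    Tags are 'tag=value' pairs separated by ';'; unknown tags are kept
    here but ignored by the caller."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def author_domain(from_header):
    """Author Domain = domain of the single RFC5322.From address. RFC 5617
    leaves a multi-address From undefined, so refuse to evaluate it."""
    addrs = email.utils.getaddresses([from_header])
    if len(addrs) != 1 or "@" not in addrs[0][1]:
        return None
    return addrs[0][1].rsplit("@", 1)[1].lower()

def adsp_disposition(from_header, adsp_txt, valid_sig_domains):
    """Return 'accept', 'suspicious' or 'discard' for one message.
    valid_sig_domains: d= of the DKIM signatures that verified; a signature
    broken in transit (list footer, subject tag) is simply absent here.
    adsp_txt: the ADSP record text, or None when the domain publishes none."""
    domain = author_domain(from_header)
    if domain is None:
        return "suspicious"  # no single Author Domain to evaluate against
    if domain in {d.lower() for d in valid_sig_domains}:
        return "accept"      # valid Author Domain Signature present
    practice = "unknown"     # no record published == unknown
    if adsp_txt is not None:
        practice = parse_adsp(adsp_txt).get("dkim", "unknown")
        if practice not in VALID_PRACTICES:
            practice = "unknown"  # RFC 5617: unrecognised values mean unknown
    if practice == "unknown":
        return "accept"      # unsigned mail is normal for this domain
    if practice == "all":
        return "suspicious"  # all mail should be signed; treat as suspect
    return "discard"         # discardable: broken signature == lost mail
```

The "discard" branch is the case the thread worries about: a billing notice that passed through a list which altered the body arrives with no verifying signature and is dropped under a discardable policy, while the same message survives under unknown or all.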
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops