ietf-asrg

Re: [Asrg] Economic model is borken. (sic.) Let's fix it

2003-03-06 23:08:20
At 3:51 PM -0800 3/6/03, Nate W wrote:
>> The other problem with challenge/response systems is that there's a
>> missing link in the interface.
>>
>> I go to a web site and purchase something.  They send me an email
>> receipt.  How exactly are they going to automatically get through my
>> challenge response?
>
> Sometimes I whitelist the domain beforehand, most times I just check the
> 'holding pen' folder for a message from the merchant some time later.

The question is not how we do it. But how someone's grandmother is going to do it. There is no interface. It's an error-prone and manual process. It also completely fails when a company changes its name, or when the primary domain is not the same as the particular store you shopped at.

One can certainly imagine standards to deal with this problem. Browser plugins, special URLs....

But fundamentally whitelisting fails without authentication.

In fact, I just got one such. A social engineering PayPal theft scam. Mail from Canada, with a form that submits to Russia, which then sends the email to Florida. Fortunately it fails a trivial header check.

Return-Path: <2et8t2n(_at_)linenoise(_dot_)net>
Received: from 24.222.182.119 ([24.222.182.119] verified)
  by somewhere.com (CommuniGate Pro SMTP 3.5.7)
  with SMTP id 2086244 for xxxx; Thu, 06 Mar 2003 17:08:43 -0500
Date: Thu, 06 Mar 2003 18:19:51 -0600
From: info(_at_)paypal(_dot_)com
To: xxx
Subject: Your PayPal account is Limited.
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Message-ID: 3372C50E-CC148FC-1695607-1D543072-4C9F48EE(_at_)paypal(_dot_)com


--
Kee Hinckley
http://www.puremessaging.com/        Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
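
Added example, not part of the original message: a sketch of the kind of header consistency checks that headers like those quoted above would fail. The message does not say which check it failed, so the four checks, the `header_findings` name and the 15-minute skew limit are assumptions; the sample is constructed from the quoted headers with placeholder addresses and a documentation IP.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the quoted headers (placeholder addresses/IP).
SAMPLE = """\
Return-Path: <2et8t2n@unrelated.example>
Received: from 192.0.2.119 ([192.0.2.119] verified)
  by mx.recipient.example (CommuniGate Pro SMTP 3.5.7)
  with SMTP id 2086244 for user@recipient.example; Thu, 06 Mar 2003 17:08:43 -0500
Date: Thu, 06 Mar 2003 18:19:51 -0600
From: info@brand.example
To: user@recipient.example
Subject: Your account is Limited.
Message-ID: 3372C50E-CC148FC-1695607-1D543072-4C9F48EE@brand.example

body
"""

def domain(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def header_findings(raw, max_skew=timedelta(minutes=15)):
    """Return a list of header inconsistencies (hypothetical check names)."""
    msg = message_from_string(raw)
    findings = []
    from_dom, rp_dom = domain(msg.get("From", "")), domain(msg.get("Return-Path", ""))
    # Envelope sender should be the From domain or one of its subdomains.
    if from_dom and rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append("return-path-domain-mismatch")
    received = msg.get_all("Received") or []
    if received:
        top = " ".join(received[0].split())  # unfold the newest Received line
        helo = top.split()[1] if top.startswith("from ") else ""
        if helo.replace(".", "").isdigit():  # client announced a bare IPv4 address
            findings.append("helo-is-bare-ip")
        try:
            recv_time = parsedate_to_datetime(top.rpartition(";")[2].strip())
            # A Date well after our own receipt time cannot be genuine.
            if parsedate_to_datetime(msg["Date"]) - recv_time > max_skew:
                findings.append("date-after-receipt")
        except (TypeError, ValueError):
            findings.append("unparseable-date")
    mid = (msg.get("Message-ID") or "").strip()
    if not (mid.startswith("<") and mid.endswith(">")):  # RFC 2822 msg-id form
        findings.append("message-id-not-bracketed")
    return findings

if __name__ == "__main__":
    print(header_findings(SAMPLE))
```

None of these checks authenticates the sender; they only catch sloppy forgeries, which is consistent with the message's point that whitelisting fails without authentication.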


