
Re: [Asrg] Round 2 of the DNSBL BCP - "collateral damage"

2008-04-04 14:25:45

On Apr 4, 2008, at 1:04 PM, Steve Atkins wrote:

> On Apr 4, 2008, at 12:57 PM, Douglas Otis wrote:
>
>> On Apr 4, 2008, at 12:28 PM, Seth wrote:
>>
>>> Rich Kulawiec <rsk(_at_)gsp(_dot_)org> wrote:
>>>
>>>> For domains I trust (including all banks I do business with), I use SPF to allow stuff they send me to bypass spam filters. That enables those filters to be much stronger for stuff that looks like bank messages.
>>>
>>> How would you suggest a spammer can render that moot?
>>
>> Look-alike, cousin domains, and display names.
>
> Are you not clear on how domain-name based whitelisting works?
>
> If you want to whitelist mail that "comes from" example.com's mailservers there are at least two ways of doing that.
>
> One is to explicitly whitelist mail that comes from the IP addresses of example.com's mailservers. That works fine, but requires each receiving ISP to maintain those lists of IP addresses.
>
> The other is to allow the owner of example.com to publish the IP addresses of those mailservers, and for all the receiving ISPs to use that list of IP addresses in order to whitelist email coming from example.com's mailservers. SPF is one way to do that. This will whitelist exactly the same set of mail as the first approach, just with less management overhead and less risk of fat-fingering data.
>
> So, please explain how "Look-alike, cousin domains, and display names" will render that moot.

SPF does not deal with what a person sees, although filtering rules may attempt to extend checking to PRAs or Froms, but of course that is not SPF. Of course, such extensions are not foolproof either. This is made more dangerous when many recipients see just the display name.

People and filters are easily fooled. Whitelisting may bypass filtering rules matching against possible phish. Whether this works depends upon bad actors cooperating and not defeating this protection. A person can be convinced in subtle ways a message is from an entity that it is not. We do a significant amount of phish filtering; however, this process _must_ deal with images and other details related to what may catch a person's eye. This goes back to the first sentence: people and filters are easily fooled. Distinctive annotations are needed, but such annotations may also be spoofed and make the recipient more prone. One of the greatest risks currently leading people astray is spoofed email from one of their buddies listed within their social network. Someone pretends to be someone you know, and offers a link to something "interesting".

-Doug
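The two points above (Steve's domain-based SPF whitelist and Doug's reply that SPF says nothing about what the recipient sees) as an added illustration, not code from the thread or from any of its participants. The SPF records, domains and addresses below are constructed, the SPF evaluator is a minimal one (ip4, include and all only), and the "mimics" flag is an assumed heuristic layered on top of SPF, of the kind Doug notes is not SPF itself.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (made-up data, not any real domain's records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "examp1e.com": "v=spf1 ip4:203.0.113.5 -all",  # look-alike domain with its own valid SPF
}
WHITELIST = {"example.com"}  # domains whose SPF-passing mail skips the phish filters

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Minimal SPF evaluator: ip4, include and the all mechanism only."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        matched = (
            term == "all"
            or (term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False))
            or (term.startswith("include:") and spf_check(term[8:], sender_ip, depth + 1) == "pass")
        )
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_from(header):
    """Split 'Display Name <local@domain>' into (display name, domain)."""
    name, _, addr = header.rpartition("<")
    return name.strip().strip('"'), addr.rstrip(">").rsplit("@", 1)[-1].lower()


def evaluate(from_header, envelope_domain, sender_ip):
    """Whitelist decision keyed only on the SPF-authenticated envelope domain,
    plus an assumed heuristic flag for the display-name case SPF does not cover."""
    display_name, header_domain = parse_from(from_header)
    spf = spf_check(envelope_domain, sender_ip)
    bypass = envelope_domain in WHITELIST and spf == "pass"
    # Display name or header domain mentions a whitelisted domain without being one.
    mimics = header_domain not in WHITELIST and any(
        w in display_name.lower() or w in header_domain for w in WHITELIST
    )
    return {"spf": spf, "bypass": bypass, "mimics_whitelisted": mimics}
```

The look-alike domain passes its own SPF record but never reaches the bypass, because the whitelist keys on the exact authenticated domain; the display-name check is a separate, weaker layer.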


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
