ietf-asrg

Re: [Asrg] mail security

2009-01-20 19:57:19
Let's say you get a message from security(_at_)pay-pal(_dot_)com, which is 100%
DKIM, SPF, and Sender-ID approved. Is that Paypal? How can you tell
short of manually looking up WHOIS registrations?

Well, without all those technologies, it's simple to simply use paypal's 
domain. Then there's no clue. Now, if you use a look-alike domain name, 
then you're probably violating the trademark. That's illegal, ...

Uh, dude, we're talking about phishing here.  If that's not already
illegal in Australia, I think I've found a major recession-resistant
business opportunity.

R's,
John

PS:

   Is there actually any point in trying to solve phishing issues by
verifying the origin of email if the customer is going to depend on
a known-insecure web-browser?

Maybe.  One of my bank accounts requires me to use a physical dongle
to generate a code number.  I expect in the future they'll give you a
USB dongle with a small screen and a couple of buttons so you do most
of your banking session on the computer, but when you hit go, the
dongle lights up with the details of the transaction the bank is about
to do and you have to push YES or NO on the dongle to confirm.  That
seems like it could be made reasonably secure.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
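
The point raised in the message above, that mail from a look-alike domain can pass DKIM, SPF and Sender-ID, can be checked on the receiving side by comparing the authenticated domain with the brand's real domains. The Python below is an added example, not part of the original post; the brand list, the sample header, the look-alike rules and the function names are all constructed for illustration.

```python
import re

BRAND_DOMAINS = {"paypal.com"}  # assumption: domains the real brand sends from

# Constructed header (RFC 8601 Authentication-Results syntax), not from the post.
SAMPLE_HEADER = (
    "Authentication-Results: mx.example.net; "
    "spf=pass smtp.mailfrom=security@pay-pal.com; "
    "dkim=pass header.d=pay-pal.com; "
    "sender-id=pass header.from=security@pay-pal.com"
)

def authenticated_domains(header):
    """Domains for which SPF, DKIM or Sender-ID reported 'pass'."""
    found = re.findall(
        r"\b(?:spf|dkim|sender-id)=(\w+)\s+[\w.]+=([^\s;]+)", header)
    return {value.rsplit("@", 1)[-1].lower()
            for result, value in found if result == "pass"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain):
    """Fold hyphens and a few digit look-alikes (small constructed mapping)."""
    return domain.replace("-", "").translate(str.maketrans("01", "ol"))

def classify(domain, brands=BRAND_DOMAINS):
    """'brand' for a brand domain or its subdomain, 'lookalike' if it is
    within one edit of a brand or folds to the same skeleton, else 'unrelated'."""
    for brand in brands:
        if domain == brand or domain.endswith("." + brand):
            return "brand"
    for brand in brands:
        if skeleton(domain) == skeleton(brand) or edit_distance(domain, brand) <= 1:
            return "lookalike"
    return "unrelated"

def triage(header):
    """Authentication proves which domain sent the mail; this labels that domain."""
    return {d: classify(d) for d in authenticated_domains(header)}

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```
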
