
Re: [Asrg] mail security

2009-01-21 06:08:15


--On 21 January 2009 00:56:55 +0000 John Levine <johnl(_at_)taugh(_dot_)com> 
wrote:

Let's say you get a message from security(_at_)pay-pal(_dot_)com, which is 100%
DKIM, SPF, and Sender-ID approved. Is that Paypal? How can you tell
short of manually looking up WHOIS registrations?

Well, without all those technologies, it's simple to simply use paypal's
domain. Then there's no clue. Now, if you use a look-alike domain name,
then you're probably violating the trademark. That's illegal, ...

Uh, dude, we're talking about phishing here.  If that's not already
illegal in Australia, I think I've found a major recession-resistant
business opportunity.

Phishing illegal? I don't know about Australia, but I don't think there are specific anti-phishing laws in the UK. Certainly, fraud perpetrated with information gained by phishing is illegal. It's fraud. It could be argued that the phishing attempt itself is a form of fraud, but probably only if you actually do something with the information gained.

My point about trademarks is that registering a domain that could be easily confused with a trademark is illegal. Therefore, it's reasonable to code phishing defences that rely in whole or in part on detecting sender address domains that are similar, but not identical, to trademarked domains.

This means that technical measures to protect a domain from precise forgery can be supplemented with technical measures to protect near matches to those domains. This mitigates (though it does not eliminate) the problem.

[Whether it's legal or not, it is a business opportunity. It's probably not totally recession-resistant because recession probably reduces the gains to be had.]



R's,
John

PS:

   Is there actually any point in trying to solve phishing issues by
verifying the origin of email if the customer is going to depend on
a known-insecure web-browser?

Maybe.  One of my bank accounts requires me to use a physical dongle
to generate a code number.  I expect in the future they'll give you a
USB dongle with a small screen and a couple of buttons so you do most
of your banking session on the computer, but when you hit go, the
dongle lights up with the details of the transaction the bank is about
to do and you have to push YES or NO on the dongle to confirm.  That
seems like it could be made reasonably secure.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg



--
Ian Eiloart
IT Services, University of Sussex
x3148
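As an added example (not code from the thread, and not from either poster), the near-match check Ian describes above, flagging sender domains that are similar but not identical to a protected domain, can be implemented like this in Python. The protected-domain list, the homoglyph table and the registrable-domain heuristic are constructed assumptions kept small for illustration; a real deployment would take the registrable domain from the Public Suffix List and the confusable map from Unicode TR#39 confusables.txt.

```python
"""Flag sender domains that are near matches to protected (trademarked) domains.

Added example for the ASRG thread; nothing here is the list's or a poster's code.
PROTECTED_DOMAINS, CONFUSABLES and registrable() are constructed assumptions.
"""
import re
import unicodedata

# Constructed: brands this mail system is defending. Exact matches (and their
# subdomains) are trusted; near matches are the phishing signal.
PROTECTED_DOMAINS = ("paypal.com", "sussex.ac.uk")

# Constructed homoglyph table: ASCII digits/symbols and Cyrillic letters that
# render like Latin letters. Unicode TR#39 confusables.txt is the full source.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0456": "i",
}


def skeleton(text):
    """Canonical form for comparison: lowercase, strip accents, map confusable
    characters to their Latin look-alike and drop hyphens, so that 'pay-pal',
    'paypa1' and Cyrillic 'p\u0430ypal' all collapse to 'paypal'."""
    out = []
    for ch in unicodedata.normalize("NFKD", text.lower()):
        if unicodedata.combining(ch):
            continue
        ch = CONFUSABLES.get(ch, ch)
        if ch != "-":
            out.append(ch)
    return "".join(out)


def registrable(domain):
    """Assumed heuristic for the registrable domain: the last two labels, or the
    last three when the second-level label is an administrative label under a
    two-letter ccTLD (ac.uk, co.uk, ...). A Public Suffix List lookup is the
    correct tool; this stands in for it so the example runs offline."""
    labels = domain.lower().strip(".").split(".")
    admin = {"ac", "co", "gov", "org", "com", "net"}
    if len(labels) >= 3 and labels[-2] in admin and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, protected=PROTECTED_DOMAINS):
    """Return ('exact', brand_domain) when the sender's registrable domain is a
    protected domain itself, ('lookalike', brand_domain) when it is a near match
    (skeleton within one edit, or the brand label embedded as a token such as
    paypal.com.evil.example or secure-paypal-login.example), else ('unrelated', None)."""
    reg = registrable(sender_domain)
    for p in protected:
        if reg == p.lower():
            return ("exact", p)

    reg_skel = skeleton(reg)
    # Tokens of the whole sender domain, split on dots and hyphens, skeletonised.
    tokens = {skeleton(t) for t in re.split(r"[.-]", sender_domain.lower()) if t}
    for p in protected:
        brand = skeleton(p.split(".")[0])
        if levenshtein(reg_skel, skeleton(p)) <= 1 or brand in tokens:
            return ("lookalike", p)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample senders, including the pay-pal.com case from the thread.
    for d in ("mail.paypal.com", "pay-pal.com", "paypa1.com", "p\u0430ypal.com",
              "paypall.com", "paypal.com.evil.example", "google.com"):
        print(f"{d:28s} -> {classify(d)}")
```

The edit-distance threshold of one is deliberately tight: on short names it still collides with unrelated legitimate domains (a brand's own other TLDs, or a word one letter away), so in practice the output is a score fed to a filter alongside DKIM/SPF results rather than a hard reject, and the brand's legitimate variants go on the protected list or an allowlist. Classification runs on the domain after skeletonisation, so adding a confusable to the table is enough to catch a new homoglyph trick without touching the comparison logic.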
