ietf-asrg

Re: [Asrg] Microsoft takes over British Telecom

2011-10-23 20:37:15

On Oct 23, 2011, at 5:19 PM, Paul Smith wrote:

> On 23/10/2011 22:43, Steve Atkins wrote:
>
> > (I did some back of the envelope testing of ADSP as an anti-phishing /
> > anti-spoofing measure, and based on my inbox it was worse than flipping a
> > coin for each email, based on both false positives and false negatives).
>
> Is that just because it's poorly configured in many places? If so, then
> rejecting any failed messages will surely, over time, increase the
> effectiveness as people fix their configurations. Accepting them anyway will
> just keep the bad configurations in place. (i.e. 'Tough love')

That was based on modeled "perfect" ADSP-compliant behaviour by the recipient, 
and actual observed behaviour by paypal and phishers going after their brands. 
Paypal are the main folks backing ADSP, so if they can't get it right, nobody 
can. 

The change I saw them make in response to these problems was to have their 
employees use a domain other than paypal.com for paypal corporate email. That 
improved the false positives (in much the same way sending your email via 
Hotmail will prevent false positives based on your domain's misconfiguration, 
which isn't really fixing the problem). It had no effect on the false negatives.

> Big mail providers are happy rejecting mail for any and all spurious reasons,
> why can't others be willing to reject mail for badly configured senders?

That's an entirely different issue - they, like all responsible email 
providers, want to deliver email their users want.

Cheers,
  Steve

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg