ietf-asrg

Re: [Asrg] misconception in SPF

2012-12-09 13:16:50
a forged email pass anyway

No antiforgery scheme can defend against fakes that only sort of match
the forgery target.  We call this the paypai problem.  The only
approach I can see that has any hope of success is to figure out some
way to mark real mail from a category of targets (banks, say) in a way
that bad guys can't fake.  

But this is specific to each target group.  The fact that mail from me
doesn't have a seal saying that it's from a bank doesn't mean that
it's forged or otherwise bad.


I think is a misunderstanding of a huge part of the operators

Is it? Have you evidence, even if it is only anecdotal, that such a 
misunderstanding exists?

I'm with Martijn.  Other than the test message you sent the other day,
I don't think I have ever seen a phish that used a subdomain of the
target.  Ever.

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg