
Re: [ietf-dkim] SSP = FAILURE

2006-09-09 11:50:23
On Saturday 09 September 2006 14:35, John Levine wrote:
The best way to help end-users avoid getting phished is to not accept
phishing messages for delivery.  DKIM-SSP where strict policy
statements are published offers a mechanism for this.

I get a message from security@ebay-verify.com.  It has a valid
signature.  I check the SSP for ebay-verify.com, which says "MAJOR
PHISHING TARGET, ACCEPT ONLY WITH SIGNATURE."  So I drop it into the
recipient's mailbox with a gold star on it.

What have we just accomplished?

A bad thing.  Don't put the gold star on it.  That would be a mistake.

I think we all agree it would be a mistake.

How does DKIM-SSP help us not to put the gold star on it?  Someone
said that DKIM-SSP offers a mechanism to not accept phishing messages
for delivery.

For exact domain phishes, I think this is true.

If I get a message 2822.From a domain that has published an SSP record saying 
that the domain signs all messages and the message does not have a valid 
signature signed by that domain, then the message can be rejected.

Unless you are in the habit of putting gold stars on all messages that go into 
the inbox, then you don't need any help to not put a gold star on it.  The 
part where you normally don't put a gold star on it, do that.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
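The two decisions the thread keeps apart, as an added example that is not code from the ietf-dkim list or from any DKIM implementation: a toy model of the SSP check Scott describes (reject only when the 2822.From domain publishes a signs-all policy and no valid signature from that domain is present), with the "gold star" kept as a separate, locally controlled trust decision that a policy record cannot grant. The SSP records, the trust list and the sample messages are constructed; "ebay-verify.com" is the hypothetical look-alike domain from the quoted text, and no DNS lookup is performed.

```python
# Added example, not code from the ietf-dkim thread: a toy model of the
# SSP check the message describes, kept separate from any "gold star"
# (trust marker) decision. SSP_RECORDS, GOLD_STAR_DOMAINS and the sample
# messages are constructed; "ebay-verify.com" is the hypothetical
# look-alike domain from the thread.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for a DNS lookup of the From: domain's signing policy.
#   "all"    -> domain states it signs all of its mail
#   "strict" -> domain states it signs all mail and wants unsigned mail rejected
#   (absent) -> no policy published
SSP_RECORDS = {
    "example.com": "strict",
    "ebay-verify.com": "strict",  # a look-alike can publish whatever policy it likes
    "bank.example": "all",
}

# Constructed local trust list: domains whose first-party signature the
# recipient has decided to mark. SSP has no say in this list.
GOLD_STAR_DOMAINS = {"example.com"}


@dataclass
class Message:
    from_domain: str  # domain part of the 2822.From address
    signing_domains: List[str] = field(default_factory=list)  # d= of signatures that verified


def lookup_ssp(domain: str) -> Optional[str]:
    """Return the published policy for a domain, or None if there is none."""
    return SSP_RECORDS.get(domain)


def ssp_disposition(msg: Message) -> Tuple[str, str]:
    """Decide accept/reject from SSP alone.

    Rejects only the exact-domain case: the From: domain publishes a
    signs-all policy and no valid signature from that domain is present.
    A valid signature from a look-alike domain still passes this check,
    which is exactly why passing it must not earn a gold star.
    """
    policy = lookup_ssp(msg.from_domain)
    first_party_signed = msg.from_domain in msg.signing_domains
    if policy in ("all", "strict") and not first_party_signed:
        return "reject", "policy says all mail is signed; no valid first-party signature"
    if first_party_signed:
        return "accept", "valid first-party signature"
    return "accept", "no applicable policy"


def gold_star(msg: Message) -> bool:
    """Trust marker: granted only by local trust, never by a policy record."""
    return msg.from_domain in msg.signing_domains and msg.from_domain in GOLD_STAR_DOMAINS


if __name__ == "__main__":
    samples = [
        Message("example.com"),                           # exact-domain spoof, unsigned
        Message("example.com", ["example.com"]),          # genuine first-party mail
        Message("ebay-verify.com", ["ebay-verify.com"]),  # look-alike with a valid signature
        Message("nobody.example"),                        # no policy published
    ]
    for m in samples:
        verdict, why = ssp_disposition(m)
        print(f"{m.from_domain:18} {verdict:6} gold_star={gold_star(m)!s:5} ({why})")
```

Running the block prints one line per sample: the unsigned example.com message is rejected, the signed ebay-verify.com message is accepted but gets no gold star, and only the signed example.com message is marked, because the marker comes from GOLD_STAR_DOMAINS rather than from the policy record.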