On Saturday 09 September 2006 15:12, John Levine wrote:
>> It seems to me you may be saying that a look-alike domain can be made
>> to look more authentic than the actual domain. Is that right? If
>> so, I'd like to understand that.
>
> It doesn't have to look more authentic. It only has to look as
> authentic. With SSP, everyone can publish equally authentic "PHISH
> TARGET" notices.
I don't recall seeing anything about PHISH TARGET notices in Mike's
requirements draft, so I think you are arguing that the SSP you are arguing
against is a different one than the WG is working on.
>> I would call forcing phishers to switch from exact domains to
>> look-alikes progress.
>
> Well, OK. Here's a small selection from a recent .COM zone file.
> Let's pretend they all just sent you mail, and they all have valid
> signatures and the most draconian SSP. Which one is really Paypal?
> (One of them is.)
None of them are Paypal domains that have sent messages to me. I have no
idea. I don't think I'd trust any of them (even if one is real, I'd be
suspicious). This is, however, irrelevant.
The point is that none of them are paypal.com. I think it was PHB that said
that the advice being given for the last several years to financial
institutions was to use their main domain name for their transactional mail.
> Claims that SSP is a meaningful anti-phishing tool are nuts.
I imagine it all revolves around the significance one places on blocking exact
domain forgery/phishes. If you don't think that's meaningful, then sure.
I think it's meaningful.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html