On Saturday 09 September 2006 19:16, Wietse Venema wrote:
Hector Santos:
Just so you know, no one, atleast not me, has said that SSP or DKIM-BASE
itself will protect against near-domain style spoofing A.K.A phishing.
Actually, the discussion has demonstrated that SSP can't detect
look-alike phishing, while DKIM-BASE can.
Not without getting beyond the scope of the WG charter. DKIM-BASE certainly
gives a more reliable name basis for name based reputation and accept/reject
decisions. It does not, however, provide a complete mechanism for doing so
on it's own.
Another question I would have is how a message from a sender on the trusted
list that was received without a valid signature would be treated. Without
SSP to determine is the domain signs all mail, it would seem problematic to
either accept or reject such messages. It may be that SKIM-SSP would
complement such efforts.
This involves a list of trusted DKIM-BASE signing domains (*).
Given this list, potential look-alike or exact-name phishing attempts
stand out because their signing domain isn't in the trusted list.
Agreed, but this list is outside the scope of what I understand the WG was
chartered to do.
That list could be recipient maintained (a bit like the way SSH
asks for permission when it encounters an unknown hostkey). Or it
could be maintained externally.
I think that a list of trusted DKIM-BASE signing domains can go a
long way towards the elimination of look-alike and exact-name
forgeries.
Agreed, but that requires additional mechanism beyond what we are chartered to
do. I'd be interested to know if someone was working on an open solution to
this part of the problem.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html