Re: [ietf-dkim] SSP = FAILURE DETECTION

2006-09-11 11:27:12
On 9/11/06, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

On Sep 11, 2006, at 8:04 AM, Thomas A. Fine wrote:

> With SSP, I can only receive mail that looks ALMOST like it is from
> one of my orgs.  This is huge.  This gives the user layer the
> ability to quickly, accurately, and precisely differentiate between
> fake and real messages.  That's what SSP accomplishes.

A strong email-address policy assertion that disrupts the use of
common services might block exact spoofs.  SSP does not differentiate
"real" messages.

> As far as what happens in the user layer, no specification can
> control that.  We can certainly predict that a significant number
> of people will still fall for look-alike domains.

An association with a retrained email-address will curtail look-alike
attacks and clarify which messages are "real."  For this, the signing
domain must offer an assurance that the email-address is valid as well.

> But this is vastly different than people falling for the exact
> valid email address they were expecting.

Deploying just this mechanism will likely provide a minor impact upon
the spoofing success rate.  It may however have a major impact upon
the delivery rate of valid messages.

> What are we here for if we aren't here to fix that?

To offer a comprehensive solution that offers genuine protection
without impairing email delivery.

-Doug

My father used to tell me that locks were to keep honest people honest
and give those that wish to get through a dickens of a time doing it.
A lock will not ever stop someone who is determined to get through it.
In this case, I believe that it will give those that want to get
through SSP a whole new set of locks to bypass. There are only so many
look-alike domains, compared to how it is now, where mail can come from
anywhere. If we were able to just focus on look-alikes (as an admin),
it would make things a lot simpler. I believe that we ARE trying to
offer a comprehensive solution and have outlined in exacting detail just
how we are going to do it... which is a lot better than someone
suggesting Nirvana with no clear idea as to what they mean when
they suggest another comprehensive solution that offers genuine
protection without impairing email delivery.


Regards,
Damon Sauer
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>