On Wednesday 08 November 2006 11:16, John Levine wrote:
> > I think some site like a Bank, that is heavily phished, might go so far as
> > "I sign all mail. Please delete/reject/drop/whatever (perhaps even
> > silently) all messages that fail to verify".
>
> Here's three cases:
>
> a) paypal.com publishes that note. So far so good.
>
> b) mismanaged-isp.com publishes that note, and blames you when their
> users' poorly formatted mail disappears. Not so good.
>
> c) paypal-payments.com publishes that note. I don't want their mail
> whether they verify or not.
>
> It seems to me that the likely number of domains in case a), real
> institutions with serious phish problems, is far smaller than the
> number of b) and c). I don't see how SSP can help me as a receiver
> tell the useful info about a) domains from the useless info about b)
> and c) domains. I expect that people will be using third party lists
> of a)'s, which makes me ask what the point of self-publishing this is.

SSP can't slice toast either.
A is good.
B is not your fault. No matter what you do, poorly configured senders will
blame you. They do it now, so this is no different than today.
C is not the problem SSP is meant to solve.
So it sounds to me like everything is fine.