Please explain. If a sender publishes a policy that says I sign all
mail and a receiver rejects, deletes, etc. all mail that isn't signed
by that sender, what is the phisher's transition path to work around
it?
He uses another domain in his return address, like Steve said. You
may carefully look at the return address in your mail, but most people
don't, and even if they do, bank marketing departments are unable to
resist the urge to invent a new domain for every new ad campaign so it
doesn't tell you much if you don't recognize the domain. (Quick, who
is applyonlinenow.com?)
I already get a whole lot of phish for Paypal that doesn't have a
paypal.com return address, ditto for a lot of the bank phish I get. I
see no reason that is going to change.
If there were a way to look up a domain and get back a response that
tells you whether it's a bank, that would be useful. But SSP doesn't
do that.
R's,
John
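The limitation John describes can be seen in a simplified model of how a receiver would apply a sender signing policy. The code below is an added illustration, not code from this thread or from any DKIM implementation: the policy table, the `"all"` policy value, the domains and the messages are all constructed for the example. It shows that a policy is only consulted for the domain the message claims in its From address, so mail from a domain that publishes nothing is never subject to the bank's policy, and a receiver that wants to catch such mail needs some other source of "which domains do I trust" than SSP.

```python
"""Simplified model of DKIM Sender Signing Policy (SSP) evaluation.

Added example, not from the list thread or any DKIM library. The policy
table, domains and messages are constructed; a real receiver would query
the From domain's SSP record in DNS instead of a dict.
"""
from dataclasses import dataclass

# Constructed stand-in for published SSP records. Assumption: the value
# "all" means "this domain signs every message it sends".
POLICIES = {
    "paypal.com": "all",
    "bigbank.example": "all",
}


@dataclass
class Message:
    from_domain: str
    # Domains of the DKIM signatures on the message that verified
    # successfully (empty tuple when the message is unsigned).
    signature_domains: tuple


def lookup_policy(domain):
    """Return the published policy for a domain, or None if it has none.

    Simplification: no parent-domain or wildcard lookup is attempted."""
    return POLICIES.get(domain)


def evaluate_ssp(msg):
    """Return (verdict, reason) for a message under the simplified model."""
    # A valid signature from the From domain satisfies any policy.
    if msg.from_domain in msg.signature_domains:
        return ("accept", "valid author signature from the From domain")
    policy = lookup_policy(msg.from_domain)
    if policy == "all":
        return ("reject",
                f"{msg.from_domain} publishes 'all' but no author signature present")
    # No policy for the claimed domain: SSP has nothing to enforce, even
    # if the message content impersonates some other organisation.
    return ("accept", "no policy published for the From domain")


def is_recognized_sender(msg, trusted_domains):
    """Local allowlist check standing in for the 'is this a bank?' lookup
    that SSP does not provide. trusted_domains is maintained by the
    receiver; it is an assumption of this example, not part of DKIM."""
    return msg.from_domain in trusted_domains


if __name__ == "__main__":
    trusted = {"paypal.com", "bigbank.example"}
    samples = [
        Message("paypal.com", ("paypal.com",)),       # properly signed
        Message("paypal.com", ()),                    # spoofed, unsigned
        Message("paypal.com", ("mailer.example",)),   # third-party signature
        Message("secure-update.example", ()),         # constructed lookalike
    ]
    for m in samples:
        verdict, reason = evaluate_ssp(m)
        known = is_recognized_sender(m, trusted)
        print(f"{m.from_domain:24} ssp={verdict:6} known={known!s:5} {reason}")
```

The last sample is the case at issue: it is unsigned, claims a domain with no policy, and SSP accepts it; only the local `trusted` list, which SSP does not supply, marks it as unrecognized.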
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html