[Top] [All Lists]

Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-10 04:49:01
On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> 

As soon as banks start signing their messages and there are credible whitelists for their domain names, doesn't this end the ability for phishers to use those domain names in the rfc2822.From field?

I fail to see how "credible whilelists" are going to work. You cannot expect all the millions of honest internet users to get into such whitelists. Rather, it seems that what is suggested is that there will exists whitelists of "respectable banks".

But how do you tell, automatically, that a message is from a "bank", and therefore ought to be ignored if it is not whitelisted? Will messages from banks routinely carry text or headers which say "this message is from a bank, and is to be ignored if it is not whitelisted". Naturally, phishers will not include such texts/headers (or they will include them in a subtly altered form).

But you still have the problem of educating users to expect such texts/headers, and educating them to do that is just as hard as educating them to recognise present-day phishes (I expect most people do, but enough people don't for the phishers to make a decent living, it seems).

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web:
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
NOTE WELL: This list operates according to

<Prev in Thread] Current Thread [Next in Thread>