Charles Lindsey wrote:
On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
As soon as banks start signing their messages and there are credible
whitelists for their domain names, doesn't this end the ability for
phishers to use those domain names in the rfc2822.From field?
I fail to see how "credible whitelists" are going to work. You cannot
expect all the millions of honest internet users to get into such
whitelists. Rather, it seems that what is suggested is that there
will exist whitelists of "respectable banks".
But how do you tell, automatically, that a message is from a "bank",
and therefore ought to be ignored if it is not whitelisted? Will
messages from banks routinely carry text or headers which say "this
message is from a bank, and is to be ignored if it is not
whitelisted". Naturally, phishers will not include such texts/headers
(or they will include them in a subtly altered form).
But you still have the problem of educating users to expect such
texts/headers, and educating them to do that is just as hard as
educating them to recognise present-day phishes (I expect most people
do, but enough people don't for the phishers to make a decent living,
it seems).
The problem here is actually twofold: the phished company side and the
user side. At present, there's absolutely no reason for companies with
big names to limit their own use of lookalike domains. Which of course
they use with relish, so even a diligent end user can't ever be sure.
I'd claim that this ambiguity must change *before* any sort of education
campaign can have any realistic chance of working.
But there's no incentive for the companies to rein in their marketing arms
now. DKIM and especially DKIM+SSP may provide some incentive to do that
since they get to regain control of their brand names. It's unclear whether
it's enough incentive, but it's at least plausible, especially given that
it's a relatively low investment and that it appeals to their dislike of
brand name dilution.
Mike
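The receiver-side decision the thread is arguing about, as an added example that is not part of any message above: a verified DKIM signing domain is compared with the From domain, a published "all my mail is signed" policy (an SSP-style assertion; the policy store and whitelist here are constructed stand-ins, not real DNS records) is consulted, and names that merely resemble a whitelisted bank are flagged separately, which is the lookalike ambiguity Mike describes. Domain names and the Message type are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed: the "credible whitelist of respectable banks" from the thread.
WHITELIST = {"examplebank.test"}
# Constructed stand-in for a sender signing policy: "all" means the domain
# asserts that every message it originates carries its own DKIM signature.
SSP = {"examplebank.test": "all"}

@dataclass
class Message:
    from_domain: str            # domain of the RFC 2822 From address
    dkim_domain: Optional[str]  # d= of a *verified* signature, None if absent/failed

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, max_dist: int = 2) -> Optional[str]:
    """Whitelisted domain this one resembles but is not equal to, if any."""
    for trusted in WHITELIST:
        if domain != trusted and edit_distance(domain, trusted) <= max_dist:
            return trusted
    return None

def classify(msg: Message) -> str:
    """Decide how a receiver treats the message; the signature alone says
    nothing about the name, so whitelist and policy are checked separately."""
    signed_by_author = msg.dkim_domain == msg.from_domain
    if signed_by_author and msg.from_domain in WHITELIST:
        return "whitelisted"              # the bank, signed by the bank
    twin = lookalike_of(msg.from_domain)
    if twin:
        return f"lookalike:{twin}"        # signed or not, it is not the listed name
    if SSP.get(msg.from_domain) == "all" and not signed_by_author:
        return "suspect"                  # domain promised a signature; none present
    return "signed" if signed_by_author else "unknown"
```

A domain with no policy and no resemblance to the list lands in "unknown", which is exactly the gap Charles points at: without the domain owner publishing something, the receiver has nothing to compare against.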
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html