ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-10 08:23:04
from [Michael Thomas] [Permanent Link] 
Charles Lindsey wrote:
On Thu, 09 Nov 2006 15:40:37 -0000, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
As soon as banks start signing their messages and there are credible whitelists for their domain names, doesn't this end the ability for phishers to use those domain names in the rfc2822.From field?
I fail to see how "credible whilelists" are going to work. You cannot expect all the millions of honest internet users to get into such whitelists. Rather, it seems that what is suggested is that there will exists whitelists of "respectable banks".
But how do you tell, automatically, that a message is from a "bank", and therefore ought to be ignored if it is not whitelisted? Will messages from banks routinely carry text or headers which say "this message is from a bank, and is to be ignored if it is not whitelisted". Naturally, phishers will not include such texts/headers (or they will include them in a subtly altered form).
But you still have the problem of educating users to expect such texts/headers, and educating them to do that is just as hard as educating them to recognise present-day phishes (I expect most people do, but enough people don't for the phishers to make a decent living, it seems). 

The problem here is actually twofold: the phished company side and the
user side. At present, there's absolutely no reason for companies with big names to limit their own use of lookalike domains. Which of course they use with relish, so even a diligent end user can't ever be sure. I'd claim that this ambiguity must change *before* any sort of education campaign can have any realistic chance of working. 

But there's no incentive for the companies to reign in their marketing arms
now. DKIM and especially DKIM+SSP may provide some incentive to do that
since they get to regain control of their brand names. It's unclear whether
it's enough incentive, but it's at least plausible especially given that it's a 
relatively low investment and that it appeals to their dislike of brand name
dilution.

      Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Collection of use cases for SSP requirements, Charles Lindsey
Next by Date:  Re: [ietf-dkim] New Issue: Applicability of SSP to subdomains, Michael Thomas
Previous by Thread:  Re: [ietf-dkim] Collection of use cases for SSP requirements, Charles Lindsey
Next by Thread:  Re: [ietf-dkim] Collection of use cases for SSP requirements, Powers, Jot
Indexes:  [Date] [Thread] [Top] [All Lists]