ietf-dkim

Re: [ietf-dkim] Review of DKIM Sender Signing Practices (draft-ietf-dkim-ssp-01)

2007-12-04 11:50:21
  There is a trivial mechanism that can cut down SSP lookups to almost
  nothing: don't query domains from which you've never received a valid
  DKIM signature.

My network gets tons of fake mail from HSBC UK and no real mail from
them since none of my North American users have an account there.  How
would I be able to tell that it should have been signed?

 If nobody cares about HSBC UK, why should you?

Uh, because SSP is supposed to be able to help me tell that it's a phish?

I can't believe you're saying that I should just deliver phishes if I don't think anyone's likely to fall for them, but it's hard to assign a different meaning to your question.

As it happens, lots of people around here have HSBC US accounts, the two banks' branding is nearly identical, and it's not absurd to worry that if someone put HSBC US account info into the HSBC UK phish, the bad guys would be able to make use of it.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
