John L wrote:
> [ corrected example ]
>
> From: visa@visasecurity.net (Visa Security), security@paypal.com (Paypal Security)
> Sender: anyone@anywhere.org
> Subject: An Urgent Message from Your Friends at Paypal and Visa
>
> But yes, if it is registered as a throwaway and doesn't publish SSP,
> it will be SSP compliant (not Suspicious), presuming some DNS record
> for the domain exists (at least an NS record or something).
Hopefully Visa has engaged the use of a domain registration
monitoring service to protect against this.
> As I think has been hashed out before, it's utterly impossible to keep
> people from creating lookalike domains. A couple of days ago, I made
> the lists below of several thousand .COM domains that do and do not
> belong to the Bank of America. These are just in .COM; I didn't
> bother to look in .NET or .ORG or .BIZ or .INFO or any of the hundreds
> of ccTLDs.
>
> We all knew already that SSP doesn't do anything about phishing from
> lookalike domains. But the first From: address rule means that SSP is
> also trivially defeated for mail with the exact domain in the From: line.
The alternative, then, is to look up SSP based on all domains that appear
in the From: line? If that is what you're proposing, let's discuss it.
The alternative that is on the table (use of Sender), however, means
that SSP is also trivially defeated through the use of a domain that
isn't on the From: line at all.
Yes, the lookalike domain thing has been hashed out before, from the
chartering of this WG, and in fact you own examp1e.com as a "souvenir"
of one such discussion. I don't know why we can't move past that.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
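The corrected header example above, run through three candidate lookup rules (first From: domain only, every From: domain, and the Sender: domain) so the difference the thread is arguing about can be seen on the message itself. This is an added illustration, not code from the thread or from any SSP or DKIM implementation: the `SSP_RECORDS` table is a constructed stand-in for DNS-published policy, the rule names and the `evaluate` / `domains_to_check` / `header_domains` / `is_signed_by` functions are my own, and the signature check is a deliberate simplification (a `d=` tag match rather than cryptographic verification).

```python
# Added example (not from the thread): how the choice of which header
# domain(s) an SSP lookup consults changes the verdict for the
# multi-address From: message quoted above.  The policy table stands in
# for DNS; the record format and rule names are constructed assumptions.
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for published SSP records (real SSP lives in DNS).
# "all" means "all mail from this domain is signed"; a domain absent from
# the table publishes no policy, which is the throwaway-domain case.
SSP_RECORDS = {
    "paypal.com": "all",
    "visa.com": "all",
}

# The thread's corrected example, with the obfuscated addresses decoded.
# It carries no DKIM-Signature header, so any consulted domain that
# publishes a strict policy should make it Suspicious.
SAMPLE_MESSAGE = """\
From: visa@visasecurity.net (Visa Security), security@paypal.com (Paypal Security)
Sender: anyone@anywhere.org
Subject: An Urgent Message from Your Friends at Paypal and Visa

Please verify your account.
"""


def header_domains(msg, header):
    """Return the domain part of every address in `header`, in header order."""
    addrs = getaddresses(msg.get_all(header, []))
    return [addr.rsplit("@", 1)[1].lower() for _, addr in addrs if "@" in addr]


def domains_to_check(msg, rule):
    """Which domains an SSP lookup consults under each constructed rule."""
    if rule == "first-from":
        # The rule John objects to: only the first From: address matters.
        return header_domains(msg, "From")[:1]
    if rule == "all-from":
        # Jim's suggested alternative: every domain in the From: line.
        return header_domains(msg, "From")
    if rule == "sender":
        # The Sender-based alternative on the table; fall back to the first
        # From: domain when no Sender: header is present.
        return header_domains(msg, "Sender") or header_domains(msg, "From")[:1]
    raise ValueError(f"unknown rule: {rule}")


def is_signed_by(msg, domain):
    """Constructed simplification: a DKIM-Signature whose d= tag names the
    domain counts as a signature.  A real verifier checks the signature."""
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
        if tags.get("d", "").strip().lower() == domain:
            return True
    return False


def evaluate(raw, rule):
    """Return "Suspicious" if any consulted domain publishes an all-mail-signed
    policy and the message carries no signature for that domain."""
    msg = message_from_string(raw)
    for domain in domains_to_check(msg, rule):
        if SSP_RECORDS.get(domain) == "all" and not is_signed_by(msg, domain):
            return "Suspicious"
    return "Not suspicious"


if __name__ == "__main__":
    for rule in ("first-from", "all-from", "sender"):
        msg = message_from_string(SAMPLE_MESSAGE)
        print(f"{rule:10s} consults {domains_to_check(msg, rule)} -> {evaluate(SAMPLE_MESSAGE, rule)}")
```

Under `first-from` the lookup only ever sees `visasecurity.net`, which publishes nothing, so the unsigned message passes; under `sender` it only sees `anywhere.org`, with the same result. Only `all-from` reaches `paypal.com` and its strict policy, which is the point of Jim's question in the message above.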