On Apr 29, 2008, at 8:49 AM, Al Iverson wrote:
On Tue, Apr 29, 2008 at 11:30 AM, John Levine <johnl(_at_)iecc(_dot_)com>
wrote:
Also, keep in mind that if despite the fact that it doesn't matter,
you really really REALLY want full ADSP coverage on every possible
subdomain, you can always hire someone to write a specialized DNS
server to provide it for you, which I think would cover Yahoo and
Microsoft. The question is what needs to happen in the general case.
I think I'm not the only one making assumptions here.
Let me know if this is going to chill a bit and if there are
opportunities to better understand each other. Or if we're just to
the rock throwing stage, I'll step back, because I'm busy and I
don't see the need.
Phishing attempts may only copy appearance and display names.
Unfortunately, the email-address used could be anything. To better
overcome look-alike attacks, ADSP ALL should enable stricter criteria
for appearance matches by anti-phish filtering.
Possible counter responses to ADSP:
Of course, any hostname within a phished domain could be mistaken for
valid non-signing sources, however those lacking MX or A records might
be excluded on that basis. Names with underscores such as _adsp, are
precluded from being valid hostnames by RFC2821, or RFC2821bis as well.
Depending upon bad-actor's reaction to ADSP, domains heavily phished
_may_ find it beneficial to publish ADSP in conjunction with their
public hostnames. Even so, it seems wholly inappropriate to
facilitate ADSP publishing by imposing a series of DNS transactions
that will occur with _each_ and _every_ email within _any_ domain.
These additional transactions may potentially impact otherwise
uninvolved domains with significant levels of undesired traffic due to
the distributed nature of email.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html