ietf-dkim

Re: [ietf-dkim] requirement for one ADSP record per DNS entry is irrelevant

2008-05-27 08:22:19
Man, this horse still isn't dead.

First of all, this is a gross mischaracterization of what was in the 
document.  It was NEVER a tree walk

It was a one level tree walk, but it's gone now, never to return, so that 
hardly matters.

Although I believe that there is at least one large vendor of network 
equipment whose DNS tree is very flat, that's not true in general, and 
there are plenty of large systems whose DNS tree is more than two 
levels deep.

That doesn't matter.  If there are more levels they are doubtless *orders* of 
magnitude less than the total number of host names.

Perhaps.  It sounds like you're saying that this is a problem that is very 
important to solve, but not so important as to be worth putting 
incrementally more effort into tool development.  That doesn't strike me 
as a very strong argument.

It's your-representative@unprotectedhostname.bank.com - where 
"your-representative" is actually your representative.  We can and should 
protect from that.

You're just reasserting the same implausible claim.  This is part of the 
lookalike problem, and no amount of ADSP will solve that.

ADSP might be of some use against exact name forgery, not lookalike 
forgery.

If the bank has ADSP for mail from joe.smith@bigbank.com, bad guys might 
send phishes from joe.smith@www.bigbank.com, but they're at least as 
likely to phish from joe.smith@bigbanque.com or joe.smith@bigbank.rbn.ru. 
Name any large bank, and I will show you hundreds if not thousands of 
registered lookalike domains they don't control, along with quite a lot of 
lookalike domains they do control.  Nobody can tell from the outside which 
lookalikes are legit, so the only reasonable response to phish forgery is 
to whitelist the small set of real addresses.

Any solution to the lookalike problem that purports to work by putting a 
black mark on all the lookalikes is doomed to failure.  I don't see any 
point in complicating ADSP to at best make it a little easier to put the 
black marks on a modest subset of the lookalikes.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
