On Apr 29, 2010, at 3:47 PM, Graham Murray wrote:
"McDowell, Brett" <bmcdowell(_at_)paypal(_dot_)com> writes:
Priority: it's more important to us that cyber criminals not be
systemically enabled to leverage MLM systems to bypass email
authentication flows and consumer protection policies designed to
block their attacks... the attacks that, if not for the MLM
intermediary, would have been blocked thanks to DKIM+ADSP and the
voluntary compliance to ADSP policies by certain ISP's/Mailbox
Providers.
Though is the fact that a mail arrives via an MLM not also a very strong
contra-indication of the validity of nearly all mail which would
constitute such an attack? Irrespective of any other factors, the mere
fact that it arrives via an MLM is an almost certain indication that any
mail which purports to tell you that you have won a lottery, been given
a bequest, have a problem with your account, need to contact a company
about some purchase or other problem etc, is almost 100% certain to be
either a phishing attack, a forgery or a scam. In almost all cases,
genuine mail sent via an MLM is not of the nature which requires such
authentication or falls within consumer protection polices.
That's a very reasonable position to take and it makes good common sense. But
I've been surprised by frighteningly common consumer behavior that flies in the
face of good common sense. But still, I think you have a point and we'd have
to turn to the experts on whether the data shows fraud caused by phishing
attacks that were delivered by mail lists. I don't know the answer to that
right now.
To take your postings here as an example. Mail from PayPal about
people's accounts, policy changes etc needs to be protected and pass
authentication. However, whether or not your postings here authenticate
as genuinely coming from PayPal is not really important and in no way
affects the validity of the points you make in your posts.
But here is where I must differ. For example, let's say we created a subdomain
that we used for all transactional mail and that was the only domain we
asserted "discardable" for. Well, we just handed the Phishers all of our other
domains and they would be more than happy to use those. The consumer doesn't
and really never will consistently discriminate between the mail we tell them
to trust vs. the mail we tell them not to trust... it's sad and frustrating,
but it's reality.
Even if you flipped the use case and asserted ADSP discardable for all domains
except one that you use for employees... like maybe corp.paypal.com. Well, you
just handed the Phishers corp.paypal.com.
We still have the cousin domain problem, as you all know. But we are trying to
reduce the threat surface as much as we can. I think a DKIM-for-MLM's spec
just might help reduce that threat surface a bit more.
BTW, I didn't join this list to become the center of attention :-) Aren't
there other heavily-phished senders on this list who can speak to these issues
and use cases?
-- Brett
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html