ietf-dkim

Re: [ietf-dkim] besides mailing lists...

2010-05-03 12:19:01

John gave one example but I personally don't think that is the best way
to do it.

This is no different than the issue that we at AG faced in 2007 with the
Storm Botnet heavily abusing our major brands. 

As long as we sent mail that used someone else's domains for the From
and the Mail From, we weren't in a position to participate in
authentication systems and efforts. I phrase it this way because (just
one example) many domains will not accept mail that claims to be from
their domain if it didn't originate from their own servers.  

So, using americangreetings.com, the Mail From and the From on our card
notifications is always ecards(_at_)americangreetings(_dot_)com. The
information about the sender is provided in the subject line and the body
of the message so that the recipient knows who created the card. No enduser
personalization other than name and email address is provided in the
notification email so as to provide consistency in the emails. This
makes it easier for mailbox providers as well as recipients to evaluate
the card notification for validity.

Without going into detail about our click through rates and the overall
reduction in phishing/brand abuse, I will say that this works from both
a business and a security perspective.

I will say that many brand owners are unwilling to make changes to their
infrastructure to implement this approach (vs sending as the enduser
email or "on behalf of" the sender email) until their brand is abused.
It really is that simple. In many (most?) cases it requires changes to
back end systems and that takes resources. The other factor is that it
is not perceived as a problem until after it becomes a problem.

Mike
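The fixed-sender pattern described above, as an added example that is not part of this thread or of any AG system: it builds a card notification in three styles (the constant brand address, "send as the end user", and "on behalf of" the end user via a Sender header) and runs a DMARC-style identifier alignment check over each. The brand domain comes from the post; the DKIM selector, the simulated SPF authorization, the card data and all addresses are constructed assumptions, and the signature tags are placeholders rather than a real signature.

```python
"""Why a constant From/Mail From lets a brand participate in authentication.

Added example: the brand domain is from the thread; everything else
(selector, card data, recipient, the SPF simulation) is constructed.
"""
from email.message import EmailMessage
from email.utils import parseaddr

BRAND_DOMAIN = "americangreetings.com"          # from the thread
FIXED_SENDER = "ecards@" + BRAND_DOMAIN         # from the thread
DKIM_SELECTOR = "sel2010"                       # hypothetical selector


def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Real DMARC relaxed alignment uses the Public Suffix List; this shortcut is
    an assumption that is adequate for plain .com/.net/.org brands.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_notification(creator_name, creator_email, recipient, card_id,
                       sender_mode="fixed"):
    """Return (envelope_from, message) for a card notification.

    "fixed":        From and Mail From are the brand's constant address; the
                    card creator is named only in Subject and body.
    "end_user":     From and Mail From are the creator's own address.
    "on_behalf_of": From is the creator's address, Sender and Mail From are
                    the brand's.
    """
    if sender_mode == "fixed":
        from_addr, envelope_from, sender_hdr = FIXED_SENDER, FIXED_SENDER, None
    elif sender_mode == "end_user":
        from_addr, envelope_from, sender_hdr = creator_email, creator_email, None
    elif sender_mode == "on_behalf_of":
        from_addr, envelope_from, sender_hdr = creator_email, FIXED_SENDER, FIXED_SENDER
    else:
        raise ValueError("unknown sender_mode: " + sender_mode)

    msg = EmailMessage()
    msg["From"] = from_addr
    if sender_hdr:
        msg["Sender"] = sender_hdr
    msg["To"] = recipient
    msg["Subject"] = f"{creator_name} sent you an ecard"
    # Simulated signer: the brand always signs with its own domain.
    # bh= and b= are placeholders, not a verifiable signature.
    msg["DKIM-Signature"] = (
        f"v=1; a=rsa-sha256; d={BRAND_DOMAIN}; s={DKIM_SELECTOR}; "
        "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"
    )
    msg.set_content(
        f"{creator_name} ({creator_email}) created a card for you.\n"
        f"Card reference: {card_id}\n"
    )
    return envelope_from, msg


def dkim_domain(msg):
    """Extract the d= tag from the DKIM-Signature header, or None."""
    for tag in str(msg.get("DKIM-Signature", "")).split(";"):
        key, _, value = tag.strip().partition("=")
        if key == "d":
            return value.strip().lower()
    return None


def evaluate(envelope_from, msg, sending_domain=BRAND_DOMAIN, relaxed=True):
    """DMARC-style verdict: an aligned SPF pass or an aligned DKIM pass.

    SPF is simulated: the brand's mail servers are assumed to be authorized
    only by the brand's own SPF record, so a Mail From in any other domain
    fails SPF (the "won't accept mail claiming to be from their domain"
    situation in the thread). DKIM is assumed to verify when d= is present.
    """
    from_dom = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    spf_dom = envelope_from.rpartition("@")[2].lower()
    dkim_dom = dkim_domain(msg)

    def aligned(a, b):
        if not a or not b:
            return False
        return org_domain(a) == org_domain(b) if relaxed else a == b

    spf_pass = spf_dom == sending_domain.lower()
    dkim_pass = dkim_dom is not None
    return {
        "from_domain": from_dom,
        "spf_pass": spf_pass,
        "spf_aligned": aligned(from_dom, spf_dom),
        "dkim_aligned": aligned(from_dom, dkim_dom),
        "dmarc_pass": (spf_pass and aligned(from_dom, spf_dom))
                      or (dkim_pass and aligned(from_dom, dkim_dom)),
    }


if __name__ == "__main__":
    for mode in ("fixed", "end_user", "on_behalf_of"):
        env, m = build_notification("Jane Doe", "jane@example.net",
                                    "bob@example.org", "CARD-0001", mode)
        print(mode, evaluate(env, m))
```

Only the fixed-sender message passes: "send as the end user" fails SPF because the brand's servers are not in the end user's SPF record and fails DKIM alignment because the brand signs with its own domain, and "on behalf of" keeps SPF passing but leaves the RFC5322.From domain unaligned with both identifiers. The Sender header plays no part in alignment, which is why the thread's approach moves the creator's identity into the Subject and body instead.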


-----Original Message-----
From: McDowell, Brett [mailto:bmcdowell(_at_)paypal(_dot_)com]
Sent: Monday, May 03, 2010 11:54 AM
To: MH Michael Hammer (5304)
Cc: dcrocker(_at_)bbiw(_dot_)net; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] besides mailing lists...

On May 3, 2010, at 11:06 AM, MH Michael Hammer (5304) wrote:

And it is easy enough to do "F2F" in a manner that does not break the
authentication-based service.

How?

-- Brett


_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html