ietf-dkim

Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-05-27 08:19:53
Since these are all rhetorical questions, let's cut to the chase:
do you believe John, who never believed in ADSP and has repeatedly said
that he hopes it fails, and who has a microscopic amount of deployment
experience if any at all? Or do we believe Brett/paypal that ADSP is
providing benefit *today* in the form of 100s of millions of thwarted
phishes, and that ADSP is the only way he can get things to scale
beyond handshakes in the Valley?

Maybe I'm crazy, but I give cred to the guy with operational experience.

Mike

On 05/26/2010 11:05 PM, John Levine wrote:
>> I thought I had. Remember that business about 100 million phishing
>> attacks being blocked (DKIM alone would not have delivered that... it
>> was our policy assertion and the acceptance to act on that policy
>> assertion that made this happen)?
>
> Right.  But then there is the utterly unwarranted leap to claiming
> that has any connection to ADSP.  You published your policy by calling
> up your friends at large ISPs, not by ADSP.  It is a fine idea to have
> a manually maintained list of the handful of domains where there is an
> operational benefit to throwing away unsigned mail.  I've configured
> my spamassassin that way.
>
>> What do I need to show you guys before you accept that I have
>> demonstrated that ADSP provides operational benefit?
>
> Something that uses ADSP, rather than a hand-configured list of
> domains.
>
> The key point that Steve and I keep hammering on is that ADSP does not
> scale, because experience tells us that for every domain in Paypal's
> situation, a phish target sending only* transaction mail, there will
> be 100 or 1000 that think it's "more secure" and will publish
> discardable even though they're not phish targets and there is real
> unsigned mail with their return address.
>
> The one data point we have about ADSP is the IETF list where the ADSP
> led to bad results.  Does anyone have positive experience with ADSP?
> I haven't seen any yet.
>
> R's,
> John
>
> * - I am optimistically assuming that Paypal is in the process of
> separating its transaction and individual mail streams so this will
> be true.



_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
