ietf-dkim

Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-06-02 14:27:43
On May 28, 2010, at 12:28 AM, Steve Atkins wrote:


On May 27, 2010, at 9:15 PM, John Levine wrote:

On the other hand, John and Steve expect that the benefits PayPal is
seeing in thwarted phishing messages will be short-lived, as phishers
just change domain names, and send out just as many messages as
before, fooling just as many recipients into thinking they're from
PayPal.

Actually, that's Steve.  John sees utility in manual drop lists, but
not in ADSP since there is no way to tell whether someone publishing
ADSP understands what it means.  Recent experience suggests that they
often don't.

It's not really my view either. I do think that there's some risk of manual
drop lists becoming less effective, but I also think that it's more a risk
than a certainty, and it's something that may be resolved by a couple
of smart engineers - as it's a flexible approach that can
be modified in response to opponent behaviour in days or hours.

That flexibility (and lack of publication of the details) and direct
involvement of smart people in real time to maintain it are some of the
things that make the manual drop list approach much more viable
than a static, self-publication approach.

My problem with this position is that it seems to argue for proprietary one-off 
solutions vs. Internet standards for email authentication policy assertions.  I 
would think that's a non-starter, especially for participants in this WG.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
