Well, I think the idea is that SPF and/or Sender ID significantly raise the
bar in terms of how difficult it is to spoof a sender's identity. Today, just
about anyone can send a spoofed message by changing some settings in their
email client application. If, tomorrow, it becomes necessary to spoof a TCP
session to do the same thing, I think that's significant progress.
If you really want to trust that the contents of an email message were
authored by the person who claims to be the author, you need to use a
digital-signature-based authentication mechanism (e.g. S/MIME). Many
financial institutions and online retailers are considering that option
together with other authentication and anti-spam/anti-phishing strategies.
Daryl Odnert
Tumbleweed Communications
Redwood City, California
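The point made in this thread, as an added illustration that is not part of any of the original messages: an SPF check only compares the IP address of the connecting SMTP client against the policy published for the MAIL FROM domain. The evaluator below implements a small subset of SPF (ip4, ip6, include, all, with qualifiers) over constructed, in-memory zone data; the domain names and addresses are placeholders, no DNS lookups are made, and the function names are this example's own. Run over a few constructed sessions, it shows a naive forgery from the phisher's own host failing, and a session whose TCP source address has been forged to one of the legitimate sending addresses passing, indistinguishable from the genuine mail.

```python
import ipaddress

# Constructed zone data for illustration only (placeholder names and
# documentation-range addresses); nothing here is looked up in real DNS.
FAKE_DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "list.example": "v=spf1 ip4:203.0.113.5 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record from the constructed zone data, or None."""
    txt = FAKE_DNS_TXT.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate the ip4/ip6/include/all subset of SPF for a connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only client_ip and the MAIL FROM domain take part; the message body,
    From: header and everything else in the SMTP dialogue are irrelevant.
    """
    if depth > 10:
        return "permerror"  # include loop or too many lookups
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's check passes
            if check_spf(client_ip, value, depth + 1) == "pass":
                return RESULT_FOR_QUALIFIER[qualifier]
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    return "neutral"  # record exhausted without a match and without "all"


# Constructed SMTP sessions, as the receiving MTA would see them.
SESSIONS = {
    "legitimate":    {"tcp_src": "192.0.2.25",   "mail_from": "alerts@bank.example"},
    "naive_forgery": {"tcp_src": "203.0.113.77", "mail_from": "alerts@bank.example"},
    # TCP source address forged to one of the bank's own; body is the phisher's.
    "tcp_spoofed":   {"tcp_src": "192.0.2.25",   "mail_from": "alerts@bank.example"},
    "via_include":   {"tcp_src": "2001:db8::1",  "mail_from": "alerts@bank.example"},
    "list_forgery":  {"tcp_src": "203.0.113.77", "mail_from": "owner@list.example"},
}


def evaluate_sessions(sessions=SESSIONS):
    """Map each constructed session label to its SPF result."""
    results = {}
    for label, session in sessions.items():
        domain = session["mail_from"].rsplit("@", 1)[1]
        results[label] = check_spf(session["tcp_src"], domain)
    return results


if __name__ == "__main__":
    for label, result in evaluate_sessions().items():
        print(f"{label:14s} {result}")
```

Note that "legitimate" and "tcp_spoofed" produce the same verdict from identical inputs: the only thing a successful TCP-level spoof changes is who wrote the message, and that is exactly the one thing SPF never examines. A content-bound signature (S/MIME, as mentioned above) is what would distinguish the two.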
-----Original Message-----
From: Bill McInnis [mailto:bill(_dot_)mcinnis(_at_)messagelevel(_dot_)com]
Sent: Friday, July 30, 2004 4:50 PM
To: 'Daryl Odnert'; IETF MARID WG
Subject: RE: How would SPF or Sender Id caught this one?
Thanks for the reply,
I read that and that was my understanding as well. So does this make it a
solution that works fine for mailing lists, but not for financial
institutions, online retailers, and pretty much anyone transacting dollars
online?
The example was not made up. We are seeing that scenario more and more
where I am sitting.
Bill McInnis
MessageLevel.com
-----Original Message-----
From: Daryl Odnert [mailto:daryl(_dot_)odnert(_at_)tumbleweed(_dot_)com]
Sent: Friday, July 30, 2004 7:44 PM
To: Bill Mcinnis; IETF MARID WG
Subject: RE: How would SPF or Sender Id caught this one?
How would SPF or Sender ID have managed to catch that attack?
I think the answer is: they cannot. If the phisher successfully
spoofed an SMTP-over-TCP session, there is nothing that SPF
or Sender ID can do about that.
You might want to look at section 6.2 of draft-ietf-marid-core-02.txt.
Regards,
Daryl Odnert
Tumbleweed Communications
Redwood City, California