ietf-mxcomp

Re: Does marid-submitter-02 really make sense?

2004-08-12 22:12:46

Mark Shewmaker <mark(_at_)primefactor(_dot_)com> writes:

If someone else can spoof trustworthy(_at_)trustworthy(_dot_)com, then I hope my
reputation systems will assign a poor reputation to the trustworthy.com
domain, because any claims of anyone to be from there aren't, well,
trustworthy.

The fact that trustworthy(_at_)trustworthy(_dot_)com tells me to trust that a
message really comes from him if it comes through a specific IP still
doesn't mean I should trust such claims if I know that that specific IP
itself isn't trustworthy.

(I.e., if trustworthy is a friend of mine who I happen to trust 100%, and
he trusts a specific IP 100%, but I only trust it 10%, then I should
only trust messages from through that IP, where I can only authenticate
via that IP, by just 10%.  Goofy wording, but you get the idea.)

This is an area where those most vulnerable to phishing or forging (e.g.
financial institutions, eBay, eCommerce sites etc) could help. If they
were to always send mail from their own (non-shared) servers, which
are identifiable as theirs in domain name, rDNS and whois (on the IP
address), it would make it much easier for the recipient systems to
apply checks. If the PRA and reverse path say it comes from
accounts(_at_)bigbank(_dot_)com, the EHLO and rDNS of the connecting IP are
mailserver.bigbank.com then it is much easier to assign trust than
if the EHLO and rDNS are mailer3.outsourcingcompany.com. I have
received (genuine) emails from financial institutions and retailers
(who have both bricks and mortar and online sales) which have been
sent 'on their behalf' by public relations companies. I think using
third parties to send such emails is not helping at all in the fight
against phishing. So the solutions are not just technical, the senders
who want a good reputation will have to adopt safe procedures as
well.
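
The checks discussed in this message, as an added example that is not part of the original post: a receiver compares the domain in the PRA and reverse path with the EHLO name and rDNS name of the connecting host, and caps trust in a message authenticated only through an IP at its own trust in that IP. The function names, the two-label organizational-domain rule and the sample sessions are assumptions made for illustration.

```python
# Added example: all names and sample sessions below are constructed.

def org_domain(name):
    # Assumption: the organizational domain is the last two labels.
    # Production code needs the Public Suffix List (e.g. for bank.co.uk).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def addr_domain(addr):
    return addr.rsplit("@", 1)[1]

def alignment(pra, reverse_path, ehlo, rdns):
    """Compare the claimed sender domain with the connecting host's names.

    rdns is assumed to be forward-confirmed already (PTR name resolves
    back to the connecting IP); None means no usable PTR record.
    Returns (aligned, reasons).
    """
    sender = org_domain(addr_domain(pra))
    reasons = []
    if org_domain(addr_domain(reverse_path)) != sender:
        reasons.append("reverse path is outside " + sender)
    for label, host in (("EHLO", ehlo), ("rDNS", rdns)):
        if not host:
            reasons.append(label + " missing")
        elif org_domain(host) != sender:
            reasons.append(label + " " + host + " is outside " + sender)
    return (not reasons, reasons)

def trust_via_ip(sender_trust, ip_trust):
    # The quoted point: a message authenticated only through an IP is
    # trusted no more than the receiver trusts that IP (100% and 10% -> 10%).
    return min(sender_trust, ip_trust)

# Constructed sessions using the host names from the message above.
OWN = ("accounts@bigbank.com", "accounts@bigbank.com",
       "mailserver.bigbank.com", "mailserver.bigbank.com")
OUTSOURCED = ("accounts@bigbank.com", "accounts@bigbank.com",
              "mailer3.outsourcingcompany.com", "mailer3.outsourcingcompany.com")

if __name__ == "__main__":
    for name, session in (("own server", OWN), ("outsourced", OUTSOURCED)):
        aligned, reasons = alignment(*session)
        print(name, "aligned" if aligned else "not aligned", reasons)
    print("trust via a 10% IP:", trust_via_ip(1.0, 0.1))
```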