spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-04 05:10:12
Andy Bakun wrote:
> On Thu, 2004-06-03 at 20:20, Michel Py wrote:
>
>>>This is a social problem though, and I'm not sure it
>>>has a valid technical solution.
>>
>>It does not. Some of the potential marks will not fall for it, but
>>remember that con-art is all about art: if the phishing web site looks
>>and feels like the real one, most of the marks that fall for the scheme
>>will fall even if there are little discrepancies. Web sites do change
>>often these days and we got used to this fact; the clever phisher has a
>>checking account with bigbank anyway just to capture logos and artwork
>>on the customer website. As long as the little yellow padlock is there,
>>Photoshop and JavaScript can do it.
>
>
> Exactly -- and in light of this, header field verification just ends up
> being a feel-good security measure.  The real solution is education, and
> providing the tools to allow users to make more informed decisions.

Don't think of it as a lock, that is foolishness. Think of it as a
way to get the fingerprints of everyone who walks through the door.

Yeah, it isn't going to stop anyone on its own, but it gives
you a tool to decide to stop them, or to help track them down
if they do something wrong.

Personally, I like the idea of doing SPF verification, then
matching the Envelope FROM against the Sender: or From:. With
SpamAssassin you could set a rule that causes mismatches to
be tagged as spam, which should be enough of a heads-up for
any mail user to look more suspiciously at the message.
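As an added illustration (not code from the original post or from any list member), the check described above in Python: the SPF result the MTA already produced for the envelope sender is combined with a comparison of the Return-Path domain against the Sender: and From: header domains. The SPF result is passed in as a constructed input rather than looked up, Return-Path is assumed to carry the envelope FROM, and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages: a genuine alert, and a look-alike whose
# envelope sender is the phisher's own domain (which may well pass SPF).
LEGIT = """Return-Path: <alerts@bigbank.example>
From: BigBank Alerts <alerts@bigbank.example>
Subject: Your statement is ready

Body omitted.
"""
PHISH = """Return-Path: <bounce@mailer.example.net>
From: BigBank Security <security@bigbank.example>
Subject: Verify your account now

Body omitted.
"""

def header_domain(value):
    """Lower-cased domain of an address header value, or None if absent."""
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()

def alignment_verdict(raw_message, spf_result):
    """Return (verdict, reason). spf_result is the outcome the MTA already
    recorded for the envelope sender ('pass', 'fail', 'softfail', 'neutral',
    'none'); it is an input here, not a DNS lookup. Return-Path is assumed
    to hold the envelope FROM the receiving MTA saw."""
    msg = message_from_string(raw_message)
    envelope = header_domain(msg.get("Return-Path"))
    sender = header_domain(msg.get("Sender"))
    frm = header_domain(msg.get("From"))
    if envelope is None:
        return ("suspect", "no envelope sender recorded in Return-Path")
    if spf_result != "pass":
        return ("suspect", "SPF %s for envelope domain %s" % (spf_result, envelope))
    # SPF only vouched for the envelope domain; now require that the identity
    # the reader sees (Sender: if present, else From:) is that same domain.
    if sender is not None and sender == envelope:
        return ("aligned", "Sender: domain %s matches envelope" % sender)
    if frm == envelope:
        return ("aligned", "From: domain %s matches envelope" % frm)
    return ("suspect", "envelope %s does not match From:/Sender:" % envelope)
```

A "suspect" verdict is what the SpamAssassin rule in the post would turn into a spam tag; note that the look-alike is flagged even though its own envelope domain passes SPF.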