On Fri, 2004-06-04 at 07:10, Daniel Taylor wrote:
> Andy Bakun wrote:
> > Exactly -- and in light of this, header field verification just ends up
> > being a feel-good security measure. The real solution is education, and
> > providing the tools to allow users to make more informed decisions.
> Don't think of it as a lock, that is foolishness. Think of it as a
> way to get the fingerprints of everyone who walks through the door.
> Yeah, it isn't going to stop anyone on its own, but it gives
> you a tool to decide to stop them, or to help track them down
> if they do something wrong.
> Personally, I like the idea of doing SPF verification, then
> matching the Envelope FROM against the Sender: or From:. With
> Spamassassin you could set a rule that causes mismatches to
> be tagged as spam, which should be enough of a heads-up for
> any mail user to look more suspiciously at the message.
Yes, I agree. SPF verification is one of the tools in an arsenal of
weapons against phishing attacks. I think the most any tool can do is
help the user make a more informed choice. But informed choices can
only be made if people are actually willing to be informed and to
understand what the tools mean when they emit a warning.
--
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>
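The check Daniel describes (take the MTA's SPF verdict, then compare the envelope FROM with Sender: or From: and flag mismatches for a SpamAssassin-style tag), as an added example that is not part of this thread or of SpamAssassin. It assumes the receiving MTA stamped Return-Path from MAIL FROM and recorded its verdict in a Received-SPF header (RFC 4408); comparing at the domain level rather than the full address is this example's choice, and both sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

def _domain(addr) -> str:
    """Lower-cased domain of an address; '' if the field is absent or malformed."""
    _, spec = parseaddr(str(addr or ""))
    return spec.rpartition("@")[2].lower()

def spf_result(msg) -> str:
    """First token of Received-SPF ('pass', 'fail', 'softfail', ...); 'none' if absent."""
    hdr = str(msg.get("Received-SPF", "")).strip()
    return hdr.split(None, 1)[0].lower() if hdr else "none"

def check_alignment(raw: bytes) -> dict:
    """Envelope FROM (Return-Path) vs. Sender: if present, else From:.
    Only an SPF pass says anything about the envelope, so alignment is
    evaluated after that; a mismatch is the case to tag for the user."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    env = _domain(msg.get("Return-Path", ""))
    field = "Sender" if msg.get("Sender") else "From"   # Sender: overrides From: (RFC 2822 3.6.2)
    hdr = _domain(msg.get(field, ""))
    spf = spf_result(msg)
    if spf != "pass":
        verdict = "spf_" + spf          # SPF did not pass; alignment is moot
    elif env and env == hdr:
        verdict = "aligned"
    else:
        verdict = "mismatch"            # candidate for a SpamAssassin rule hit
    return {"spf": spf, "envelope": env, "header": field.lower(),
            "header_domain": hdr, "verdict": verdict}

# Constructed sample: SPF passes for the bulk sender, but From: claims a different domain.
PHISH = b"""Return-Path: <bounce@bulk-sender.example.net>
Received-SPF: pass (mx.example.com: domain of bulk-sender.example.net designates 192.0.2.1 as permitted sender)
From: "Example Bank Security" <alerts@example-bank.test>
To: user@example.com
Subject: Verify your account

Body.
"""

# Constructed sample: list traffic where Sender: matches the envelope even though From: differs.
LIST = b"""Return-Path: <list-bounces@lists.example.org>
Received-SPF: pass (mx.example.com: domain of lists.example.org designates 192.0.2.2 as permitted sender)
From: Someone <someone@example.com>
Sender: list-bounces@lists.example.org
To: discuss@lists.example.org
Subject: Re: header field verification

Body.
"""
```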