spf-discuss

anti-phishing

2004-07-14 12:24:47
On Wed, Jul 14, 2004 at 07:42:19PM +0100, Graham Murray wrote:
| 
| So, maybe complaints should be made to the financial service
| regulators (FSA in the UK, SEC? in USA) about banks etc who take no
| action about or seem uninterested in internet fraud. 
| 

If you go to sites like http://www.tecf.org/ and
http://www.antiphishing.org/ you will see that companies are
in fact very interested in doing something about the
phishing problem.  Especially the companies that are big
victims of phishing.

Unfortunately, many of these companies are bureaucracies.
Joining an industry group that is publicly committed to
solving the problem may be seen as sufficiently "doing
something".  Half a year ago I spoke with a high-level
executive at eBay and explained SPF to him in detail.  He
said he would look into it.  As far as I know they're still
working on it.

Those industry groups need a few months to actually develop
the courage to recommend SenderID to their members.  For
example, while the FTC report explicitly recommends SPF, the
ASTA paper doesn't identify either SPF or DomainKeys by
name.  These industry groups exist for the purpose of making
good recommendations.  None of them want to make the wrong
recommendation.  But because it is so important that they
not make any mistakes, they may take a very long time to
make any recommendation at all --- they may wait until the
choice is obvious, at which point it is safe to recommend
it.  That may leave some members of the industry groups
scratching their heads asking why they bothered to join in
the first place.  So they're in a tough situation.

During this process, executives at the companies are
blameless; because they're involved in the industry groups,
they are in fact actively "doing something".

This is why having Microsoft behind SenderID is a big help,
because they add legitimacy to the recommendations, and can
actually dictate a deployment timeline.

Also, having the ITU weigh in is another help.  Many
companies fear change, but they also fear government
regulation.  Many bureaucracies are so fearful of change
that they will do something that is clearly in their best
interest only if they're being forced to.  Companies that
are not fearful of change tend to become the leaders in
their industries.  If you look at the list of SPF early
adopters you'll quickly get a sense of the kind of corporate
culture that sets leaders apart from the rest of the pack.

And even when the decision has been made to go ahead,
actually implementing SenderID within the organization may
take another few months.  Big complicated companies have to
tread carefully if they don't want to screw things up.  It's
easy to set up SPF for a small ISP with a dozen mail
servers.  But a big company may have three mail servers in
each of two hundred different departments.  Setting up SPF
records for a company like that is a huge, huge project that
can go for six months or more.

At Pobox, we haven't even set our default to -all because
our users can send mail from all over the place.  They need
a way to configure per-user SPF records, and that education
effort is a very big burden.

