spf-discuss

Re: Non-adoption of SPF by most-phished domains

2004-09-03 00:00:44
"Ryan Malayter" <rmalayter(_at_)bai(_dot_)org> writes:

For what it's worth, there have been - and will continue to be - a lot
of sessions about combating phishing and other electronic payment fraud
at these conferences. I do not know if SPF or SenderID have been
discussed specifically in past sessions, but the phishing problem is
very much on the management radar at banks.

You might like to very tactfully point out to the management that,
especially before MUAs routinely display the Sender-ID PRA or the
result of other MTA checks, some of their current business practices
do nothing to help fight phishing. In particular, the use of third
parties (eg Public Relations, Advertising and Marketing agencies) to
send email on their behalf. If the bank sends legitimate emails which
come from a third party and which claim to have been sent on behalf of
the bank (or other organisation) then it is much harder for the
recipient of an email claiming to be from the bank to determine
whether it has genuinely been sent on behalf of the bank or is a
forgery. If organisations ensured that all email correspondence is
actually shown (in 2821 MAIL FROM and EHLO, and 2822 From) to come
from the organisation then this would help phishing detection both
before and after SPF or Sender-ID is introduced. While technical
measures are needed to fight email forgery, I think that some business
practices could also do with examination.
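As an added example (not part of the original post or any project's code), a small Python check of the alignment the message argues for: whether the RFC 2821 EHLO name, the RFC 2821 MAIL FROM address and the RFC 2822 From: header all sit under the organisation's own domain. The domain names and the two sample sessions are constructed for illustration.

```python
# Added example (not part of the original post): checks whether the three
# identities the post names, RFC 2821 EHLO, RFC 2821 MAIL FROM and the
# RFC 2822 From: header, all fall under the organisation's own domain.
# Domain names and messages below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

def org_domain(name, org):
    """True if `name` is `org` or a subdomain of it (case-insensitive)."""
    name, org = name.lower().rstrip('.'), org.lower().rstrip('.')
    return name == org or name.endswith('.' + org)

def addr_domain(addr):
    """Domain part of an e-mail address; '' if none (e.g. the null sender <>)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition('@')[2]

def identity_alignment(ehlo, mail_from, raw_message, org):
    """Report which of the three identities point at `org`.

    Returns a dict like {'ehlo': True, 'mail_from': False, 'from': True}.
    All three True is what the post asks organisations to ensure; any False
    is a case a recipient cannot tell from a forgery by that identity alone.
    """
    msg = message_from_string(raw_message)
    return {
        'ehlo': org_domain(ehlo, org),
        'mail_from': org_domain(addr_domain(mail_from), org),
        'from': org_domain(addr_domain(msg.get('From', '')), org),
    }

# Constructed sample: a legitimate mailing relayed by a third-party agency.
AGENCY_SESSION = {
    'ehlo': 'mx3.agency.example',
    'mail_from': 'bounces-12345@agency.example',
    'raw_message': 'From: "Bank Example" <service@bank.example>\nSubject: Statement\n\n...',
}
# Constructed sample: the same mailing sent from the bank's own infrastructure.
INHOUSE_SESSION = {
    'ehlo': 'mail.bank.example',
    'mail_from': 'service@bank.example',
    'raw_message': 'From: "Bank Example" <service@bank.example>\nSubject: Statement\n\n...',
}

if __name__ == '__main__':
    for name, session in (('agency', AGENCY_SESSION), ('in-house', INHOUSE_SESSION)):
        print(name, identity_alignment(org='bank.example', **session))
```

The agency session is the situation the post describes: only the header From: names the bank, so the envelope identities give the recipient nothing to distinguish it from a forgery.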