spf-discuss

Re: No use of checking RFC2822 headers

2004-09-28 10:32:07
Then the phisher registers BANK0FAM3RICA.COM or something and
sends an SPF-passing, DomainKeys signed message that passes all checks and
the luser clicks on anyway.

Or, if these SUBMITTER/PRA/SRS-type proposals keep going forward, they send
MAIL-FROM: <trustme(_at_)bankofamerica(_dot_)com>, SUBMITTER
<phisher(_at_)BANK0FAM3RICA(_dot_)COM>. From: "Bank of America"
<trustme(_at_)bankofamerica(_dot_)com>, and not only does the luser click on
it, but bankofamerica.com has to deal with the bounce scatter.

Nothing can protect users from a complete lack of security clue.

I would really like to see more of a focus on end-end MAIL-FROM validation
without re-writing, since that now seems possible.  Bounce scatter and
envelope forgery are things we can address.  Effectively preventing phishing
is not.  If we can get end-end MAIL-FROM validation, end-node MTAs can
enforce Sender: == MAIL-FROM: or even rewrite From: == MAIL-FROM if they
want to display something real to the end-user.

On Tue, Sep 28, 2004 at 07:13:54AM -0400, Carl Hutzler wrote:
I agree. What's the point of SenderID, DomainKeys and others that check the
822 FROM when the phishers can EASILY do this.

On AOL clients (8.0, 9.0, etc) we DO NOT display the display name. We only
show the real email address. I hope this never changes.

-Carl

On 9/28/04 3:00 AM, "Roger Moser" 
<Roger(_dot_)Moser(_at_)rama(_dot_)pamho(_dot_)net> wrote:

I wrote:

To see how useless this is, copy following message into the file test.eml
and open it with Microsoft's Outlook Express

------snip-------
From: "support(_at_)bankofamerica(_dot_)com" <phish(_at_)phisher(_dot_)com>
To: you(_at_)example(_dot_)com
Subject: Account verification
MIME-Version: 1.0
Content-Type: text/html

<html><body>
Click here:
<a href="http://www.phisher.com">https://www.bankofamerica.com</a>
</body></html>
------snip-------

For those who don't have Outlook, this is what Outlook Express displays:

From:    support(_at_)bankofamerica(_dot_)com
Date:    Tuesday, September 28, 2004 9:53 AM
To:      you(_at_)example(_dot_)com
Subject: Account verification

Click here: https://www.bankofamerica.com

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in Atlanta features
SPF and Sender ID.
To unsubscribe, change your address, or temporarily deactivate your
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

-- 
Carl Hutzler
Director, AntiSpam Operations
America Online Mail Operations
cdhutzler(_at_)aol(_dot_)com
703.265.5521 work
703.915.6862 cell

-- 
"If a nation values anything more than freedom, it will lose its freedom;
and the irony of it is that if it is comfort or money that it values more,
it will lose that too." -- Somerset Maugham, Author
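
As an added example (not code from this thread or any of its authors), the Python checker below applies the two points made above to Roger Moser's test message: it flags a From: display name that looks like an address on a different domain than the real one, enforces the Sender: == MAIL-FROM rule the opening post proposes, flags link text that is itself a URL on a host other than the href, and shows what a client that hides display names (as AOL did) would print. The envelope MAIL-FROM value is assumed, since the thread never shows it.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the test message from the thread; MAIL-FROM is an assumed value.
SAMPLE_MSG = """\
From: "support@bankofamerica.com" <phish@phisher.com>
To: you@example.com
Subject: Account verification
MIME-Version: 1.0
Content-Type: text/html

<html><body>Click here:
<a href="http://www.phisher.com">https://www.bankofamerica.com</a>
</body></html>
"""
SAMPLE_MAIL_FROM = "phish@phisher.com"

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw, mail_from):
    """Return a list of findings for a message plus its envelope MAIL-FROM."""
    msg = email.message_from_string(raw)
    findings = []
    display, real = parseaddr(msg.get("From", ""))
    # Display name that looks like an address but belongs to another domain.
    for shown in ADDR_RE.findall(display):
        if domain_of(shown) != domain_of(real):
            findings.append(f"display-name spoof: shows {shown}, real {real}")
    # Policy from the opening post: Sender: (if present) must equal MAIL-FROM.
    sender = parseaddr(msg.get("Sender", ""))[1]
    if sender and sender.lower() != mail_from.lower():
        findings.append(f"Sender {sender} != MAIL-FROM {mail_from}")
    # Link text that is itself a URL on a host other than the real href host.
    body = msg.get_payload()
    for href, text in LINK_RE.findall(body):
        shown_host = urlparse(text.strip()).hostname
        if shown_host and shown_host != urlparse(href).hostname:
            findings.append(f"link spoof: text {text.strip()} -> {href}")
    return findings

def client_from_line(raw):
    """What a client that hides display names (as AOL did) would show."""
    return parseaddr(email.message_from_string(raw).get("From", ""))[1]
```

Run `check_message(SAMPLE_MSG, SAMPLE_MAIL_FROM)` to see both the display-name and the link finding for the sample; a message whose From: domain and link hosts agree with the real values returns an empty list.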