----- Original Message -----
From: "Ryan Malayter" <rmalayter(_at_)bai(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Cc: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, September 30, 2004 2:09 PM
Subject: RE: [spf-discuss] The pretty name
>> minor problem that is already addressed in other ways.
> I think the banking industry would think phishing is more than a "small
> problem". Hundreds of millions of dollars per year are lost to phishing
> attacks. I would say drastic measures are called for. And this problem
> is NOT already addressed in other ways.
Why don't CITIBANK.COM and others with the problem add an SPF record?
Doesn't seem like Citibank.com is really interested in doing what it can to
help address it. By doing so, if we have any Citibank users on our system
and others with SPF support, they are protected.
> But something needs to be done to authenticate what the
> user sees in the MUA. What I suggest seems to me a heavy-handed but
> quick fix until a better solution is available.
But it isn't even a fix. If it was, don't you think it would have been done?
> So I ask again - and please provide some examples this time if you
> choose to respond - what critical email delivery functions would
> rewriting the 2822.from at edge MTAs break? The 2822.from header is only
> an "informational" header, and has no effect on message delivery, right?
First, no. 2822.From is part of the reply address logic if Reply-To is not
present.
Second, SMTP systems are forbidden from modifying the payload. Screwing
around with the headers is borderline unethical and runs the risk of
violating some US ECPA provisions. You've got product liability issues to deal
with, and I would not promote such concepts. Today 2822.From. Tomorrow, what
else? The Subject line? The body? I would not promote such ideas. It is
very dangerous.
In any case, think "integrity" authentication. The problem with
"researchers" is that they don't want to use a callback mechanism to
validate and authenticate the mail. Instead, they want to use a 3rd party.
But in my view, the ideal solution is a callback concept that authenticates
the transaction against the original domain submission site.
Sincerely,
Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
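As an added illustration of the point about publishing an SPF record (example code written for this archive page, not code from the thread, from Santronics or from the SPF project), the following minimal SPF evaluator shows what a receiver "with SPF support" can decide once a domain publishes a policy. The DNS data is a constructed in-memory table standing in for TXT lookups, and the domain names in it are placeholders. It handles only the ip4, ip6, include and all mechanisms with the four qualifiers; a real implementation also needs a, mx, exists, redirect, DNS-lookup limits and macro expansion. Note that classic SPF checks the RFC 2821 MAIL FROM (envelope) domain, not the 2822.From header the user sees in the MUA, which is exactly the gap the two posters are arguing about.

```python
import ipaddress

# Constructed stand-in for DNS TXT records (assumption: real code queries DNS).
FAKE_TXT = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "no-policy.test": "",  # a domain that publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 4408/7208 cap on DNS-lookup mechanisms


def lookup_spf(domain):
    """Return the v=spf1 record for a domain, or None if it publishes none."""
    record = FAKE_TXT.get(domain.lower(), "")
    return record if record.startswith("v=spf1") else None


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate the connecting IP against the MAIL FROM domain's SPF policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"  # no policy published: receiver can conclude nothing
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced policy yields "pass"
            if check_spf(client_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this toy does not implement
    return "neutral"  # no mechanism matched and no "all" term present


def smtp_action(result):
    """Map an SPF result to a receiver-side action at the MAIL FROM stage."""
    if result == "fail":
        return "reject"  # 550: sender forged per the domain's own policy
    if result == "softfail":
        return "accept-and-mark"  # deliver, but tag for filtering
    return "accept"  # pass, neutral, none, permerror: no basis to reject


if __name__ == "__main__":
    for ip, domain in [("192.0.2.5", "example-bank.test"),
                       ("203.0.113.1", "example-bank.test"),
                       ("203.0.113.1", "no-policy.test")]:
        result = check_spf(ip, domain)
        print(f"{ip:>14} MAIL FROM {domain}: {result} -> {smtp_action(result)}")
```

The last case is the one the thread is about: a forged MAIL FROM for a domain that publishes nothing evaluates to "none", so the receiver has no policy to enforce no matter how good its SPF support is.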
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/