[ietf-dkim] on the scope and necessity of threat analysis
earl at earlhood.com
Sat Aug 13 17:37:53 PDT 2005
On August 13, 2005 at 16:56, Michael Thomas wrote:
> > If then only bad actors we were concerned about were phishers then I'd
> > agree. When we include spammers in the set of bad actors then the
> > situation becomes less clear. Making it slightly more difficult for
> > current bad actors to spam might well make spam considerably more
> > attractive for a much larger group of bad actors who don't mind
> > authenticating their spam.
> I'm sorry, but I do not see how this follows at all. Spammers are
> completely at liberty to identify themselves today. They don't
> have to forge their addresses, so why don't they join the fun
Because it is easier, and cheaper, not to.
The goal of authenticating messages is to increase the cost on
*specific methods* of spamming to either make it prohibitive, less
effective, and/or mitigate the damage caused (e.g. damage to reputation
of identity being forged).
At the same time, the method for authenticating messages should not
open up new methods for spammers to exploit.
Phishing is the "hot" thing now, but much spam is not a phishing
expedition, so providing identity (usually with throw-away domains)
is no big deal.
With an authentication system in place, a phisher has to set up the
infrastructure to support authentication (an increased cost), while at
the same time avoiding responsibility (e.g. using throw-away domains).
Direct forgery may not be allowed, but they may still have success with
"look-a-likes" (e.g. paypal.com vs paypa1.com).
Therefore, the increases in costs due to authentication may not be very
effective, but the cost savings in protecting legitimate identities
(with look-a-like attacks a possible acceptable, and unavoidable,
risk) may be worth the effort as long as new methods of exploits are
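The look-a-like problem raised above (paypal.com vs paypa1.com) as an added illustration that is not part of the thread: a receiver-side check that takes a domain which authenticated successfully and asks whether it is a confusable near-miss of a domain the receiver wants to protect. The CONFUSABLES table, the protected list and the one-edit threshold are assumptions constructed for this example, not anything the message or DKIM specifies.

```python
"""Flag authenticated sender domains that are look-a-likes of protected
domains.  Constructed example: the confusable table and threshold are
illustrative choices, not a standard."""
import unicodedata

# Characters commonly swapped in for a visually similar letter (assumed set).
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0131": "i",   # dotless i
    "\u0430": "a",   # Cyrillic a
    "\u0455": "s",   # Cyrillic dze
})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so a two-row DP is plenty."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, fold compatibility forms, then map confusables to ASCII."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    return d.translate(CONFUSABLES)


def registrable(domain: str) -> str:
    """Crude registrable-domain guess: last two labels (no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])


def classify(signing_domain: str, protected: list, max_distance: int = 1):
    """Return ('exact', brand), ('lookalike', brand) or ('unrelated', None).

    'exact' means the registrable part matches a protected domain as typed;
    'lookalike' means it only matches after confusable folding, or sits
    within max_distance edits of a protected domain."""
    raw = registrable(signing_domain.strip().lower().rstrip("."))
    folded = registrable(normalize(signing_domain))
    for brand in protected:
        brand_raw = registrable(brand.lower())
        if raw == brand_raw:
            return "exact", brand
        if levenshtein(folded, registrable(normalize(brand))) <= max_distance:
            return "lookalike", brand
    return "unrelated", None
```

A domain that is "exact" still needs its reputation judged on its own; this check only separates the forged-by-confusion case from the genuinely unrelated one.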