[ietf-dkim] SSP = FAILURE
Steve Atkins
steve at blighty.com
Sat Sep 9 11:35:19 PDT 2006
On Sep 9, 2006, at 10:40 AM, Scott Kitterman wrote:
> On Saturday 09 September 2006 13:26, John Levine wrote:
>>> The best way to help end-users avoid getting phished is to not
>>> accept phishing messages for delivery. DKIM-SSP, where strict policy
>>> statements are published, offers a mechanism for this.
>>
>> I get a message from security at ebay-verify.com. It has a valid
>> signature. I check the SSP for ebay-verify.com, which says "MAJOR
>> PHISHING TARGET, ACCEPT ONLY WITH SIGNATURE." So I drop it into the
>> recipient's mailbox with a gold star on it.
>>
>> What have we just accomplished?
>>
> A bad thing. Don't put the gold star on it. That would be a mistake.
That's right.
And, _within the framework we're discussing here_, it's equally
true for mail from any other domain.
I think that that quite strongly demonstrates that discussing
phishing and SSP at the same time is pretty pointless, as SSP
is all about self-declaration, and people who send phish emails
tend not to tell the truth.
Any value DKIM has w.r.t. phishing is to provide a strong proof
of the identity of the sender, allowing some external third
party to verify that it's really a bank / D&B certified business /
registrar / or what have you.
Cheers,
Steve
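As an added illustration of the point made above (example code, not from the thread or from any DKIM implementation), here is the verifier decision for the ebay-verify.com case: the SSP policy values, the domain list and the "vouched" list are constructed assumptions.

```python
# Added example: verifier policy decision for the case discussed above.
# Policy values and domain lists below are constructed for illustration.
from dataclasses import dataclass

# Hypothetical SSP records keyed by the From: domain. "all" stands in for
# a strict "I sign everything, reject unsigned mail" statement.
SSP_RECORDS = {
    "ebay.com": "all",          # the real brand publishes a strict policy
    "ebay-verify.com": "all",   # so can a look-alike: SSP is self-declared
    "example.net": "unknown",   # no policy published
}

# Constructed stand-in for an external vouching source (an accreditation
# or reputation service). SSP cannot take the place of this list.
VOUCHED_DOMAINS = {"ebay.com"}


@dataclass(frozen=True)
class Verdict:
    action: str        # "reject" or "deliver"
    trust_mark: bool   # may the MUA show a "verified sender" indicator?


def evaluate(from_domain: str, signature_valid: bool) -> Verdict:
    policy = SSP_RECORDS.get(from_domain, "unknown")
    # Legitimate SSP use: a strict policy lets the verifier refuse unsigned
    # mail claiming to come from a domain that says it signs everything.
    if policy == "all" and not signature_valid:
        return Verdict("reject", False)
    # A valid signature plus a strict policy proves only that the domain
    # owner sent the message. Whether that owner is a bank or a phisher
    # is something only an external third party can attest, so the trust
    # mark depends on the vouching list and never on SSP alone.
    trusted = signature_valid and from_domain in VOUCHED_DOMAINS
    return Verdict("deliver", trusted)
```

Only the unsigned ebay.com message is rejected; the signed look-alike is delivered but gets no gold star.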