[ietf-dkim] Review of DKIM Sender Signing Practices
mike at mtcc.com
Tue Dec 4 11:34:01 PST 2007
John L wrote:
>> This assumes that SSP tries to solve the lookalike domain problem.
> Can we review the last couple of messages, please?
> You said that a way to avoid making useless SSP lookups was to only look
> up a domain if you've previously seen a signed message from it.
> I said, I get a bunch of messages purporting to be from a bank I've
> never seen before. This isn't lookalike, this uses the actual domain
> (in this case hsbc.co.uk) but since I've never seen any mail from them
> before, good or bad, I won't do the lookup and I'll never know that
> their SSP says they sign all their mail.
> As it happens, lots of people around here have HSBC US accounts, the two
> banks' branding is nearly identical, and it's not absurd to worry that
> if someone put HSBC US account info into the HSBC UK phish, the bad guys
> would be able to make use of it.
hsbc.co.uk != hsbc.com. That they have layer 8+ ties to one another
is not a problem SSP is trying to solve.
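A small model of the lookup heuristic debated in the thread, added here as an illustration; it is not code from the thread, the SSP draft, or any DKIM implementation. It assumes an in-memory table standing in for the `_ssp._domainkey` TXT records and the `dkim=all` / `dkim=unknown` practices of the draft, and every message and record value in it is constructed. It shows the failure mode John L raises (a first-contact unsigned message from a domain that publishes `all` never triggers a lookup) and the point Mike makes (SSP is keyed on the exact From: domain, so a related domain with no record gets no benefit).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for DNS. Real SSP publishes a TXT record at
# _ssp._domainkey.<domain> carrying a dkim= tag; the practice values
# 'all' (every message from this domain is signed) and 'unknown' (no
# claim) follow the draft as this example assumes it. Nothing is queried.
SSP_RECORDS: Dict[str, str] = {
    "hsbc.co.uk": "all",   # constructed: the UK bank says it signs all mail
}


@dataclass
class Message:
    from_domain: str            # exact domain of the RFC 5322 From: header
    signed_by: Optional[str]    # domain of a valid DKIM signature, or None


@dataclass
class Verifier:
    # lazy=True models the heuristic under debate: only consult SSP for a
    # domain once a validly signed message from it has been seen.
    lazy: bool
    seen_signed: Set[str] = field(default_factory=set)
    lookups: int = 0

    def ssp_lookup(self, domain: str) -> str:
        """Fetch the sender's practice; no record is treated as 'unknown'."""
        self.lookups += 1
        return SSP_RECORDS.get(domain, "unknown")

    def evaluate(self, msg: Message) -> str:
        # A valid first-party signature settles the question and, for the
        # lazy verifier, unlocks future SSP lookups for this domain.
        if msg.signed_by == msg.from_domain:
            self.seen_signed.add(msg.from_domain)
            return "signed"
        if self.lazy and msg.from_domain not in self.seen_signed:
            return "accepted-no-lookup"   # the case John L describes
        practice = self.ssp_lookup(msg.from_domain)
        if practice == "all":
            return "suspicious"           # unsigned, yet the domain signs everything
        return "accepted"                 # SSP makes no claim about this domain


def run_scenario() -> Dict[str, str]:
    """Constructed traffic: a first-contact unsigned message, the same domain
    after a genuine signed message, then a different-but-related domain."""
    phish = Message(from_domain="hsbc.co.uk", signed_by=None)
    genuine = Message(from_domain="hsbc.co.uk", signed_by="hsbc.co.uk")
    us_bank = Message(from_domain="hsbc.com", signed_by=None)

    lazy, eager = Verifier(lazy=True), Verifier(lazy=False)
    results = {
        # Never seen hsbc.co.uk before: lazy skips the lookup, eager catches it.
        "lazy_first_contact": lazy.evaluate(phish),
        "eager_first_contact": eager.evaluate(phish),
    }
    # Once a signed message from the domain has arrived, the lazy verifier
    # behaves like the eager one for later unsigned mail.
    lazy.evaluate(genuine)
    results["lazy_after_signed"] = lazy.evaluate(phish)
    # SSP is keyed on the exact From: domain. hsbc.com publishes nothing here,
    # so the brand relationship between the two domains is invisible to it.
    results["eager_related_domain"] = eager.evaluate(us_bank)
    results["lookups"] = f"lazy={lazy.lookups} eager={eager.lookups}"
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The lazy verifier saves exactly one lookup in this run, and that saved lookup is the one that would have flagged the unsigned first-contact message; the eager verifier still accepts the hsbc.com message because no record exists for that domain, which is the part of the problem SSP does not address.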