[ietf-dkim] list vs contributor signatures, was Wrong Discussion
Steve Atkins
steve at wordtothewise.com
Thu May 27 21:28:45 PDT 2010
On May 27, 2010, at 9:15 PM, John Levine wrote:
>> On the other hand, John and Steve expect that the benefits PayPal is
>> seeing in thwarted phishing messages will be short-lived, as phishers
>> just change domain names, and send out just as many messages as
>> before, fooling just as many recipients into thinking they're from
>> PayPal.
>
> Actually, that's Steve. John sees utility in manual drop lists, but
> not in ADSP since there is no way to tell whether someone publishing
> ADSP understands what it means. Recent experience suggests that they
> often don't.
It's not really my view either. I do think that there's some risk of manual
drop lists becoming less effective, but I also think that it's more a risk
than a certainty, and it's something that may be resolved by a couple
of smart engineers - as it's a flexible approach that can
be modified in response to opponent behaviour in days or hours.

That flexibility (and lack of publication of the details) and direct
involvement of smart people in real time to maintain it are some of the
things that make the manual drop list approach much more viable
than a static, self-publication approach.

Cheers,
Steve