[mail-vet-discuss] Fwd: Re: Discussion of auth-header draft (fwd)

Charles Lindsey chl at clerew.man.ac.uk
Mon Oct 13 03:13:37 PDT 2008


On Fri, 10 Oct 2008 18:21:39 +0100, SM <sm at resistor.net> wrote:

> At 02:13 10-10-2008, Charles Lindsey wrote:
>> Which suggests a much simpler answer to the whole problem. The
>> authserv-id is chosen by the MTA. So you simply state that the
>> authserv-id MUST NOT be the domain name of the MTA as obtainable from
>> the (any) MX record, or be easily derivable from it. That is not to say
>> it may not contain that domain name, but it must also include some
>> other "magic word" which could not be guessed by the Bad Guys, but
>> which could be hidden in the documentation provided by that HTA to its
>> end users.
>
> The "Bad Guys" could easily find out the authserv-id as a person can
> set up an account on the receiving domain to figure it out.

If the phisher is planning a phish of a million messages, addressed to
maybe 100,000 distinct domains, then he can hardly subscribe to 100,000
ISPs without getting noticed. Moreover, if he lets his botnet do the work,
then he has to get the information back from his botnet, which itself will
provide 100,000 fresh opportunities for the Good Guys to identify him.
Botnets only work so well because they require only one-way communication
from the bot herder once they have been set up.



-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                          Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
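
The consumer-side check that the quoted proposal depends on, as an added example that is not part of the original message: a filter trusts only Authentication-Results fields whose authserv-id equals the locally configured value, so a field carrying the guessable MX name is ignored. The id `mx.example.net.k7q2v9x4`, the function names and the sample message are constructed for illustration.

```python
import hmac
from email import message_from_string

# Constructed value: MX host name plus an unguessable token, as proposed above.
LOCAL_AUTHSERV_ID = "mx.example.net.k7q2v9x4"


def authserv_id(header_value):
    """Return the authserv-id: the first token before the first ';'."""
    head = header_value.split(";", 1)[0].split()
    return head[0] if head else ""


def trusted_results(msg, local_id=LOCAL_AUTHSERV_ID):
    """Keep only Authentication-Results fields stamped with our own id."""
    trusted = []
    for value in msg.get_all("Authentication-Results", []):
        candidate = authserv_id(value).lower().encode()
        # Constant-time comparison, since the id is treated as a secret here.
        if hmac.compare_digest(candidate, local_id.lower().encode()):
            trusted.append(" ".join(value.split()))
    return trusted


# Constructed message: the first field was added by the receiving MTA, the
# second was supplied by the sender using the name visible in the MX record.
SAMPLE = """\
Authentication-Results: mx.example.net.k7q2v9x4; spf=fail smtp.mailfrom=bank.example
Authentication-Results: mx.example.net; dkim=pass header.d=bank.example
From: support@bank.example
Subject: test

body
"""


def demo():
    return trusted_results(message_from_string(SAMPLE))


if __name__ == "__main__":
    for result in demo():
        print(result)
```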

