--On 30 October 2008 11:31:13 -0700 Jeroen van Aart <[EMAIL PROTECTED]> 
wrote:

> neil wrote:
>> I have tried in the past to contact banks and ask about SPF, DKIM etc,
>> but I have had no reply.
>
> Rightfully so. I wouldn't trust a bank who'd just comply to the whims of
> an individual emailing them about this or that random questionable
> feature.
>
>> Yes I know that SPF etc breaks stuff <cue furious debate about
>> forwarding>, but I would have thought that in the few cases where people
>> set up deliberate forwarding they could whitelist, versus the millions
>> of phishing mails sent each day.

It doesn't break anything. Email is already fundamentally broken, if you 
care even the slightest bit about security.

>
> Do you honestly believe that SPF or whatever is the newest fancy useless
> feature will prevent phishing even a tiny bit?

Absolutely, but it has to be combined with user-friendly tools to help 
people understand where something came from.

> I don't. SPF doesn't just
> break forwarding but can actually promote spam

Only if people confuse SPF pass with reputation. It (or something similar) 
is a pre-requisite for useful reputation systems. The only reputation we 
can currently assign is to IP addresses, and that might be useful for 
blocking some bad stuff, but what banks and their customers need is a way 
to say "yes, this really did come from your bank". The best we can do at 
the moment is say "This IP address has (or hasn't) been a spam emitter in 
the past", and that's not what we care about.

Banks can, and should, let their customers know which domains they're going 
to use for email. Email clients ought to offer a facility to not just 
whitelist their bank's domain, but to verify the email source.

> and spammers appear to
> have adopted it quickly:

Doesn't matter. An SPF match is meaningless in the absence of information 
about the domain reputation.

> http://www.theregister.co.uk/2004/09/03/email_authentication_spam/

That report actually says "SPF ... might be useful in curtailing spoofing 
and phishing attacks"

>
> Greetings,
> Jeroen



-- 
Ian Eiloart
IT Services, University of Sussex
x3148

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
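An added illustration of the point made in the message above (not code from the thread or from Exim): an SPF "pass" only says "the domain owner authorised this IP", and it takes a separate list of domains the customer already trusts to turn that into "yes, this really did come from your bank". The evaluator below implements a small subset of RFC 7208 (`v=spf1` with `ip4`, `ip6`, `include` and `all`, plus the `+ - ~ ?` qualifiers). The DNS zone, domain names and IP addresses are constructed stand-ins, so it runs offline; the look-alike domain `examp1e-bank.test` publishing its own valid SPF record stands for the "spammers adopted it quickly" observation, and the relay at 192.0.2.200 stands for a forwarder.

```python
"""Minimal SPF evaluator plus a 'known sender' check.

Added example, not from the exim-users thread. Supports a subset of
RFC 7208: v=spf1, ip4, ip6, include, all, with + - ~ ? qualifiers.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical names and
# RFC 5737 documentation addresses, not real records).
SPF_TXT = {
    "example-bank.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    # Look-alike phishing domain: SPF is trivially satisfied by its own record.
    "examp1e-bank.test": "v=spf1 ip4:192.0.2.77 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` (the MAIL FROM domain) for `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = SPF_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) are ignored here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # splits on the first ':' only, so ip6 args survive
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only if the referenced record yields pass
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched and no 'all' present

# What the bank told its customer it will send from (hypothetical).
KNOWN_BANK_DOMAINS = {"example-bank.test"}

def classify(ip, mail_from_domain, known_domains=KNOWN_BANK_DOMAINS):
    """Combine the SPF result with the customer's own list of trusted domains."""
    spf = check_spf(ip, mail_from_domain)
    if spf != "pass":
        # Covers forwarded mail too: 'not verified' is not the same as 'phishing'.
        return spf, "unverified"
    if mail_from_domain in known_domains:
        return spf, "verified-known-sender"
    # SPF pass from a domain the user has no relationship with: tells us nothing.
    return spf, "authenticated-unknown-sender"

if __name__ == "__main__":
    cases = [
        ("203.0.113.5", "example-bank.test"),    # bank's own range
        ("198.51.100.11", "example-bank.test"),  # bank's vendor via include
        ("192.0.2.77", "examp1e-bank.test"),     # look-alike with valid SPF
        ("192.0.2.200", "example-bank.test"),    # forwarder relaying bank mail
        ("192.0.2.1", "nospf.test"),             # domain with no record
    ]
    for ip, dom in cases:
        print(f"{ip:>15} {dom:<22} -> {classify(ip, dom)}")
```

Note the caveat: SPF evaluates the envelope sender (RFC 5321 MAIL FROM or HELO), not the `From:` header a user sees in their client, so a client-side "verify the source" feature has to tie the authenticated domain back to what it displays.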
