On Saturday 09 September 2006 15:12, John Levine wrote:
> >It seems to me you may be saying that a look-alike domain can be made
> >to look more authentic than the actual domain. Is that right? If
> >so, I'd like to understand that.
>
> It doesn't have to look more authentic. It only has to look as
> authentic. With SSP, everyone can publish equally authentic "PHISH
> TARGET" notices.
>

I don't recall seeing anything about PHISH TARGET notices in Mike's requirements draft, so I think you are arguing that the SSP you are arguing against is a different one than the WG is working on.

> >I would call forcing phishers to switch from exact domains to
> >look-alikes progress.
>
> Well, OK. Here's a small selection from a recent .COM zone file.
> Let's pretend they all just sent you mail, and they all have valid
> signatures and the most draconian SSP. Which one is really Paypal?
> (One of them is.)

None of them are Paypal domains that have sent messages to me. I have no idea. I don't think I'd trust any of them (even if one is real, I'd be suspicious).

This is, however, irrelevant. The point is that none of them are paypal.com. I think it was PHB that said that the advice being given for the last several years to financial institutions was to use their main domain name for their transactional mail.

> > Claims that SSP is a meaningful anti-phishing tool are nuts.

I imagine it all revolves around the significance one places on blocking exact domain forgery/phishes. If you don't think that's meaningful, then sure. I think it's meaningful.

Scott K

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
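The exchange above turns on what a sender signing policy can and cannot decide. The following toy evaluator is an added example, not code from the DKIM working group or from either participant in the thread; the policy table, the "all"/"unknown" policy values and the domain names in it are constructed assumptions, not real DNS records or real SSP syntax. It shows both points at once: an unsigned message claiming the exact domain paypal.com is rejected because that domain asserts it signs everything, while a look-alike domain that publishes an equally strict policy and signs its own mail passes just as cleanly.

```python
"""Toy model of a DKIM sender signing policy (SSP) check.

Constructed for illustration: POLICIES stands in for records a verifier
would normally look up in DNS, and the policy values are simplified.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed policy table keyed by From: domain.
#   "all"     -> the domain asserts that every message it originates is
#                signed with a first-party signature from that domain.
#   "unknown" -> no policy published (the default for absent entries).
POLICIES = {
    "paypal.com": "all",
    # constructed look-alike domain with an equally strict policy
    "lookalike.example": "all",
}


@dataclass
class Message:
    from_domain: str
    # Domain of a DKIM signature that verified, or None if the message was
    # unsigned or its signature failed verification.
    signing_domain: Optional[str]


def ssp_result(msg: Message) -> str:
    """Evaluate one message under the toy policy model.

    Returns "pass" (first-party signature present), "fail" (domain claims
    to sign everything but this message is not signed by it) or "unknown"
    (no policy published, so nothing can be concluded).
    """
    policy = POLICIES.get(msg.from_domain.lower(), "unknown")
    if msg.signing_domain and msg.signing_domain.lower() == msg.from_domain.lower():
        return "pass"
    if policy == "all":
        return "fail"
    return "unknown"


def is_exact_domain(msg: Message, protected_domain: str) -> bool:
    """True only when the From: domain is literally the protected domain.

    A strict policy protects exactly this case; a look-alike domain is
    a different string and is judged solely on its own policy.
    """
    return msg.from_domain.lower() == protected_domain.lower()


if __name__ == "__main__":
    samples = [
        Message("paypal.com", None),                      # exact-domain forgery, unsigned
        Message("paypal.com", "paypal.com"),              # genuine first-party mail
        Message("lookalike.example", "lookalike.example"),  # look-alike signing its own mail
        Message("other.example", None),                   # no policy published
    ]
    for m in samples:
        print(f"{m.from_domain:20} exact={is_exact_domain(m, 'paypal.com')!s:5} "
              f"ssp={ssp_result(m)}")
```

Running the script prints a "fail" for the unsigned exact-domain message and a "pass" for the look-alike, which is the limitation the thread is arguing about: the policy check answers "is this really paypal.com?" but not "does this look like paypal.com?".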
