On May 26, 2010, at 12:46 PM, Brett McDowell wrote: >> >> Paypal is claiming an operational benefit, but haven't actually >> demonstrated that ADSP either provides that benefit, nor that >> those benefits can't be provided in a significantly cheaper manner. > > I thought I had. Remember that business about 100 million phishing attacks > being blocked (DKIM alone would not have delivered that... it was our policy > assertion and the acceptance to act on that policy assertion that made this > happen)?
Should ADSP be deployed widely, and it were to be used by PayPal, then any of the smarter phishers would not continue to send mail that would not be delivered. They would continue to send phish email, of course, just not of a form that would be blocked by ADSP. At best this would cause the badly done phishing emails to be blocked while allowing the ones sent by smarter criminals to be delivered. Given that, it's not something that will provide any benefit once ADSP is deployed - maybe just the opposite, as it will effectively neuter the approach you're currently using. You may win the battle of preventing use of the string "paypal.com" in the non-displayed part of the From: field, yet lose the war of protecting your users from phishers. > What do I need to show you guys before you accept that I have demonstrated > that ADSP provides operational benefit? You need to go beyond "We do this" to "We do this, and our opponents will respond with that, and we will respond with the other ...". This isn't a protocol that's used solely between honest peers, it's something that is solely for thwarting bad guys in a hostile environment. There are clearly approaches that can be build on top of DKIM that would be extremely effective in that environment. There's no data so far to suggest that ADSP is one of them. (ADSP could provide benefits when combined with something like certification or whitelisting - but in those cases you can skip the publication of ADSP records altogether, and apply the certification or whitelisting results directly, based on DKIM authentication). And every bit of ISP or sender resources or mindshare that is consumed by ADSP is focus that's not expended on approaches that are likely to be more effective, both immediately and longer term. Something corresponding to extended validation SSL certificates, perhaps. Cheers, Steve _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
