On 05/27/2010 07:05 AM, Barry Leiba wrote:
>> do you believe John, who never believed in ADSP and has repeatedly said
>> that he hopes it fails, and who has a microscopic amount of deployment
>> experience if any at all. Or do we believe Brett/paypal that ADSP is
>> providing benefit *today* in the form of 100's of millions of thwarted
>> phishes, and that ADSP is the only way he can get things to scale
>> beyond handshakes in the Valley.
>
> Indeed. Only, I think it's a little more complicated than that.
>
> PayPal has good experience with independent arrangements that behave
> like ADSP, and they expect it to translate to good and broader
> experience with ADSP. On the other hand, they have some bad
> experience with ADSP, which they expect to meliorate with a change
> that Brett hasn't described yet.
>
> On the other hand, John and Steve expect that the benefits PayPal is
> seeing in thwarted phishing messages will be short-lived, as phishers
> just change domain names, and send out just as many messages as
> before, fooling just as many recipients into thinking they're from
> PayPal.
>
> We will certainly need data collected over time to determine whether
> there's any long-term reduction in unblocked phishing messages as a
> result of ADSP. I'm eager to get that data. We'll also need some
> analysis of whether (and why) PayPal sees some real value in ensuring
> that successful "PayPal" phishing messages do not actually have
> "paypal.com" in the "from" field. I'm eager to see that, too.

The problem with the cross examination that John and Steve are trying to perform is that the witnesses are under no obligation to respond. And, quite reasonably, they don't.

I have absolutely no doubt in my mind that paypal, for example, has a huge amount of infrastructure and practical knowledge about the lookalike domain problem. I'm also completely unsurprised that they aren't leaping out into the fray in a public forum to tell us how they deal with it, and how exactly ADSP fits into their plans. I am happy that they have told us that ADSP is instrumental to their plans even if out of necessity they need to leave it at face value.

I'm sorry that John and Steve aren't satisfied with a company keeping their secret sauce... secret, but that's just how these things work. Especially for security procedures.

Mike

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
