(disregard previous, I did miss this message Steve... I have the context now... a few comments below)
On May 27, 2010, at 5:22 PM, Steve Atkins wrote:

> On May 27, 2010, at 12:46 PM, Brett McDowell wrote:
>
>> On May 26, 2010, at 11:28 PM, Steve Atkins wrote:
>>
>>> I'm pretty sure that ADSP as-is is a bad tool to solve any particular
>>> problem.
>>> But given it's not being proposed to solve any concrete problem, it's
>>> hard to discuss whether there's a better solution.
>>
>> Are you deliberately ignoring the data I provided... at your request for
>> data?
>
> Not at all. It's interesting, but it's only marginally related to ADSP.
>
> You're taking data based on a private relationship at a small number of
> consumer ISPs, for a very specific subset of mail and using that as
> data to directly support a protocol based on self-publication by a large
> number of different parties that would be acted upon by more than
> just a couple of consumer freemail providers. (If that weren't the
> case, there'd be no point in standardising a self-publication approach
> such as ADSP).
>
> Additionally, the data you've provided that I've seen isn't that useful
> as it only provides one of the four useful numbers in the legitimate vs
> phish, rejected by ADSP vs not rejected matrix.
>
> To give you a bit more idea of what I mean by that, I've pulled some
> data out of my mailbox, looking at emails that were both legitimate paypal
> mail, and which were clear phish emails targeting paypal. For each of
> those I worked out whether it would have been accepted or rejected
> based solely on ADSP dkim=discardable if they'd been signed when sent.
>
> I'll write up the methodology in a little more detail, but out of my sample
> the initial data is:
>
> Legitimate email from paypal:
>
> 72% rejected by ADSP
> 28% not rejected
>
> Phishing emails using "paypal" in the From line:
>
> 39% rejected by ADSP
> 61% rejected.
>
> This is based on mail to my mailbox, but other than that it's a pretty
> fair sample, if anything it's fairly heavily skewed towards phish emails
> that would be rejected by ADSP (as it's based on emails with the string
> paypal in the From: line, which includes all phish mail that would be
> rejected, but excludes quite a lot of phish mail that wouldn't be).
>
> It's a small sample, but that means I've been able to identify and confirm
> manually the status of each email. (It does ignore the fact that Paypal
> acquires an awful lot of lookalike domains, partly because that's something
> it's hard to analyze after the fact but mostly because "buy every domain in
> every TLD that has my company name in it" is not a behaviour that scales
> at all.)
>
> It's also based on sender behaviour before there's significant actual
> filtering via ADSP. I would expect less mail, both legitimate and
> illegitimate, to be rejected by ADSP as time went on.
>
> That's real data, not theory, for the current state of the paypal related
> mailstream as I personally see it. I think I can extrapolate from there
> to what'll happen to that specific mail stream were ADSP to be widely
> adopted, but that'd be speculation.

I look forward to learning more about your methodology. Your numbers don't match ours, so there may be something we could learn from your analysis.

>>> The original argument was that it would help deal with phishing, but
>>> now even the strongest proponents are happy to explain that it will do
>>> absolutely nothing to help with phishing
>>
>> I'm sorry, I'm not only arguing that it absolutely DOES help with phishing,
>> I've provided real data (vs. theory).
>>
>> Steve, I saw you give a presentation in February and I was very impressed by
>> both your technical knowledge and your overall common sense. I consider you
>> both intelligent and wise. But I cannot explain the position you've taken
>> on the ADSP issue on this mail list.
>
> I think DKIM is a Good Thing that should be widely deployed. ADSP is
> broken in many respects, and because it's tied to DKIM's mindshare
> that brokenness deters DKIM adoption. So I believe that ADSP needs
> to be fixed or it needs to be allowed to die.

I vote for "fix".

>> What other solutions on top of DKIM would you like to see the Internet adopt
>> instead of ADSP... something open, interoperable, and royalty-free I hope!
>
> I can think of several, and I'd be more than happy to sit down and discuss
> them at some point over a beer, but I'm hearing enough grumbling from
> the chairs about what's on topic and what isn't already[1].
>
> Cheers,
> Steve
>
> [1] Domain whitelists operated by FDIC, D&B etc, for real businesses in a
> particular niche, or certificates based on vetting, a-la the green bar are
> two obvious ones, though. The green bar and extended verification certs is
> what PayPal is really relying on to avoid phishing right now, AFAICT. It's
> simple and effective and easy for consumers to understand.

Yes, we support EV Certs too... defense in depth.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
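The legitimate/phish versus rejected/not-rejected matrix discussed in the message above, worked through as an added example that is not part of the thread or of anyone's posted code: a minimal evaluator for the ADSP dkim=discardable rule from RFC 5617, run over a constructed, hand-labelled sample. The decision rule follows RFC 5617 (a message is discardable when the Author Domain in From: publishes dkim=discardable and the message carries no valid DKIM signature whose d= equals that domain); everything else, the domains, ADSP records, messages and labels, is a constructed assumption, and the ADSP lookup is a dictionary standing in for the _adsp._domainkey TXT query a real verifier would make.

```python
# Added example (not from the thread): RFC 5617 ADSP dkim=discardable decision
# logic applied to a constructed, hand-labelled sample to produce the
# legitimate/phish x rejected/not-rejected matrix. All domains, records and
# messages below are constructed assumptions, not real data.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ADSP records keyed by Author Domain (the domain in From:).
# A real verifier fetches these as TXT records at _adsp._domainkey.<domain>;
# a missing entry means "no ADSP record", which RFC 5617 treats as unknown.
ADSP_RECORDS: Dict[str, Optional[str]] = {
    "bank.example": "dkim=discardable",
    "mail.bank.example": None,       # subdomain that never published a record
    "bank-security.example": None,   # lookalike domain registered by a phisher
    "freemail.example": None,        # consumer webmail that signs its own mail
}


@dataclass
class Message:
    from_domain: str            # domain part of the From: address
    valid_sig_d: Optional[str]  # d= of a DKIM signature that verified, None if none
    legitimate: bool            # ground-truth label from manual review


def adsp_outcome(domain: str) -> str:
    """Return the published ADSP practice: 'unknown', 'all' or 'discardable'."""
    record = ADSP_RECORDS.get(domain.lower())
    if not record or not record.startswith("dkim="):
        return "unknown"
    return record[len("dkim="):].strip().lower()


def has_author_domain_signature(msg: Message) -> bool:
    """RFC 5617 Author Domain Signature: a valid signature whose d= equals the
    From: domain. An ESP's or forwarder's signature does not count, and a
    signature broken in transit is no signature at all."""
    return (msg.valid_sig_d is not None
            and msg.valid_sig_d.lower() == msg.from_domain.lower())


def adsp_rejects(msg: Message) -> bool:
    """True when a receiver applying ADSP strictly would discard the message."""
    if has_author_domain_signature(msg):
        return False
    return adsp_outcome(msg.from_domain) == "discardable"


def tally(messages: List[Message]) -> Counter:
    """Count messages into the four cells (legitimate|phish, rejected|not_rejected)."""
    cells: Counter = Counter()
    for m in messages:
        truth = "legitimate" if m.legitimate else "phish"
        verdict = "rejected" if adsp_rejects(m) else "not_rejected"
        cells[(truth, verdict)] += 1
    return cells


def rates(messages: List[Message]) -> Dict[str, Tuple[float, float]]:
    """Per class: (fraction rejected, fraction not rejected), the two numbers
    quoted per class in the thread."""
    cells = tally(messages)
    out: Dict[str, Tuple[float, float]] = {}
    for truth in ("legitimate", "phish"):
        total = cells[(truth, "rejected")] + cells[(truth, "not_rejected")]
        if total:
            out[truth] = (cells[(truth, "rejected")] / total,
                          cells[(truth, "not_rejected")] / total)
    return out


# Constructed sample, labelled by hand the way the thread describes doing it.
SAMPLE = [
    # legitimate mail from the bank
    Message("bank.example", "bank.example", True),          # signed by the bank itself
    Message("bank.example", "esp.example", True),           # sent via an ESP signing with its own d=
    Message("bank.example", None, True),                    # signature broken by a mailing list
    Message("mail.bank.example", None, True),               # subdomain with no ADSP record
    # phishing mail
    Message("bank.example", None, False),                   # direct From: spoof, unsigned
    Message("bank.example", "evil.example", False),         # spoof carrying an unrelated valid signature
    Message("bank-security.example", None, False),          # lookalike domain, nothing to enforce
    Message("freemail.example", "freemail.example", False), # display-name spoof from real webmail
]

if __name__ == "__main__":
    for (truth, verdict), n in sorted(tally(SAMPLE).items()):
        print(f"{truth:10s} {verdict:13s} {n}")
    print(rates(SAMPLE))
```

The sample is built so that each of the four cells is populated: legitimate mail lands in the rejected cell only when it reaches the receiver without a signature from the exact From: domain (third-party signing, or a signature broken in transit), and phish lands in the not-rejected cell whenever the attacker avoids the domain that published the record (a lookalike domain, or a real webmail account with a misleading display name). Those are the two effects the thread's percentages reflect, and the evaluator makes it easy to see which cell a given mail stream's messages would fall into before a domain publishes dkim=discardable.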
