[Asrg] where the message originated (was: DKIM role?) (SM)
Ian Eiloart
iane at sussex.ac.uk
Tue Jan 20 03:43:31 PST 2009
--On 19 January 2009 13:46:00 -0500 Chris Lewis <clewis at nortel.com> wrote:
> Dotzero wrote:
>> On Mon, Jan 19, 2009 at 12:48 PM, Ian Eiloart <iane at sussex.ac.uk> wrote:
>
>> How happy will you be when your ISP checked the DKIM signature
>> upstream from your mail client, added in x-headers showing the check
>> (and possibly other things) and broke the signature?
>
> Or, if your ISP checked SPF and DKIM, and reported the email as legit
> ... for a domain name very much like, but not exactly like your bank...?
That would be a problem. However, a smart mail client could also check that
the domain is used in my address book. And, it could also check my address
book and history for matching domains. Near matches should be flagged as
suspect.
Use of relatively secure top level domains could help. I don't understand
why my bank stopped using its ".coop" domain. It's much harder for spammers
to register those domains. I'd like to see a ".fin.uk" (or similar) domain,
where only organisations regulated by the Financial Services Authority can
register domains, and where they're required to use SPF.
> Even with reputation services telling you whether the domain is
> supposedly good, phishers generate domains so fast, and reputation
> services are of necessity going to have to score new ones as "neutral"
> at worst, it's not going to get you very far overall.
Frankly, I'm not going to bank with a bank that can only achieve "neutral"
for its email domain reputation.
> We need a feasible mechanism for forcing end users to be smarter ;-)
Agreed! Banks that use email should take care to educate their users on
this matter. Holding the bank (rather than the account holder) at least
partially responsible for fraudulent use of accounts that they manage would
help. They might have to prove that they'd taken reasonable steps to
educate their customers about phishing, and that they'd deployed domain
protection technologies.
> _______________________________________________
> Asrg mailing list
> Asrg at irtf.org
> http://www.irtf.org/mailman/listinfo/asrg
--
Ian Eiloart
IT Services, University of Sussex
x3148
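As an added example, not code from this thread or from any of its participants, the following Python implements the client-side check described above: compare the sender's domain with the domains already in the user's address book and flag near matches (typo-squats, digit/letter swaps, a known domain smuggled in as a subdomain, the same name under a different TLD) as suspect. The address book, the short public-suffix table, the confusable-character table and the edit-distance threshold are all constructed for the example. In practice the check should run on the domain that DKIM or SPF actually authenticated, not on the raw From: header alone.

```python
"""Address-book check of a sender domain (added example).

Classifies the domain in a From: header against the domains the user has
corresponded with before:
  "known"    exact match on the registrable domain
  "suspect"  near match: typo or confusable within the name, known domain
             used as a subdomain of something else, same second-level label
  "unknown"  nothing in the address book resembles it
"""
import unicodedata
from email.utils import parseaddr

# Constructed address book: registrable domains seen in earlier correspondence.
ADDRESS_BOOK = {"sussex.ac.uk", "examplebank.coop", "nortel.com"}

# Public suffixes under which the registrable name is the third label.
# A real client would use the Public Suffix List; this table is an assumption.
SECOND_LEVEL_SUFFIXES = {"ac.uk", "co.uk", "gov.uk", "org.uk", "com.au"}

# Cheap one-character substitutions used to build lookalike names.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

# Assumed threshold; on short names even 2 is noisy, so tune for your data.
MAX_EDIT_DISTANCE = 2


def sender_domain(from_header):
    """Extract the lowercase domain from a From: header value ("" if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def registrable_domain(domain):
    """Reduce a host name to its registrable part (sussex.ac.uk, nortel.com)."""
    labels = domain.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(domain):
    """Canonical form that collapses common confusables: NFKC, digit/letter
    swaps, then the multi-character tricks rn->m and vv->w."""
    s = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLE_CHARS)
    return s.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header, address_book=ADDRESS_BOOK):
    """Return (verdict, matched_known_domain) for the sender of a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown", None
    reg = registrable_domain(domain)
    if reg in address_book:
        return "known", reg
    for known in address_book:
        # Known domain used as a subdomain of an unrelated one: bank.coop.evil.net
        if domain.startswith(known + "."):
            return "suspect", known
        # Same name under another TLD, a confusable spelling, or a short typo
        if (reg.split(".")[0] == known.split(".")[0]
                or skeleton(reg) == skeleton(known)
                or edit_distance(reg, known) <= MAX_EDIT_DISTANCE):
            return "suspect", known
    return "unknown", None


if __name__ == "__main__":
    for hdr in ("Ian Eiloart <iane@sussex.ac.uk>", "security@examp1ebank.coop",
                "alerts@examplebank.coop.evil.net", "news@unrelated.org"):
        print(hdr, "->", classify(hdr))
```

The verdicts are only as good as the address book: a first message from a genuinely new correspondent is "unknown", not "suspect", which is the right default for a mail client that wants to warn rather than block.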