[Asrg] where the message originated (was: DKIM role?) (SM)
Ian Eiloart
iane at sussex.ac.uk
Tue Jan 20 03:49:40 PST 2009
--On 19 January 2009 19:08:14 +0000 John Levine <johnl at taugh.com> wrote:
>>>> I'd also like an email client that tells me when the From: header
>>>> domain doesn't match the return-path domain. ...
>
>> Yes, I know. Presumably your bank doesn't email you through this list or
>> any other, though. What I'm after here is avoiding bank phishing.
>
> Have you actually looked at the mail from your bank? As likely as
> not, the return path points back at the ESP that sends their mail and
> doesn't match the From: address. Address matching is a totally
> ineffective way to verify the source of any mail.
Right now, that's true. If the banks were serious about preventing
phishing, they'd do something more sensible.
> You also can't make
> many assumptions about where it will be sent from; I got a real
> message today from HSBC in the Channel Islands that was sent from Hong
> Kong.
>
>> I'd be just as happy if they used DKIM to sign the message. I'd still
>> need my mail client to tell me that it was signed properly, though.
>> And, signed by the owner of the address that I can see in the message
>> headers.
>
> Well, yes, we all know that effective use of DKIM requires some sort of
> reputation system to decide what to make of the signature.
Absolutely. I should be able to tell my mail client or ESP which domains
and addresses to trust (my bank, my employer, my doctor...), in the first
instance. Only when DKIM and SPF are in wider use will a centralised
reputation system be very useful. But "wider use" needn't mean most of the
world. It could just mean, "most of the financial institutions in the UK",
for it to be of utility to most people in the UK. Or "most academic
institutions in the UK" for it to be of use here.
>
> R's,
> John
>
> _______________________________________________
> Asrg mailing list
> Asrg at irtf.org
> http://www.irtf.org/mailman/listinfo/asrg
--
Ian Eiloart
IT Services, University of Sussex
x3148
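The check Ian describes above (a client that compares the visible From: domain with the Return-Path domain and with the domain that DKIM-signed the message, and consults a locally configured list of trusted senders) can be sketched in a few dozen lines. The following is an added example, not code from the thread or from any list participant; it assumes the DKIM signature has already been cryptographically verified by an upstream verifier and only looks at the domains in the headers, and the sample messages, the domain names and the "strict"/"relaxed" alignment rule are all constructed for illustration.

```python
"""Added example: From:/Return-Path/DKIM domain alignment check for a mail client.

Assumption: the DKIM signature has already been verified (DNS key lookup,
body hash, signature). This code only checks whether the signing domain and
the envelope-sender domain line up with the domain the user can see in From:,
and whether that From: domain is on a locally configured trust list.
"""
from email import message_from_string
from email.utils import parseaddr


def domain_of_address(header_value):
    """Lower-cased domain of the first address in a From:/Return-Path: value, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature tag=value list (RFC 6376 s3.2) into a dict.

    Folding whitespace inside values is removed, as a verifier does before
    interpreting tags such as b= and bh=.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def domains_align(candidate, from_domain, strict):
    """Strict: identical domains. Relaxed: candidate equals or is a subdomain of From:."""
    if not candidate or not from_domain:
        return False
    if strict:
        return candidate == from_domain
    return candidate == from_domain or candidate.endswith("." + from_domain)


def check_alignment(raw_message, trusted_domains, strict=True):
    """Report how the visible From: domain relates to the envelope and DKIM domains."""
    msg = message_from_string(raw_message)
    from_domain = domain_of_address(msg.get("From"))
    return_path_domain = domain_of_address(msg.get("Return-Path"))
    dkim_domains = [
        parse_dkim_tags(h).get("d", "").lower()
        for h in msg.get_all("DKIM-Signature", [])
    ]
    return_path_aligned = domains_align(return_path_domain, from_domain, strict)
    dkim_aligned = any(domains_align(d, from_domain, strict) for d in dkim_domains)
    trusted = from_domain in {d.lower() for d in trusted_domains}

    # Only domains the user has chosen to trust get a verdict; for the rest
    # there is no local policy to apply (the "reputation system" gap).
    if not trusted:
        verdict = "no-local-policy"
    elif dkim_aligned:
        verdict = "ok"                 # signed by the owner of the visible address
    elif return_path_aligned:
        verdict = "warn-unsigned"      # envelope matches but no aligned signature
    else:
        verdict = "warn-misaligned"    # the ESP or phishing case
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "dkim_domains": dkim_domains,
        "return_path_aligned": return_path_aligned,
        "dkim_aligned": dkim_aligned,
        "trusted": trusted,
        "verdict": verdict,
    }


# Constructed sample messages (hypothetical domains, fake signature values).
ALIGNED_MSG = (
    "Return-Path: <bounces@bank.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=mail;\n"
    "\th=from:to:subject; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw==\n"
    "From: Bank Alerts <alerts@bank.example>\n"
    "To: customer@uni.example\n"
    "Subject: Statement ready\n\n"
    "Your statement is ready.\n"
)
ESP_MSG = (  # sent on the bank's behalf by a third-party ESP
    "Return-Path: <bounce-123@esp.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k1;\n"
    "\th=from:to:subject; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw==\n"
    "From: Bank Alerts <alerts@bank.example>\n"
    "To: customer@uni.example\n"
    "Subject: Statement ready\n\n"
    "Your statement is ready.\n"
)
PHISH_MSG = (  # visible From: forged, no signature at all
    "Return-Path: <x@mailer.invalid>\n"
    "From: \"Bank Security\" <security@bank.example>\n"
    "To: customer@uni.example\n"
    "Subject: Verify your account\n\n"
    "Click here.\n"
)
TRUSTED = ["bank.example", "uni.example"]

if __name__ == "__main__":
    for name, raw in [("aligned", ALIGNED_MSG), ("esp", ESP_MSG), ("phish", PHISH_MSG)]:
        print(name, check_alignment(raw, TRUSTED)["verdict"])
```

Note that the ESP message and the forged message get the same "warn-misaligned" verdict: without an aligned signature the client cannot distinguish the bank's real outsourced mail from a phish, which is the situation John describes and the reason Ian wants the bank itself to sign.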