[Asrg] mail security

John Levine johnl at taugh.com
Tue Jan 20 06:53:54 PST 2009


>Yes, but legislation requiring banks to do sensible things here is 
>feasible. At least, it is in the UK and probably elsewhere given their 
>current reputation for incompetence.

I suppose.  I sometimes drop by the weekly computer security seminar
at the Cambridge computer lab, where I've heard some amazing stuff to
buttress that reputation for incompetence.

>Actually, it's not the outsourcing that's the problem. They just need
>to do that properly, with sensible return-paths and appropriate SPF
>records.

Why do you keep harping on SPF?  Of all of the proposed security
schemes on offer, it is by far the worst.  It doesn't even attempt to
secure any part of the message visible to recipients, and it only
works for the subset of mail that is sent from a fixed point to
recipients who don't remail or forward it.  (Despite endless claims by
SPF's fans, that last part is a fundamental design failure of SPF, not
of the mail system.)

DKIM at least starts to address those problems, but it still doesn't
begin to try to deal with the much harder problem of lookalike
domains.  Let's say you get a message from security at pay-pal.com, which
is 100% DKIM, SPF, and Sender-ID approved.  Is that PayPal?  How can
you tell short of manually looking up WHOIS registrations?

R's,
John
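
Added example, not part of the original message: a receiver-side check in Python showing that a message can pass SPF and DKIM and still come from a lookalike of a protected domain, and whether the SPF result covers the visible From domain at all. The sample message, the PROTECTED list, the 0.8 similarity threshold and the two-label organizational-domain rule are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

PROTECTED = {"paypal.com"}  # assumption: domains this receiver wants to guard

# Constructed sample: every authentication check passes for pay-pal.com.
SAMPLE = """\
Return-Path: <bounce@pay-pal.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=pay-pal.com;
 dkim=pass header.d=pay-pal.com
From: Security <security@pay-pal.com>
Subject: Please verify your account

body
"""

def org_domain(addr):
    """Last two labels of the address's domain (assumes no co.uk-style suffix)."""
    domain = parseaddr(addr)[1].rpartition("@")[2].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])

def skeleton(domain):
    """First label with hyphens dropped and common digit-for-letter swaps undone."""
    label = domain.split(".")[0].replace("-", "")
    return label.translate(str.maketrans("013", "ole"))

def assess(raw, protected=PROTECTED):
    msg = message_from_string(raw)
    # Results recorded by the receiving MTA, e.g. {"spf": "pass", "dkim": "pass"}
    auth = dict(re.findall(r"\b(spf|dkim)=(\w+)", msg.get("Authentication-Results", "")))
    visible = org_domain(msg.get("From", ""))          # what the recipient sees
    envelope = org_domain(msg.get("Return-Path", ""))  # what SPF evaluated
    imitates = None
    if visible not in protected:
        for brand in protected:
            if SequenceMatcher(None, skeleton(visible), skeleton(brand)).ratio() >= 0.8:
                imitates = brand
    return {"spf": auth.get("spf"), "dkim": auth.get("dkim"),
            "from_domain": visible, "imitates": imitates,
            # SPF says nothing about From unless the two domains coincide
            "spf_covers_from": auth.get("spf") == "pass" and envelope == visible}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The check only compares against domains the receiver already knows to protect; it does not answer who registered the sending domain.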

