[Asrg] mail security

Ian Eiloart iane at sussex.ac.uk
Wed Jan 21 03:08:05 PST 2009



--On 21 January 2009 00:56:55 +0000 John Levine <johnl at taugh.com> wrote:

>>>> Let's say you get a message from security at pay-pal.com, which is 100%
>>>> DKIM, SPF, and Sender-ID approved. Is that Paypal? How can you tell
>>>> short of manually looking up WHOIS registrations?
>>
>> Well, without all those technologies, it's simple to simply use paypal's
>> domain. Then there's no clue. Now, if you use a look-alike domain name,
>> then you're probably violating the trademark. That's illegal, ...
>
> Uh, dude, we're talking about phishing here.  If that's not already
> illegal in Australia, I think I've found a major recession-resistant
> business opportunity.

Phishing illegal? I don't know about Australia, but I don't think there are 
specific anti-phishing laws in the UK. Certainly, fraud perpetrated with 
information gained by phishing is illegal. It's fraud. It could be argued 
that the Phishing attempt itself is a form of fraud, but probably only if 
you actually do something with the information gained.

My point about trademarks is that registering a domain that could be easily 
confused with a trademark is illegal. Therefore, it's reasonable to code 
phishing defences that rely in whole or in part on detecting sender address 
domains that are similar, but not identical, to trademarked domains.

This means that technical measures to protect a domain from precise forgery 
can be supplemented with technical measures to protect near matches to 
those domains, thus mitigating (not eliminating) the problem.

[Whether it's legal or not, it is a business opportunity. It's probably not 
totally recession-resistant because recession probably reduces the gains to 
be had.]


>
> R's,
> John
>
> PS:
>
>>>    Is there actually any point in trying to solve phishing issues by
>>> verifying the origin of email if the customer is going to depend on
>>> a known-insecure web-browser?
>
> Maybe.  One of my bank accounts requires me to use a physical dongle
> to generate a code number.  I expect in the future they'll give you a
> USB dongle with a small screen and a couple of buttons so you do most
> of your banking session on the computer, but when you hit go, the
> dongle lights up with the details of the transaction the bank is about
> to do and you have to push YES or NO on the dongle to confirm.  That
> seems like it could be made reasonably secure.
> _______________________________________________
> Asrg mailing list
> Asrg at irtf.org
> http://www.irtf.org/mailman/listinfo/asrg



-- 
Ian Eiloart
IT Services, University of Sussex
x3148
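The near-match detection suggested in the message above (flagging sender domains that are similar, but not identical, to a protected domain such as pay-pal.com versus paypal.com) can be sketched as follows. This is an added example written for this archive page, not code from the list, from the University of Sussex, or from any of the posters. The protected-domain list, the confusable-character map, the tiny public-suffix table and the edit-distance thresholds are all constructed, assumed values; a real deployment would load the protected list from its own configuration and use the Public Suffix List to split registrable domains.

```python
"""Flag sender domains that are near matches to protected (trademarked) domains.

Added example for this thread, not code from the ASRG list or its posters.
The lists, the confusable map and the thresholds below are constructed/assumed values.
"""

# Constructed sample list of domains the defender wants to protect.
PROTECTED_DOMAINS = ["paypal.com", "examplebank.co.uk"]

# Assumed map of characters commonly substituted for letters in lookalike names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "rn": "m", "vv": "w"}

# Assumed tiny public-suffix table; a real deployment should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. mail.paypal.com -> paypal.com."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain: str) -> str:
    """The label that carries the brand: the first label of the registrable domain."""
    return registrable_domain(domain).split(".")[0]


def normalize(label: str) -> str:
    """Fold hyphens and common confusables so pay-pal and paypa1 both compare as paypal."""
    out = label.lower().replace("-", "")
    for bad, good in CONFUSABLES.items():
        out = out.replace(bad, good)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str):
    """Return (verdict, protected_domain).

    'exact'     : the protected domain itself or a subdomain of it, i.e. the case that
                  DKIM / SPF / Sender-ID can vouch for.
    'lookalike' : a near match that those origin checks cannot catch, which is the
                  case the message above proposes to detect.
    'unrelated' : nothing close to any protected domain.
    """
    host = sender_domain.lower().strip(".")
    host_labels = host.split(".")
    cand_norm = normalize(brand_label(host))
    for prot in PROTECTED_DOMAINS:
        # Genuine domain or a genuine subdomain of it.
        if host == prot or host.endswith("." + prot):
            return "exact", prot
        pb = normalize(brand_label(prot))
        # 1. Brand used as a label elsewhere in the name, e.g. paypal.com.evil.example
        if pb in host_labels:
            return "lookalike", prot
        # 2. Same brand once hyphens / confusables are folded, e.g. pay-pal.com, paypa1.com
        if cand_norm == pb:
            return "lookalike", prot
        # 3. Brand embedded in a longer label, e.g. paypal-security.com
        if len(pb) >= 5 and pb in cand_norm:
            return "lookalike", prot
        # 4. Small edit distance, e.g. paypai.com (threshold grows with brand length)
        threshold = 1 if len(pb) < 8 else 2
        if levenshtein(cand_norm, pb) <= threshold:
            return "lookalike", prot
    return "unrelated", None


if __name__ == "__main__":
    for d in ["paypal.com", "pay-pal.com", "paypa1.com", "paypal.com.evil.example", "sussex.ac.uk"]:
        print(d, "->", classify_sender_domain(d))
```

The verdict is deliberately separate from the origin checks the thread discusses: an "exact" result still needs DKIM, SPF or Sender-ID to confirm the message really came from that domain, while a "lookalike" result is a signal in its own right, since a forger who registers a confusable domain can pass all three checks for that domain. The thresholds trade false positives (short brand names collide easily) against missed variants, so they belong in configuration rather than in code.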

