On 9/4/10 10:04 AM, MH Michael Hammer (5304) wrote: > Using a subdomain presents other issues but ones which I personally > believe are likely more controllable.
Disagree. There is no ADSP policy currently defined able to provide the protections being sought without forgoing use of mailing-lists for the entire domain down. > The DKIM enforcement policies you refer to are as I understand self > imposed ones. We had the "tree walking" discussion during both DKIM > and ADSP development and the decision was to have each subdomain > publish it's own records. The TPA-Label draft avoids this issue by having either an MX or ADSP record override a domain-wide marking by ADSP of being the target of phishing attacks. It is logical to assume such attacks will utilize sub-domains, where it is not possible to publish ADSP at each domain. Targeted domains marked with discardable might be retained as a wildcard within a local cache or in filtering rules to avoid walking down to the TLD. > Paypal would have to deal with those parties it has made private > arrangements with but that is the nature of changes that impact such > arrangements. This is a much more controllable (if potentially time > consuming) situation than dealing with the universe of endusers. > > The other issue is the fact that an element of risk is created > because of the MLM issues related to breaking signatures. If it > weren't for the MLM issue and possibly recipient use of vanity domain > forwarding, it isn't clear how much meaningful signature breakage > would occur for outbound Paypal mail regardless of domain. When a discardable assertion is used, message loss becomes nearly impossible to assess. > One question that comes to mind is whether the issue is centered on > mailing lists or if there are broader issues. If it is centered on > mailing lists, how broad is the need for Paypal employees to send > mail through lists in furtherance of business needs (vs personal > participation using a corporate account because it is convenient). > Spending a little time analyzing this may provide some assistance in > determining how to address the business needs. > > It would obviously be important to make clear to endusers that > transactional mails are never sent from the corp.paypal.com > subdomain. When corp.paypal.com uses ADSP dkim=all, bad actors will then find their phishing attempts accepted. These messages might include misleading List-ID headers to seem to an MTA as having been handled by a mailing-list. The recipient is unlikely to notice these additional header fields and therefore remain vulnerable to phishing attempts that they thought were from paypal. > There is certainly an educational component required regardless of > which approach is selected. Any time there is a change in behavior on > the part of an abused domain it opens up the potential for abuse > specific to the changes involved. The TPA-Label scheme should be able to mitigate phishing without better educating users, engaging in private arrangements, or to have mailing-lists change their handling in ways that would make their messages visually indistinguishable from user to user email, and therefore a greater risk in distributing phishing attempts. While phishing affects a small percentage of domains, it represents a significant financial threat eroding the productivity email may have otherwise offered. -Doug _______________________________________________ dkim-ops mailing list [email protected] http://mipassoc.org/mailman/listinfo/dkim-ops
