On Saturday 09 September 2006 14:35, John Levine wrote:
> >> >The best way to help end-users avoid getting phished is to not accept
> >> >phishing messages for delivery. DKIM-SSP where strict policy
> >> >statements are published offer a mechanism for this.
> >>
> >> I get a message from [EMAIL PROTECTED] It has a valid
> >> signature. I check the SSP for ebay-verify.com, which says "MAJOR
> >> PHISHING TARGET, ACCEPT ONLY WITH SIGNATURE." So I drop it into the
> >> recipient's mailbox with a gold star on it.
> >>
> >> What have we just accomplished?
> >
> >A bad thing. Don't put the gold star on it. That would be a mistake.
>
> I think we all agree it would be a mistake.
>
> How does DKIM-SSP help us not to put the gold star on it? Someone
> said that DKIM-SSP offers a mechanism to not accept phishing messages
> for delivery.
For exact domain phishes, I think this is true. If I get a message 2822.From a domain that has published an SSP record saying that the domain signs all messages and the message does not have a valid signature signed by that domain, then the message can be rejected.

Unless you are in the habit of putting gold stars on all messages that go into the inbox, then you don't need any help to not put a gold star on it. The part where you normally don't put a gold star on it, do that.

Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
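The decision Scott K describes, written out as an added example that is not part of the thread or of any DKIM implementation. The SSP records, the set of domains whose signatures verified, and the From headers are all constructed inline; real DNS lookups and DKIM signature verification are assumed to have already happened upstream. The only rule encoded is the one in the reply: a message whose 2822.From domain publishes "all" and that carries no valid signature with d= equal to that exact domain is rejected. Everything else is delivered, and the verdict deliberately carries no trust or "gold star" field, because a valid signature from ebay-verify.com proves only that ebay-verify.com signed it.

```python
"""Added example: a minimal DKIM-SSP exact-domain check as described in the reply.

All data here is constructed for illustration. Signature verification and the
SSP DNS lookup are assumed to be done elsewhere; this code only applies policy.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed SSP table (hypothetical; a real implementation queries DNS).
# "all"  -> the domain says it signs all of its mail, so unsigned mail
#           purporting to come from it may be rejected.
# absent -> no policy published; a missing signature proves nothing.
CONSTRUCTED_SSP = {
    "ebay-verify.com": "all",   # the lookalike domain from the thread
    "example.com": "all",
}


@dataclass(frozen=True)
class Verdict:
    action: str                  # "reject" or "deliver"
    author_domain_signed: bool   # a verified signature had d= == From domain
    reason: str
    # Note what is NOT here: no "trusted" flag. Policy compliance is not trust.


def from_domain(from_header):
    """Return the lower-cased domain of the RFC 2822 From address, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def lookup_ssp(domain, ssp_table=CONSTRUCTED_SSP):
    """Stand-in for the SSP DNS query; returns the published practice or None."""
    return ssp_table.get(domain)


def evaluate(from_header, valid_signature_domains, ssp_table=CONSTRUCTED_SSP):
    """Apply the exact-domain SSP rule.

    valid_signature_domains: the d= values of DKIM signatures that verified
    (constructed input here; produced by a real verifier in practice).
    """
    domain = from_domain(from_header)
    if domain is None:
        return Verdict("reject", False, "no parseable 2822.From domain")

    # Only a signature by the From domain itself satisfies the domain's policy;
    # a valid signature from some other domain says nothing about this one.
    signed_by_author = domain in {d.lower() for d in valid_signature_domains}
    policy = lookup_ssp(domain, ssp_table)

    if policy == "all" and not signed_by_author:
        return Verdict("reject", False,
                       f"{domain} publishes 'all' but no valid signature by {domain}")
    if signed_by_author:
        return Verdict("deliver", True,
                       "valid author-domain signature; policy satisfied")
    return Verdict("deliver", False,
                   "no policy requires a signature; delivered without any mark")


if __name__ == "__main__":
    # Constructed messages: an exact-domain forgery, a legitimate message,
    # and the thread's lookalike case (valid signature, still just "deliver").
    for hdr, sigs in [("security@example.com", []),
                      ("security@example.com", ["example.com"]),
                      ("security@example.com", ["mailer.example.net"]),
                      ("support@ebay-verify.com", ["ebay-verify.com"])]:
        print(hdr, sigs, "->", evaluate(hdr, sigs))
```

The third constructed case shows the "signed by that domain" qualifier doing real work: a valid third-party signature does not rescue a message whose From domain publishes "all". The fourth case is John Levine's scenario; it is delivered because it complies with ebay-verify.com's policy, and nothing in the verdict invites the receiver to decorate it.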