On Sat, 2006-09-09 at 18:35 +0000, John Levine wrote:
> >> >The best way to help end-users avoid getting phished is to not accept
> >> >phishing messages for delivery.  DKIM-SSP where strict policy
> >> >statements are published offer a mechanism for this.
> >>
> >> I get a message from [EMAIL PROTECTED]  It has a valid
> >> signature.  I check the SSP for ebay-verify.com, which says "MAJOR
> >> PHISHING TARGET, ACCEPT ONLY WITH SIGNATURE."  So I drop it into the
> >> recipient's mailbox with a gold star on it.
> >>
> >> What have we just accomplished?
> >
> > A bad thing.  Don't put the gold star on it.  That would be a mistake.
> 
> I think we all agree it would be a mistake.
> 
> How does DKIM-SSP help us not to put the gold star on it?  Someone
> said that DKIM-SSP offers a mechanism to not accept phishing messages
> for delivery.

I agree.  A policy of any form will be unable to reliably block phishing
messages or identify what messages should be annotated in isolation from
other information.  However, DKIM-related information can be applied
beyond the MTA.  Think outside the MTA box. : )

Blocking a phish should not be a primary goal, although that might be
all an MTA offers.  Validating and annotating associated "retained
email-addresses" is something DKIM enables.  There are two forms of
retention in current use, a trusted list and an address-book.  These
retained email-addresses allow safe "gold-star" annotations to be
applied in conjunction with DKIM.  Policy allows DKIM to more broadly
validate "retained email-addresses."

-Doug  
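As an added illustration (not code from this thread or from any DKIM implementation), here is how a mail client could combine a DKIM pass with a retained address-book entry before showing a gold star, so that the ebay-verify.com message above gets no star despite its valid signature. The Authentication-Results parsing is simplified and the address-book entries are constructed.

```python
import re
from email.utils import parseaddr

# Constructed "retained email-addresses": senders the recipient has
# previously corresponded with (hypothetical values).
ADDRESS_BOOK = {"alice@example.com", "billing@ebay.com"}


def dkim_domain(auth_results: str):
    """Return the signing domain (d=) when the DKIM result is 'pass', else None.

    Parses a simplified Authentication-Results header, e.g.
    'mx.example.net; dkim=pass header.d=ebay.com'.
    """
    m = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth_results)
    return m.group(1).lower() if m else None


def gold_star(from_header: str, auth_results: str, address_book=ADDRESS_BOOK) -> bool:
    """Annotate only when all three conditions hold:

    1. the DKIM signature verified,
    2. the signing domain is the From domain (or a parent of it),
    3. the From address is one the recipient has retained.

    A valid signature by itself (the ebay-verify.com case) never earns a star,
    because the retained address is what ties the signature to someone the
    user actually knows.
    """
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr or addr not in address_book:
        return False  # unknown sender: no annotation regardless of signature
    from_domain = addr.rsplit("@", 1)[1]
    signer = dkim_domain(auth_results)
    if signer is None:
        return False  # no verified signature
    # Signature must cover the From domain, not some unrelated domain.
    return from_domain == signer or from_domain.endswith("." + signer)
```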

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html