----- Original Message -----
From: "Wietse Venema" <[EMAIL PROTECTED]>
To: <ietf-dkim@mipassoc.org>
Sent: Tuesday, September 12, 2006 12:22 PM
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
>>> What was the advantage of SSP with look-alike domains?
>>>
>> To find large unproductive ratholes? Neither DKIM nor SSP claim
>> to have any direct effect on look-alike domain names, and
>> there's nothing in our
>
> DKIM_BASE allows a recipient to distinguish mail from the bank from
> look-alike mail that pretends to be from the bank. That information
> comes in the form of the signing domain.
>
> SSP has an advantage when we assume that criminals are stupid enough
> to keep sending forged mail. It has no advantage with look-alike
> attacks. Guess what criminals will do.

hmmmmmmmmm, unless I didn't follow you right, I fail to see the
distinction or your point.

Scenario #1 - No Phishing in 2822.From, Phishing in signing domain.
NO SSP defined.

    From: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Your Account Info
    DKIM-Signature: d=paypa1.com; s=sept06;   <-- valid 3PS

Here, the 3PS is valid using a look-alike domain (character one is
used instead of el). The x822.From is really paypal.com and no SSP is
defined. The result in a NO SSP environment is a VALID message with
the awful possibility some stupid presentation software will say:

    * Good Signature from [EMAIL PROTECTED] signed by paypa1.com

Scenario #2 - Phishing in 2822.From, Phishing in signing domain.

    From: [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: Your Account Info
    DKIM-Signature: d=paypa1.com; s=sept06;   <-- valid 3PS

Here, the 3PS is valid using a look-alike domain (character one is
used instead of el). The x822.From is also phished. The bad guy can
have NO SSP or a SSP with a designated allow list for paypa1.com.

So I don't see how it matters.

But I will say that if PAYPAL.COM (the real domain) used SSP in
scenario #1, then at the very least, the real domain is protected
against a phished signing domain when using SSP.

So to me, SSP still has the advantage over a DKIM-BASE only
environment. SSP can protect against a PHISHED DKIM-BASE SIGNATURE.
A slight distinction over a phished 2822.From domain. In short, the
bad guy would have to phish both domains - the author's and the
signing domain.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
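The two scenarios in the message above, worked through in code. This is an added example and is not code from either poster or from any DKIM/SSP implementation. It models the receiver's decision only: signature verification is assumed to succeed (the message calls both signatures "valid 3PS"), the SSP lookup is a constructed in-memory table rather than a DNS query, and the policy values "strict" and "some" are a simplified stand-in for whatever the SSP draft would actually publish. The local-parts (service, victim), the example.com recipient, the dummy bh=/b= tag values and the small confusable map at the end are all assumptions made for illustration.

```python
"""Model of the two look-alike scenarios: 2822.From vs. DKIM d= vs. SSP.

Added example, not from the thread. Signature verification is assumed to
succeed; the SSP lookup is a constructed table, not DNS.
"""
import email
import email.utils
from email import policy

# Constructed SSP table standing in for the DNS lookup SSP would do.
# Policy values are a simplified model (an assumption, not the draft syntax):
#   "strict" - domain signs all mail; third-party signatures not accepted
#   "some"   - domain signs some mail; third-party signatures tolerated
# A domain absent from the table has published no SSP at all.
SSP_TABLE = {
    "paypal.com": "strict",  # the real domain protects itself (scenario #1)
    # "paypa1.com" is deliberately absent: the look-alike publishes nothing
}

# Hypothetical confusable map. Not part of DKIM or SSP; it only shows what a
# look-alike check would need that neither protocol provides.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})

# Constructed messages mirroring the two scenarios (addresses are made up;
# bh= and b= are dummy values, never verified here).
SCENARIO_1 = """\
From: service@paypal.com
To: victim@example.com
Subject: Your Account Info
DKIM-Signature: v=1; a=rsa-sha256; d=paypa1.com; s=sept06;
 h=from:to:subject; bh=dGVzdA==; b=c2ln

Please verify your account.
"""

SCENARIO_2 = SCENARIO_1.replace("From: service@paypal.com",
                                "From: service@paypa1.com")


def from_domain(msg):
    """Domain of the 2822.From address, lower-cased."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rpartition("@")[2].lower()


def dkim_tags(msg):
    """Parse the tag=value list of the DKIM-Signature header into a dict."""
    header = str(msg["DKIM-Signature"] or "")
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding space
    return tags


def is_first_party(from_dom, d):
    """d= is first-party when it equals the From domain or is a parent of it."""
    return from_dom == d or from_dom.endswith("." + d)


def evaluate(raw, ssp_table=SSP_TABLE, signature_verifies=True):
    """Receiver-side verdict for one message under a given SSP table."""
    msg = email.message_from_string(raw, policy=policy.default)
    fd = from_domain(msg)
    d = dkim_tags(msg).get("d", "").lower()
    first_party = bool(d) and is_first_party(fd, d)
    ssp = ssp_table.get(fd)
    if not signature_verifies or not d:
        verdict = "no valid signature"
    elif first_party:
        verdict = "pass: first-party signature"
    elif ssp == "strict":
        verdict = "reject: third-party signature not allowed by %s SSP" % fd
    else:
        verdict = "pass: third-party signature (no SSP to object)"
    return {"from_domain": fd, "d": d, "first_party": first_party,
            "ssp": ssp, "verdict": verdict}


def looks_like(domain, protected):
    """Crude look-alike test: same name after mapping confusable characters."""
    return domain != protected and domain.translate(CONFUSABLES) == protected


if __name__ == "__main__":
    print("scenario 1, paypal.com has SSP:", evaluate(SCENARIO_1)["verdict"])
    print("scenario 1, no SSP anywhere:  ", evaluate(SCENARIO_1, {})["verdict"])
    print("scenario 2, look-alike From:  ", evaluate(SCENARIO_2)["verdict"])
    print("scenario 2, attacker SSP:     ",
          evaluate(SCENARIO_2, {"paypa1.com": "some"})["verdict"])
    print("paypa1.com looks like paypal.com:",
          looks_like("paypa1.com", "paypal.com"))
```

Running it shows the split the message describes: in scenario #1 a strict SSP for paypal.com turns the third-party signature into a reject, and removing that SSP turns it back into a pass; in scenario #2 the From domain and d= already agree, so the signature is first-party and no SSP entry for paypal.com is ever consulted, whatever paypa1.com publishes. The only thing that flags the second message is the confusable check, which is a heuristic outside both protocols.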