Graham Murray wrote:
[EMAIL PROTECTED] (Wietse Venema) writes:
My point is that SSP alone cannot distinguish between mail from my
Bank and mail from a Criminal who pretends to be a slightly different
bank. It distinguishes only the stupid criminals who send mail in
the Bank's name without signature by the Bank.
Surely the Bank's SSP means that the criminal will not be able to send
mail in the Bank's name as he will not have access to the Bank's signing
key. Therefore such mail, irrespective of how stupid or clever the
criminal is, would not carry the Bank's signature. The criminal would,
of course, be able to send from a domain which makes you think,
erroneously, that it comes from your Bank - which is a different
problem entirely.
+1. Thank you, Graham.
Phishing also includes the form of using a "correctly spelled" domain
name. I just got one from eBay this morning which is 100% directly on
par with nearly everything that was discussed here, including the PHISHER's
awareness that new systems are taking into account the SENDER.
Here is the relevant DNA of the message:
Received: from socrate.agmasys.com ([193.201.171.65])
by winserver.com (Wildcat! SMTP v6.2.452.2) with ESMTP
id 101035781; Mon, 10 Dec 2007 07:22:20 -0500
Received-SPF: softfail (winserver.com: domain of transitioning
[EMAIL PROTECTED] does not designate
193.201.171.65 as permitted sender)
Received: from User ([77.237.90.55])
by socrate.agmasys.com (Merak 7.4.2) with ASMTP id EBY38091;
Thu, 06 Dec 2007 22:17:40 +0100
From: "eBay Member look4deals999"<[EMAIL PROTECTED]>
Subject: Question from eBay Member regarding Item #320189950244
To: [EMAIL PROTECTED]
But here is the clever phishing that was added to the top of the body:
eBay sent this message on behalf of an eBay member via My Messages.
Responses sent using email will not reach the eBay member. Use the
Respond Now button below to respond to this message. [LEARN MORE!]
[RESPOND NOW]
Both the Learn More and Respond Now buttons were wrapped with webbot
phisher hex-encoded IP (0x58.0xf8.0x2.0x81) links.
So this is a prime case: if eBay were to become a DKIM signer, it could use
SSP to help protect against these obvious low-level abuses.
Of course, eBay.com is a bad example because obviously it has an open
policy of providing users email domain addresses. I don't use eBay, so
I'm not sure what their open policy is.
But for a more restricted high-value domain, like a Bank and so many
others in the commercial world, including us, we can no doubt benefit
from using SSP with strict DKIM signing policies against unsigned,
fake-signature or 3rd-party valid-signature frauds.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
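Added example, not part of the message above nor any list member's code: the
phish hid its real destination behind a hex-octet IP literal
(0x58.0xf8.0x2.0x81), which browsers accept with inet_aton semantics. The
snippet below normalizes every inet_aton-style spelling (hex, octal, decimal,
and the 1-, 2- and 3-part short forms) back to a dotted quad so that a filter
can flag links to raw addresses regardless of how they are written, and
then runs that check over a constructed body modelled on the one quoted in the
message. The link paths and the `http://` scheme in the sample are
assumptions; the original message only reports the hex IP.

```python
import ipaddress
import re
from urllib.parse import urlparse

# One inet_aton "part": hex (0x..), octal (leading 0) or decimal.
_PART_RE = re.compile(r"^(0[xX][0-9a-fA-F]+|[0-9]+)$")


def _parse_part(tok: str) -> int:
    """Parse a single inet_aton-style numeric part, or raise ValueError."""
    if not _PART_RE.match(tok):
        raise ValueError(tok)
    if tok[:2].lower() == "0x":
        return int(tok, 16)          # hex, e.g. 0xf8 -> 248
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)           # octal, e.g. 0370 -> 248 ("08" is rejected)
    return int(tok, 10)


def normalize_ip_host(host: str):
    """Return the dotted-quad form of an inet_aton-style IPv4 literal.

    Returns None for anything that is not such a literal (ordinary hostnames,
    out-of-range parts, empty parts). Follows inet_aton: with fewer than four
    parts the last part fills all remaining bytes, so "0x58f80281" and
    "1492648577" both mean 88.248.2.129.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    head, last = vals[:-1], vals[-1]
    if any(not 0 <= v <= 255 for v in head):
        return None
    remaining = 4 - len(head)        # bytes the last part must cover
    if not 0 <= last < 256 ** remaining:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining)) | last
    return str(ipaddress.IPv4Address(addr))


_HREF_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                      re.IGNORECASE | re.DOTALL)


def flag_ip_literal_links(html: str):
    """Return (anchor text, url, decoded IP) for every link whose host is a
    raw IPv4 literal in any inet_aton spelling."""
    flagged = []
    for url, text in _HREF_RE.findall(html):
        host = urlparse(url).hostname
        if host is None:
            continue
        ip = normalize_ip_host(host)
        if ip is not None:
            flagged.append((re.sub(r"\s+", " ", text).strip(), url, ip))
    return flagged


# Constructed sample body modelled on the quoted phish; paths are made up.
SAMPLE_BODY = """
<p>eBay sent this message on behalf of an eBay member via My Messages.
Responses sent using email will not reach the eBay member. Use the
Respond Now button below to respond to this message.</p>
<a href="http://0x58.0xf8.0x2.0x81/learn">LEARN MORE!</a>
<a href="http://0x58.0xf8.0x2.0x81/respond">RESPOND NOW</a>
<a href="http://pages.ebay.com/help/">Help</a>
"""

if __name__ == "__main__":
    for text, url, ip in flag_ip_literal_links(SAMPLE_BODY):
        print(f"{text!r:16} -> {url}  (really {ip})")
```

The decoder is deliberately stricter than a browser in one respect: a part
such as "08" or an empty part makes the whole host non-numeric and the link is
not flagged, which matches what the browser would do (it would fall back to a
DNS lookup for that string). Comparing the decoded address, not the URL text,
is what lets the same rule catch "0x58f80281", "0130.0370.02.0201" and the
plain dotted quad.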