Graham Murray wrote:
Surely the Bank's SSP means that the criminal will not be able to send
mail in the banks name as he will not have access to the Bank's signing
key.


The challenge is the phrase "in the bank's name".

1. SSP does nothing to mitigate against use of the Bank's actual "name" (brand) anywhere in the message, including the display string of the From field, the Subject line or the body.

2. SSP does nothing to mitigate against use of cousin domains, which are likely to confuse some significant percent of recipients.

As a consequence, SSP needs to distinguish between attacks on the bank's domain name, versus attacks on the bank's brand and it needs to explain how SSP mitigates each.

d/
--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html

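The distinction drawn above (attacks on the bank's domain name versus attacks on its brand) can be made concrete with a small added example. This is not code from the thread or from any SSP implementation; it models an SSP-style policy as a plain lookup table keyed by the RFC 5322 From domain (the real record syntax is not reproduced), and the domains, brand string, sample From: headers and the cousin-domain heuristic are all constructed for illustration.

```python
"""
Added example: why a domain-keyed signing policy (SSP-style) says nothing
about brand abuse in the From display name or about cousin domains.

Everything below is constructed for illustration: the policy table, the
brand string, the sample headers and the naive cousin-domain heuristic.
"""
from email.utils import parseaddr

# Assumption: an SSP-style policy is modelled as "this domain signs all
# its mail", keyed by the exact From domain. Only the bank's own domain
# publishes a policy.
SSP_POLICY = {
    "examplebank.example": "all",
}

LEGIT_DOMAIN = "examplebank.example"
BRAND = "Example Bank"   # the brand string that SSP never looks at


def from_domain(from_header):
    """Return the lowercase domain of the address in a From: header, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def ssp_verdict(from_header, signed_by=None):
    """Domain-only check, as SSP performs it.

    'no policy' : the From domain publishes nothing, so SSP is silent
    'pass'      : policy exists and the message carries that domain's signature
    'fail'      : policy exists but the signature is missing or from elsewhere
    """
    dom = from_domain(from_header)
    if SSP_POLICY.get(dom) is None:
        return "no policy"
    if signed_by is not None and signed_by.lower() == dom:
        return "pass"
    return "fail"


def brand_in_display_name(from_header):
    """Brand check SSP does not do: does the display string carry the brand?"""
    name, _ = parseaddr(from_header)
    return BRAND.lower() in name.lower()


def looks_like_cousin(domain, legit=LEGIT_DOMAIN):
    """Naive, illustrative cousin-domain heuristic: the legitimate first
    label reappears inside a different domain (e.g. examplebank-secure)."""
    if domain is None or domain == legit:
        return False
    return legit.split(".")[0] in domain


def assess(from_header, signed_by=None):
    """Side-by-side view: what SSP decides versus what a brand-aware
    check would notice for the same header."""
    dom = from_domain(from_header)
    return {
        "domain": dom,
        "ssp": ssp_verdict(from_header, signed_by),
        "brand_in_display_name": brand_in_display_name(from_header),
        "cousin_domain": looks_like_cousin(dom),
    }


# Constructed sample From: headers paired with the domain that signed the
# message (None = unsigned). Only the first is genuine bank mail.
SAMPLES = [
    ("Example Bank <alerts@examplebank.example>", "examplebank.example"),
    ("Example Bank <alerts@examplebank.example>", None),                 # forged, unsigned
    ("Example Bank <security@mail-hosting.example>", "mail-hosting.example"),  # brand in display name only
    ("Example Bank Security <alerts@examplebank-secure.example>",
     "examplebank-secure.example"),                                      # cousin domain, validly signed
]

if __name__ == "__main__":
    for hdr, signer in SAMPLES:
        print(f"{hdr!r:60} -> {assess(hdr, signer)}")
```

Running it shows the point of the message: only the second sample (a forged From: using the bank's real domain) produces an SSP "fail". The third and fourth carry the brand in the display name or a cousin domain, are validly signed by the attacker's own domain, and get "no policy" from SSP because the bank's policy is never consulted for a domain the bank does not own.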