> do you believe John, who never believed in ADSP and has repeatedly said > that he hope it fails, and who has a microscopic amount of deployment > experience if any at all. Or do we believe Brett/paypal that ADSP is > providing benefit *today* in the form of 100's of millions of thwarted > phishes, and that ADSP is the only way he can get things to scale > beyond handshakes in the Valley.
Indeed. Only, I think it's a little more complicated than that. PayPal has good experience with independent arrangements that behave like ADSP, and they expect it to translate to good and broader experience with ADSP. On the other hand, they have some bad experience with ADSP, which they expect to meliorate with a change that Brett hasn't described yet. On the other hand, John and Steve expect that the benefits PayPal is seeing in thwarted phishing messages will be short-lived, as phishers just change domain names, and send out just as many messages as before, fooling just as many recipients into thinking they're from PayPal. We will certainly need data collected over time to determine whether there's any long-term reduction in unblocked phishing messages as a result of ADSP. I'm eager to get that data. We'll also need some analysis of whether (and why) PayPal sees some real value in ensuring that successful "PayPal" phishing messages do not actually have "paypal.com" in the "from" field. I'm eager to see that, too. Barry, as participant _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html