On May 27, 2010, at 12:46 PM, Brett McDowell wrote:

> On May 26, 2010, at 11:28 PM, Steve Atkins wrote:
>
>> I'm pretty sure that ADSP as-is is a bad tool to solve any particular
>> problem.
>> But given it's not being proposed to solve any concrete problem, it's
>> hard to discuss whether there's a better solution.
>
> Are you deliberately ignoring the data I provided... at your request for data?

Not at all. It's interesting, but it's only marginally related to ADSP.

You're taking data based on a private relationship at a small number of consumer ISPs, for a very specific subset of mail, and using that as data to directly support a protocol based on self-publication by a large number of different parties that would be acted upon by more than just a couple of consumer freemail providers. (If that weren't the case, there'd be no point in standardising a self-publication approach such as ADSP.)

Additionally, the data you've provided that I've seen isn't that useful, as it only provides one of the four useful numbers in the legitimate vs. phish, rejected by ADSP vs. not rejected matrix.

To give you a bit more idea of what I mean by that, I've pulled some data out of my mailbox, looking at emails that were either legitimate paypal mail or clear phish emails targeting paypal. For each of those I worked out whether it would have been accepted or rejected based solely on ADSP dkim=discardable if they'd been signed when sent. I'll write up the methodology in a little more detail, but out of my sample the initial data is:

Legitimate email from paypal:
  72% rejected by ADSP
  28% not rejected

Phishing emails using "paypal" in the From line:
  39% rejected by ADSP
  61% not rejected

This is based on mail to my mailbox, but other than that it's a pretty fair sample; if anything it's fairly heavily skewed towards phish emails that would be rejected by ADSP (as it's based on emails with the string paypal in the From: line, which includes all phish mail that would be rejected, but excludes quite a lot of phish mail that wouldn't be). It's a small sample, but that means I've been able to identify and confirm manually the status of each email.

(It does ignore the fact that Paypal acquires an awful lot of lookalike domains, partly because that's something it's hard to analyze after the fact, but mostly because "buy every domain in every TLD that has my company name in it" is not a behaviour that scales at all.)

It's also based on sender behaviour before there's significant actual filtering via ADSP. I would expect less mail, both legitimate and illegitimate, to be rejected by ADSP as time went on.

That's real data, not theory, for the current state of the paypal-related mailstream as I personally see it. I think I can extrapolate from there to what'll happen to that specific mail stream were ADSP to be widely adopted, but that'd be speculation.

>> The original argument was that it would help deal with phishing, but
>> now even the strongest proponents are happy to explain that it will do
>> absolutely nothing to help with phishing
>
> I'm sorry, I'm not only arguing that it absolutely DOES help with phishing,
> I've provided real data (vs. theory).
>
> Steve, I saw you give a presentation in February and I was very impressed by
> both your technical knowledge and your overall common sense. I consider you
> both intelligent and wise. But I cannot explain the position you've taken on
> the ADSP issue on this mail list.

I think DKIM is a Good Thing that should be widely deployed. ADSP is broken in many respects, and because it's tied to DKIM's mindshare that brokenness deters DKIM adoption. So I believe that ADSP needs to be fixed or it needs to be allowed to die.

> What other solutions on top of DKIM would you like to see the Internet adopt
> instead of ADSP... something open, interoperable, and royalty-free I hope!

I can think of several, and I'd be more than happy to sit down and discuss them at some point over a beer, but I'm hearing enough grumbling from the chairs about what's on topic and what isn't already[1].

Cheers,
  Steve

[1] Domain whitelists operated by FDIC, D&B etc. for real businesses in a particular niche, or certificates based on vetting, à la the green bar, are two obvious ones, though. The green bar and extended validation certs are what PayPal is really relying on to avoid phishing right now, AFAICT. It's simple and effective and easy for consumers to understand.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
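The classification Steve describes (would a message be rejected under ADSP dkim=discardable, and what does the legitimate-vs-phish, rejected-vs-not-rejected matrix look like) is mechanical enough to show in code. The block below is an added example, not Steve's script or anything from the DKIM working group. It applies the RFC 5617 rule (a message passes only if a verified DKIM signature's d= equals the From: address domain; otherwise the Author Domain's ADSP record decides) to a small constructed sample. The ADSP records live in an in-memory table standing in for the `_adsp._domainkey.<domain>` TXT lookup, the message sample is invented, and the "legit"/"phish" labels are assumed to have been assigned by hand, as in the post. The sample deliberately includes the two cases the post flags: legitimate paypal.com mail carrying only a third-party (or broken) signature, and phish from a lookalike domain that publishes no policy.

```python
"""Added example (not from the original post): evaluate ADSP dkim=discardable
over a constructed sample and produce the four-cell matrix the post asks for."""

import re
from dataclasses import dataclass, field

# Constructed ADSP records keyed by Author Domain. This stands in for the
# TXT record at _adsp._domainkey.<domain>; domains absent here publish none.
ADSP_RECORDS = {
    "paypal.com": "dkim=discardable",
    "example.bank": "dkim=all",
}

@dataclass
class Message:
    label: str                 # "legit" or "phish": ground truth assigned by hand
    from_header: str           # raw From: header value
    valid_sig_domains: list = field(default_factory=list)  # d= of signatures that verified

_ANGLE_ADDR = re.compile(r"<([^>]+)>")

def author_domain(from_header):
    """Author Domain per RFC 5617: the domain of the From: address.
    The display name is ignored, which is where phish usually puts 'paypal'."""
    m = _ANGLE_ADDR.search(from_header)
    addr = m.group(1) if m else from_header.strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()

def adsp_policy(domain, records=ADSP_RECORDS):
    """'unknown', 'all', 'discardable', or 'none' when no record is published."""
    rec = records.get(domain)
    if rec is None:
        return "none"
    m = re.search(r"\bdkim=(unknown|all|discardable)\b", rec)
    return m.group(1) if m else "unknown"

def adsp_result(msg, records=ADSP_RECORDS):
    """Return 'pass', 'discard', 'fail' or 'none' for one message."""
    domain = author_domain(msg.from_header)
    if domain is None:
        return "none"
    # Author Domain Signature: a valid signature whose d= equals the From: domain.
    # (Exact match only; subdomain relaxations are out of scope here.)
    if domain in (d.lower() for d in msg.valid_sig_domains):
        return "pass"
    policy = adsp_policy(domain, records)
    if policy == "discardable":
        return "discard"
    if policy == "all":
        return "fail"
    return "none"

def tally(messages, records=ADSP_RECORDS):
    """The four numbers: rejected / not rejected for each of legit and phish.
    Only 'discard' counts as rejected; 'fail' under dkim=all is advisory."""
    counts = {"legit": {"rejected": 0, "not_rejected": 0},
              "phish": {"rejected": 0, "not_rejected": 0}}
    for m in messages:
        cell = "rejected" if adsp_result(m, records) == "discard" else "not_rejected"
        counts[m.label][cell] += 1
    return counts

# Constructed sample; each line notes the expected outcome.
SAMPLE = [
    Message("legit", "service@paypal.com", ["paypal.com"]),                 # signed by author domain: pass
    Message("legit", "PayPal <service@paypal.com>", ["paypal.com"]),        # pass
    Message("legit", "PayPal <service@paypal.com>", ["bulkmailer.example"]),  # third-party signature only: discard
    Message("legit", "PayPal <service@paypal.com>", []),                    # signature broken in transit: discard
    Message("phish", "PayPal <service@paypal.com>", []),                    # forged From: domain: discard
    Message("phish", '"service@paypal.com" <upd@paypa1-secure.example>', []),  # lookalike, no policy: none
    Message("phish", "PayPal Security <alert@mail-paypal.example>", ["mail-paypal.example"]),  # lookalike, self-signed: pass
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m.label:5} {adsp_result(m):8} {m.from_header}")
    print(tally(SAMPLE))
```

Run stand-alone, the tally reports the legitimate mail split evenly between rejected and not rejected, and two of the three phish messages surviving: the only phish ADSP catches is the one that forges paypal.com itself. The lookalike domains slip through because ADSP is a per-domain self-assertion, which is the point the post makes about the limits of the protocol.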