IMHO, a user who would be fooled by your: > From: President Obama <ob...@whitehouse.gov> > From: Hector Santos <hsan...@isdg.net>
would also likely be fooled by: > From: President Obama <hsan...@isdg.net> The latter problem is a hole DKIM just can't plug. At least the dual-From: trick is an easy signature to add to a content filter. By the way, there is no whitehouse.gov ADSP record, so a simple first person forgery of Obama with no trickery would pass today. Although the forger would be wise to use his own MAIL FROM:, as they do have SPF. Being constructive, recommendations such as "don't allow multiple From: -- if you really have to then *at least* act on the least favorable ADSP result for each address" should probably go into a seperate document, likely a BCP. We could probably fill a document with other recommended techniques an ISP could use to help protect banks from the gullibility of their users, including techniques outside the scope of DKIM. Such as any kind of stab at solving the human-name problem I've highlighted (but that's a huge can of worms), or suppression of attacks using lookalike domains. ---- Michael Deutschmann <mich...@talamasca.ocis.net> _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
