RE: [Asrg] How would SPF or Sender ID stopped this attack
Thanks for the reply.
If the IP Address is what is being checked, and I have my own email
server in China that I set up to be US Bank, I know it will not resolve
back to me of course, copy the appropriate IP out of the SPF or Sender
ID record in DNS and release my messages as US Bank, how can it pick
that up? Won't it just ask DNS if the IP address 123.456.789.123 is the
address of the originating server?
Isn't this the exact scenario they are referring to in the Security
Considerations section?
Bill McInnis
MessageLevel.com
-----Original Message-----
From: Barry Shein [mailto:bzs at world.std.com]
Sent: Friday, July 30, 2004 7:12 PM
To: Bill Mcinnis
Cc: asrg at ietf.org
Subject: Re: [Asrg] How would SPF or Sender ID stopped this attack
On July 30, 2004 at 18:31 bill.mcinnis at messagelevel.com (Bill McInnis)
wrote:
> Last weekend a phishing attack took place against US Bank. The phisher
> spoofed and connected with the appropriate IP for US Bank,
> 170.135.72.63. How would SPF or Sender ID have managed to catch that
> attack?
Only inasmuch as it would make it difficult if not impossible for them
to make the envelope (and in some extensions, header fields) appear to
be coming from whatever US Bank's domain is, usbank.com or whatever.
But it won't do much of anything to stop slight variations on that domain
which the phisher might be able to register and even get SPF/RMX/etc
control such as us-bank.com or usbank-security.com or whatever.
I think phishing is a big problem in the way con games are a big problem:
they aim at the gullible, who aren't easy to protect.
I'd imagine the best that can be done against phishing would be
something done at the website like you enter a unique username, not an
acct or anything very interesting to a stranger, and the BANK (e.g.)
should come back with a piece of information set up previously. So I
type in bzs in preparation for actually logging in, and the website should
respond with "HADDOCK"; then I proceed, and if it doesn't, I'm suspicious.
But this would be a sizeable educational challenge and as I said we're
dealing with the gullible so if the site comes back with "Sorry, that
information has been purged due to security concerns, please complete
log in for further instructions" they probably will.
--
-Barry Shein
Software Tool & Die | bzs at TheWorld.com |
http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login:
617-739-WRLD
The World | Public Access Internet | Since 1989
*oo*
----
This outgoing message is guaranteed to be authentic by MessageLevel users.
Guarantee the authenticity of your email @ http://www.messagelevel.com.
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
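The exchange above turns on what SPF actually takes as input, so here is an added worked example: a minimal SPF evaluator in Python, written for this page and not taken from either message, from MessageLevel, or from any real SPF implementation. The DNS table, domains (example-bank.test, example-bank-security.test, _spf.mailer.test) and addresses (RFC 5737 test ranges) are all constructed stand-ins, not US Bank's real records. The receiving MTA feeds the peer address of the SMTP TCP connection and the MAIL FROM domain into the check; nothing the client writes in the message is an input, so an authorised address copied out of the record does not help a sender who connects from elsewhere, while a lookalike domain whose own record authorises the sender passes cleanly.

```python
"""Minimal SPF evaluator (subset of RFC 7208) over a constructed DNS table.

Added example for this thread; not code from either message, from
MessageLevel, or from any real SPF implementation. Domains, records and
addresses are hypothetical (RFC 5737 test ranges), not US Bank's DNS data.
"""
import ipaddress

# Constructed, in-memory DNS standing in for real lookups (hypothetical data).
DNS = {
    "example-bank.test": {
        "TXT": ["v=spf1 ip4:203.0.113.0/26 a:mail.example-bank.test "
                "include:_spf.mailer.test -all"],
    },
    "mail.example-bank.test": {"A": ["203.0.113.200"]},
    "_spf.mailer.test": {"TXT": ["v=spf1 ip4:198.51.100.0/25 ~all"]},
    # A lookalike domain the phisher registered and controls outright.
    "example-bank-security.test": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in DNS.get(domain, {}).get("TXT", []):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_host(client_ip, domain, depth=0):
    """Evaluate SPF for a MAIL FROM in `domain` arriving from `client_ip`.

    `client_ip` is the peer address of the SMTP TCP connection as the
    receiving MTA observed it. Nothing the client wrote in the message
    (headers, a forged Received: line, an IP copied out of the record)
    is an input, which is why copying an authorised address is useless
    to a sender who cannot actually originate traffic from it.
    """
    if depth > 10:                      # RFC 7208 caps include: recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            # A version mismatch (v6 client vs ip4 network) is simply no match.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "a":
            host, _, cidr = (arg or domain).partition("/")
            for a in DNS.get(host, {}).get("A", []):
                if addr in ipaddress.ip_network(f"{a}/{cidr or 32}", strict=False):
                    return QUALIFIERS[qual]
        elif mech == "include":
            if check_host(client_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"          # mx, ptr, exists, redirect not modelled
    return "neutral"                    # record exhausted without a match


def smtp_session_result(peer_ip, mail_from):
    """What the receiver does at MAIL FROM time: domain from the envelope,
    IP from the socket. The message body has not even been transmitted yet."""
    return check_host(peer_ip, mail_from.rsplit("@", 1)[1])


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "alerts@example-bank.test"),    # bank's own range: pass
        ("203.0.113.200", "alerts@example-bank.test"),   # matched via a: mechanism
        ("192.0.2.77", "alerts@example-bank.test"),      # phisher with copied IP: fail
        ("198.51.100.5", "alerts@example-bank.test"),    # authorised via include:
        ("198.51.100.200", "alerts@example-bank.test"),  # include softfails, -all wins
        ("192.0.2.77", "alerts@example-bank-security.test"),  # lookalike: pass
        ("192.0.2.77", "alerts@nospf.test"),             # domain publishes no record
    ]
    for ip, sender in cases:
        print(f"{ip:>15}  {sender:<38} {smtp_session_result(ip, sender)}")
```

The evaluator deliberately stops at the mechanisms needed for the scenario (ip4, ip6, a, include, all) and returns permerror for anything else; a production checker resolves the records live and also handles mx, ptr, exists and redirect. The last two cases are the ones Barry Shein's reply points at: a domain the phisher controls gets whatever SPF result the phisher wants, and a domain with no record yields "none", not "fail".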