[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] where the message originated (was: DKIM role?) (SM)

To: Anti-Spam Research Group - IRTF <asrg at irtf.org>
Subject: Re: [Asrg] where the message originated (was: DKIM role?) (SM)
From: Rich Kulawiec <rsk at gsp.org>
Date: Mon, 19 Jan 2009 16:55:22 -0500
Delivered-to: ietfarch-asrg-web-archive at core3.amsl.com
Delivered-to: asrg at core3.amsl.com
In-reply-to: <6.2.5.6.2.20090119055812.02d1e2f0 at resistor.net>
List-archive: <http://www.irtf.org/pipermail/asrg>
List-help: <mailto:asrg-request@irtf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-post: <mailto:asrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
References: <775CA0FF2824E018986610DB at paine.local> <6.2.5.6.2.20090116094007.02ba3f60 at resistor.net> <958E4963CC5DD3398A1792C4 at lewes.staff.uscs.susx.ac.uk> <6.2.5.6.2.20090119055812.02d1e2f0 at resistor.net>
Reply-to: Anti-Spam Research Group - IRTF <asrg at irtf.org>
Sender: asrg-bounces at irtf.org
User-agent: Mutt/1.5.18 (2008-05-17)

On Mon, Jan 19, 2009 at 07:55:26AM -0800, SM wrote:
> I would prefer if my bank used a mechanism for email that protects the 
> integrity of the content.

That's an excellent point.  In addition, I would prefer my bank to
(a) not outsource their mail, (b) not send mail marked up with HTML
(the phisher's best friend) and (c) not send mail which includes any
URLs in the text.

( About (c): If they never send any, they can never typo them.  Nor can I,
when copying them from mail by hand or cut-and-pasting.  If I rely
solely on the single URL I entered -- very carefully, by hand, once --
then my chances of going to a typosquatted site drop considerably.
An attacker would need to gain control of the place I've stored that
URL, which would require gaining control of my computer, which would
mean that there would be no need for them to bother sending me a phish,
since they could just extract the URL/username/password triplet directly
the next time I used it.

Moreover, if the bank trained all their customers in this -- just like
they [try to] train them that they will never, ever ask for a password
-- then they'd be training their customers to be phish-resistant,
since they'd know that any message with a putative URL for the bank
is a phish.  This in turn would discourage phishers, who would be presented
with a reduced attack surface.  Maybe.  On a good day.  See Chris's comment
about educating users and recall Marcus Ranum's advice on that very topic:
"If it were going to work, it would have worked by now".  I concur that
we need to attack this problem at the MTA and network layers, because
by the time it gets to users, it's too late. )

But banks (and other financial institutions) don't do this.  It appears,
if I can attempt to intuit their priorities from the methods and content
of their email messages, that they are far more interested in marketing
and assessing marketing effectiveness than they are in message privacy,
security and integrity.  I think if it were otherwise, then, among
other things, PKI would have long since become widely deployed, and
they wouldn't actively be training their customers to click on links
in mail messages.

---Rsk
_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] where the message originated (was: DKIM role?) (SM)
  - From: SM

References:
- Re: [Asrg] where the message originated (was: DKIM role?) (SM)
  - From: Ian Eiloart
- Re: [Asrg] where the message originated (was: DKIM role?) (SM)
  - From: SM
- Re: [Asrg] where the message originated (was: DKIM role?) (SM)
  - From: Ian Eiloart
- Re: [Asrg] where the message originated (was: DKIM role?) (SM)
  - From: SM

Prev by Date: Re: [Asrg] where the message originated (was: DKIM role?) (SM)
Next by Date: Re: [Asrg] where the message originated (was: DKIM role?) (SM)
Previous by thread: Re: [Asrg] where the message originated (was: DKIM role?) (SM)
Next by thread: Re: [Asrg] where the message originated (was: DKIM role?) (SM)
Index(es):
- Date
- Thread