--On 19 January 2009 16:02:19 -0800 SM <sm at resistor.net> wrote:
At 13:55 19-01-2009, Rich Kulawiec wrote:
That's an excellent point. In addition, I would prefer my bank to (a) not outsource their mail, (b) not send mail marked up with HTML (the phisher's best friend) and (c) not send mail which includes any URLs in the text.
The economy and specialization works in favor of (a) and marketing in favor of (b).
Yes, but legislation requiring banks to do sensible things here is feasible. At least, it is in the UK and probably elsewhere given their current reputation for incompetence.
Actually, it's not the outsourcing that's the problem. They just need to do that properly, with sensible return-paths and appropriate SPF records.
If banks were doing that properly, it would be easier for ESPs to detect phishing, then you could conceivably hold them responsible when they fail to do so.
--
Ian Eiloart
IT Services, University of Sussex
x3148
_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg
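
Added example, not part of the original message: a receiver-side check of the "sensible return-paths and appropriate SPF records" point, using a simplified SPF evaluator over constructed TXT records. The domains, addresses, the `assess` helper and the reading of "sensible" as "return-path inside the bank's own domain" are assumptions made for illustration.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation-range addresses).
ZONE = {
    "bank.example": "v=spf1 ip4:192.0.2.0/28 include:esp.example -all",
    "bounces.bank.example": "v=spf1 include:esp.example -all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, zone=ZONE, depth=0):
    """Evaluate ip4/ip6/include/all only; other mechanisms are skipped."""
    if depth > 10:  # simplified stand-in for RFC 7208's limit of 10 DNS lookups
        return "permerror"
    record = zone.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = spf_check(arg, ip, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # a failing include just does not match
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def assess(return_path, header_from, ip, zone=ZONE):
    """SPF result for the envelope sender, and whether it sits in the From domain."""
    rp = return_path.rsplit("@", 1)[-1].lower()
    frm = header_from.rsplit("@", 1)[-1].lower()
    aligned = rp == frm or rp.endswith("." + frm)
    return spf_check(rp, ip, zone), aligned

if __name__ == "__main__":
    for rp, ip in [("bounce@bounces.bank.example", "198.51.100.25"),
                   ("bounce@esp.example", "198.51.100.25"),
                   ("bounce@bounces.bank.example", "203.0.113.9")]:
        print(rp, ip, assess(rp, "alerts@bank.example", ip))
```

The second case is the poorly outsourced one: SPF passes for the ESP's own domain, but nothing ties the envelope sender to the bank, so a receiver cannot tell it apart from any other sender that passes SPF for an unrelated domain.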