Re: [exim] Anti Phishing ACL

Author: Ian Eiloart
Date:  
To: Jeroen van Aart, Exim Users List
Subject: Re: [exim] Anti Phishing ACL


--On 30 October 2008 11:31:13 -0700 Jeroen van Aart <kroshka@???>
wrote:

> neil wrote:
>> I have tried in the past to contact banks and ask about SPF, DKIM etc,
>> but I have had no reply.
>
> Rightfully so. I wouldn't trust a bank who'd just comply to the whims of
> an individual emailing them about this or that random questionable
> feature.
>
>> Yes I know that SPF etc breaks stuff <cue furious debate about
>> forwarding>, but I would have though that in the few cases where people
>> set up deliberate forwarding they could whitelist, versus the millions
>> of phishing mails sent each day.


It doesn't break anything. Email is already fundamentally broken, if you
care even the slightest bit about security.

>
> Do you honestly believe that SPF or whatever is the newest fancy useless
> feature will prevent phishing even a tiny bit?


Absolutely, but it has to be combined with user friendly tools to help
people understand where something came from.

> I don't. SPF doesn't just
> break forwarding but can actually promote spam


Only if people confuse SPF pass with reputation. It (or something similar)
is a pre-requisite for useful reputation systems. The only reputation we
can currently assign is to IP addresses, and that might be useful for
blocking some bad stuff, but what banks and their customers need is a way
to say "yes, this really did come from your bank". The best we can do at
the moment is say "This IP address has (or hasn't) been a spam emitter in
the past", and that's not what we care about.

Banks can, and should, let their customers know which domains they're going
to use for email. Email clients ought to offer a facility to not just
whitelist their bank's domain, but to verify the email source.

> and spammers appear to
> have adopted it quickly:


Doesn't matter. An SPF match is meaningless in the absence of information
about the domain reputation.

> http://www.theregister.co.uk/2004/09/03/email_authentication_spam/


That report actually says "SPF ... might be useful in curtailing spoofing
and phishing attacks"

>
> Greetings,
> Jeroen




--
Ian Eiloart
IT Services, University of Sussex
x3148
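The argument above (an SPF pass only becomes useful once it is tied to what you already know about the domain) can be shown as a small decision routine. The following is an added illustration written for this page; it is not Ian's code, Jeroen's code or anything shipped with Exim. The SPF records, IP ranges, domain names and the "trusted domains" table are constructed sample data, and the SPF evaluator is deliberately minimal (it handles only `ip4`/`ip6` mechanisms and the final `all`, not `include`, `a`, `mx` or DNS lookups).

```python
import ipaddress

# Constructed sample data: SPF TXT records as they might be published in DNS.
# The domains and address ranges are documentation/reserved values, not real senders.
SPF_RECORDS = {
    "examplebank.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "spammer.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "forwarder.test": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Constructed: domains the user has confirmed with their bank out of band.
# This is the "reputation" that an SPF pass on its own does not supply.
TRUSTED_DOMAINS = {"examplebank.test"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Minimal SPF evaluation against the in-memory records above.

    Walks the record's mechanisms left to right and returns the qualifier of
    the first one that matches the connecting IP: 'pass', 'fail', 'softfail'
    or 'neutral'. Returns 'none' when the domain publishes no SPF record.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    # No mechanism matched and no trailing 'all': SPF defines this as neutral.
    return "neutral"


def classify(from_domain, client_ip):
    """Combine the SPF result with domain trust to reach a usable verdict.

    Only the combination answers the question the thread cares about
    ("did this really come from my bank?"); SPF alone answers only
    "is this IP allowed to send for that domain?".
    """
    spf = check_spf(from_domain, client_ip)
    trusted = from_domain in TRUSTED_DOMAINS
    if trusted and spf == "pass":
        return "verified-trusted"       # authenticated AND a domain we trust
    if trusted and spf == "fail":
        return "likely-phish"           # claims a trusted domain, not from its servers
    if spf == "pass":
        return "authenticated-unknown"  # a spammer's own domain passes SPF just fine
    return "unverified"                 # softfail/neutral/none: nothing to build on


if __name__ == "__main__":
    for domain, ip in [
        ("examplebank.test", "192.0.2.10"),
        ("examplebank.test", "198.51.100.5"),
        ("spammer.test", "198.51.100.9"),
        ("forwarder.test", "10.0.0.1"),
    ]:
        print(f"{domain:18} {ip:15} spf={check_spf(domain, ip):8} -> {classify(domain, ip)}")
```

The point the routine makes is in the third branch: `spammer.test` gets a clean SPF pass because it published a record covering its own servers, and that pass says nothing about whether the mail is wanted. Only the trusted-domain table turns an SPF result into "this really is your bank" or "this is impersonating your bank".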