Interesting People mailing list archives

Clueless about phishing


From: David Farber <dave () farber net>
Date: Thu, 23 Dec 2004 19:37:29 -0500


------ Forwarded Message
From: Bob Frankston <rmfxixB0406 () bobf frankston com>
Date: Thu, 23 Dec 2004 17:27:27 -0500
To: Dave Farber <dave () farber net>
Subject: Clueless about phishing

I just got another suspicious letter – not very – it does seem legit but why
does Verizon assume that I will trust jangomail.com?
 
I'm wary about email messages these days that have a phishing risk. For
safety I try to figure out if the message is, at least, from the claimed
source. I would expect corporations such as eBay and Verizon to share my
concern.
 
My mail handler does simple reality checks on incoming mail. URL's with %'s
are suspicious though they are sometimes legitimate and I want to make sure
that the mail comes from the claimed source. To do that I rely on the site
name and reverse DNS lookup.
 
For normal email this is overly harsh and should not be a blanket policy. It is
also far from perfect. But for phishable sites I expect them to give me some
reason to treat their message as authentic.
 
eBay fails reverse DNS lookup – its DNS names are bound to internal 10.x
addresses.
 
And Verizon sent me that promotional message from Jangomail.com. I can
understand using a third party mailer but it should be from
jangomail.verizon.com not jangomail.com.
 
Making the DNS more critical is not a solution – we need third party
vouching services rather than hardening a single centralized system. Trust
is a social decision not a technical issue. It cannot be solved by appealing
to the God Procrustes.
 
Cryptographic vouching is just a mechanism and part of a large scale
approach I'm working on.
 
In the meantime, the DNS is what we have and those who want our trust must
understand how to use it.


------ End of Forwarded Message
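
The following is an added example, not part of the forwarded message and not the author's mail handler: a sketch of the kind of "reality checks" the message describes (URLs containing %, and whether the relay's reverse-DNS name and the link hosts fall under the claimed sender's domain). The function names, the sample message and the .example domains are constructed, and the reverse-DNS name is assumed to be supplied by the receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def reality_check(raw_message, relay_ptr):
    """Return a list of findings. relay_ptr is the reverse-DNS name of the
    connecting host as recorded by the receiving MTA (None if it has no PTR)."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1]
    sender_domain = addr.rpartition("@")[2] if "@" in addr else ""
    if not sender_domain:
        return ["no parsable From domain"]
    findings = []
    if relay_ptr is None:
        findings.append("relay has no reverse DNS name")
    elif not under(relay_ptr, sender_domain):
        findings.append(f"relay {relay_ptr} is not under {sender_domain}")
    body = msg.get_payload()
    for url in URL_RE.findall(body if isinstance(body, str) else ""):
        host = urlsplit(url).hostname or ""
        if "%" in url:  # sometimes legitimate, so a finding rather than a verdict
            findings.append(f"percent-escape in URL: {url}")
        if not under(host, sender_domain):
            findings.append(f"link host {host} is not under {sender_domain}")
    return findings

# Constructed sample message (not from the original post).
SAMPLE = """\
From: Example Telco <offers@telco.example>
Subject: Holiday offer

See http://mailer.example/click?u=%68ttp://telco.example/offer
and http://www.telco.example/account
"""

if __name__ == "__main__":
    for finding in reality_check(SAMPLE, "out7.mailer.example"):
        print(finding)
```

A PTR name is set by whoever controls the address block, so a production check would also confirm that the name resolves back to the connecting address.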
