Can DCC block phishing e-mail?

Vernon Schryver vjs@calcite.rhyolite.com
Mon Jun 20 03:32:45 UTC 2005


> From: Gary Mills 

> I'm wondering if DCC can do some of this work?
>
> Specifically, could the real organization's e-mail domain be related
> to its outgoing SMTP server?  Using the current facilities, specifying
> `ok2' with `substitute mail_host' and with `ip' might work to some
> extent.  However, the two values are not tied to each other.  Is there
> a better way to do this?

How do you know which is the real organization?  Are you considering
believing whatever TrustE says or going into competition with TrustE?
In other words, I think the problem is as hopeless as expecting people
to stop opening attachments of viruses with "social engineering"
Subject: lines or body texts with help from a computerized identification
and authentication scheme.


> I realize that what I'm asking is the subject of several so-called
> sender authentication proposals, and that there are milters that
> work for some of them.

perhaps, for some--ah--sales and marketing oriented values of "work."

I've had very little success in convincing anyone of what I see as
insurmountable problems for almost all authentication based ideas for
fixing phishing--or any spam.  How do you solve the key distribution
problem?  How do you know which IP addresses, host names, DNS TXT RRs,
DNS-PKI certs or whatever are for the real organization instead of
a similar looking bad guy, both with perfectly legitimate DNS PTR RRs,
Verisign PKI certs, SPF TXT RRs, domain keys RRs, or anything else
you might prefer?

Perhaps a famous author like John Levine can do the trick of making
it clear.  Please see the last third of
http://www.merit.edu/mail.archives/nanog/msg08456.html
concerning phoop.com, customercenter.net, mbnanetaccess.com,
mbna-account.com, and mbna-accounts.com


I've been fiddling with an automated reputation idea using DCC data
and realized something obvious and long known.  Any sort of reputation
system will have lots of false positives from some more or less
legitimate points of view.  Imagine that you have a scheme that 100%
reliably identifies trojan proxies or zombies that are sending 100K
or more spam per day.  If the owners of those systems send 10 to 100
legitimate messages per day, then their reputations will be 99.9% or
99.99% spamish, but those 10-100 messages will be false positives.
Then there is the legitimate mail from professional spammers to their
friends, colleagues, suppliers, and customers.


Vernon Schryver    vjs@rhyolite.com
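The false-positive argument in the reputation paragraph above, worked through as an added example (not DCC code and not from the original post): a per-IP reputation is the spam fraction of a source's recent traffic as judged by an assumed-perfect zombie detector, and a filter that rejects on that reputation must also reject the owner's few legitimate messages, because every message from one source carries the same score. The IP address, the counts and the `Message` record are constructed for the illustration.

```python
"""Toy per-IP reputation filter showing why a source-level score produces
false positives even with a perfect spam detector.  Constructed data only;
this is an illustration, not DCC's reputation code."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    src_ip: str      # connecting SMTP client address
    is_spam: bool    # ground truth from the assumed-perfect detector


def build_reputation(history):
    """Return {ip: spam_fraction} computed from the messages seen so far."""
    spam, total = Counter(), Counter()
    for m in history:
        total[m.src_ip] += 1
        if m.is_spam:
            spam[m.src_ip] += 1
    return {ip: spam[ip] / total[ip] for ip in total}


def filter_by_reputation(messages, reputation, threshold):
    """Reject every message whose source reputation exceeds threshold.

    Returns (false_positives, false_negatives): legitimate mail rejected only
    because it shares a source with spam, and spam accepted because the
    threshold was set high enough to spare that source."""
    fp = fn = 0
    for m in messages:
        rejected = reputation.get(m.src_ip, 0.0) > threshold
        if rejected and not m.is_spam:
            fp += 1
        if not rejected and m.is_spam:
            fn += 1
    return fp, fn


def zombie_day(ip, spam_count, legit_count):
    """Constructed traffic for one compromised host: spam_count spam plus
    legit_count legitimate messages from the machine's owner."""
    return [Message(ip, True)] * spam_count + [Message(ip, False)] * legit_count


def demo(spam_count=100_000, legit_count=100):
    """Reproduce the 100K-spam / 100-legitimate case from the post.

    Returns (reputation, fp_at_0_5, fn_at_0_5, fp_at_0_9999, fn_at_0_9999):
    any threshold below the source's score rejects all of the owner's mail,
    any threshold above it accepts all of the spam; no threshold separates
    them because the score is per source, not per message."""
    ip = "192.0.2.10"  # constructed documentation-range address
    history = zombie_day(ip, spam_count, legit_count)
    rep = build_reputation(history)
    fp_low, fn_low = filter_by_reputation(history, rep, threshold=0.5)
    fp_high, fn_high = filter_by_reputation(history, rep, threshold=0.9999)
    return rep[ip], fp_low, fn_low, fp_high, fn_high


if __name__ == "__main__":
    rep, fp_low, fn_low, fp_high, fn_high = demo()
    print(f"reputation {rep:.5f}")
    print(f"threshold 0.5    -> {fp_low} false positives, {fn_low} spam accepted")
    print(f"threshold 0.9999 -> {fp_high} false positives, {fn_high} spam accepted")
```

With 100K spam and 100 legitimate messages the source scores about 0.999; with 10 legitimate messages it scores about 0.9999. Either way the filter's only choices are to reject the owner's legitimate mail along with the spam or to accept the spam along with it.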