Can DCC block phishing e-mail?

John R Levine
Mon Jun 20 04:02:08 UTC 2005

> I've had very little success in convincing anyone of what I see as
> insurmountable problems for almost all authentication based ideas for
> fixing phishing--or any spam.  How do you solve the key distribution
> problem?

The only idea I've had that seems even remotely workable is branded
per-industry signing certificates.  That is, the signer is a regulator or
trade association who already knows who the legitimate entities are, like
the FDIC for banks in the US.  The signing key would have a logo in it,
something there's already a field for in SSL certs, and the mail program
or browser would display the signer's logo when it validated a cert.
Then you tell people that if it doesn't have the FDIC logo, it's not from
your bank.

The counter attack is to trick people into installing a rogue cert with a
logo just like a famous signer's.  With current MUAs and web browsers,
that's so easy that there's no point in signing.


> Then there is the legitimate mail from professional spammers to their
> friends, colleagues, suppliers, and customers.

Oh, they don't send that through the zombie nets.
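
As an added illustration (not part of this post or of the DCC project), here is a Go sketch of the MUA-side check the scheme above implies: the logo shown comes from the trusted signer the certificate chains to, never from the certificate itself, so a rogue cert that merely copies the logo bytes shows nothing unless it has first been smuggled into the trust store. The regulator and bank names, the logo bytes, and the use of the RFC 3709 logotype extension are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidLogotype = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // id-pe-logotype, RFC 3709
// makeCert issues a cert for cn with the given extensions; self-signed (and a CA) when parent is nil.
func makeCert(cn string, exts []pkix.Extension, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, ExtraExtensions: exts,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// logoToShow returns the logotype of the trusted signer that cert chains to, or nil if it chains
// to none; a copied logo only "works" if the user is tricked into adding the rogue root to the pool.
func logoToShow(cert *x509.Certificate, trusted *x509.CertPool) []byte {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: trusted})
	if err != nil {
		return nil
	}
	for _, e := range chains[0][len(chains[0])-1].Extensions { // last cert in the chain is the root
		if e.Id.Equal(oidLogotype) {
			return e.Value
		}
	}
	return nil
}
// Demo: a regulator root with a logo, a bank cert it issued, and a rogue self-signed cert copying the logo.
func Demo() (bank, rogue []byte) {
	logoExt := []pkix.Extension{{Id: oidLogotype, Value: []byte("constructed regulator logo")}} // placeholder bytes
	reg, regKey := makeCert("Example Regulator", logoExt, nil, nil)
	bankCert, _ := makeCert("Example Bank", nil, reg, regKey)
	rogueCert, _ := makeCert("Example Bank", logoExt, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(reg)
	return logoToShow(bankCert, pool), logoToShow(rogueCert, pool)
}
```

Demo returns the regulator's logo for the bank cert and nil for the rogue one; the trust pool is the whole defence, which is why a user-editable trust store defeats it.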

