Why authenticated email won't stop phish spam

March 26, 2008

Every so often, people propose some form of authenticated email as a way of stopping phish spam: digital signatures, SPF, DomainKeys; you name it, it's probably been put forward. Unfortunately, all of these are tackling the wrong problem and thus none of them can work even in theory (much less in practice).

The core problem of dealing with phish email is not that you need to be able to positively identify messages from your bank, which is what the various forms of authenticated email give you; it's that software needs to be able to block messages that claim to be from your bank but aren't. Or, more exactly, it needs to be able to spot email that is trying to convince you that it was sent by your bank when it wasn't.

The usual retort is that once people can positively identify messages from their bank, they'll stop being fooled by all the other messages. But we already know that this sort of positive assertion doesn't work; if it did, phishing wouldn't be a problem because people wouldn't enter their bank credentials into anything except their bank's SSL-certified website. Manifestly, they do.

(One of the reasons it doesn't work is that people are much worse at noticing the absence of something than they are at noticing the presence of something.)
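The difference between the two questions can be seen in a small filter sketch. This is an added example, not code from the original post: the domains, the bank name and the three messages are constructed, the `Authentication-Results` header stands in for whatever SPF verdict the receiving mail server recorded, and the display-name match is a deliberately crude stand-in for "trying to convince you it was sent by your bank".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the bank's real domain and the name it goes by.
BANK_DOMAINS = {"examplebank.test"}
BANK_NAMES = ("example bank",)

# Constructed sample messages (headers only).
GENUINE = ("From: Example Bank <alerts@examplebank.test>\n"
           "Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=examplebank.test\n\n")
LOOKALIKE = ("From: Example Bank Security <alerts@examplebank-secure.test>\n"
             "Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=examplebank-secure.test\n\n")
SPOOFED = ("From: Example Bank <alerts@examplebank.test>\n"
           "Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=examplebank.test\n\n")

def authenticated_domain(msg):
    """Domain the receiver recorded as passing SPF, or None."""
    header = msg.get("Authentication-Results", "")
    m = re.search(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=(\S+)", header)
    return m.group(1).rpartition("@")[2].lower() if m else None

def positively_from_bank(msg):
    """The question authenticated email answers: is this really the bank's?"""
    return authenticated_domain(msg) in BANK_DOMAINS

def claims_bank_but_is_not(msg):
    """The question a phish filter must answer instead."""
    display_name, _addr = parseaddr(msg.get("From", ""))
    claims = any(name in display_name.lower() for name in BANK_NAMES)
    return claims and not positively_from_bank(msg)

def classify(raw):
    msg = message_from_string(raw)
    return {
        "authenticated": authenticated_domain(msg) is not None,
        "from_bank": positively_from_bank(msg),
        "impersonation": claims_bank_but_is_not(msg),
    }

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(label, classify(raw))
```

The lookalike message is fully authenticated for its own domain, so a rule that only checks whether authentication passed lets it through; only the impersonation check, which authentication does not supply, separates it from the genuine message.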

Last modified: Wed Mar 26 23:47:25 2008