Internet and e-mail policy and practice
including Notes on Internet E-mail


2005
Months
Jun

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Email


12 Jun 2005

Phish-proofing URLs in mail? Email

For those who've been living in an e-mail free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. Early bank phishes were pretty clumsy, but the crooks have gotten better at it and current phishes can look very authentic. See this archive of recent phishes at antiphishing.org for some examples.

A very common trick is the fake link, in which the link you think you're clicking on isn't the one you're really clicking on, like this:

<a href="http://badguy.com/somepage">http://www.bigbank.com</a>

The link looks like it's to bigbank.com, but really it's to a fake web site at badguy.com.

Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of links in its are to its own domain, e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. Signature schemes wouldn't need any changes other than for the software that signs the mail to check the mail first and not sign it if it contains nasty stuff.

The hardest part of implementing this is for the banks to adjust the way that they send their mail. I get a fair amount of bank mail, notices that a credit card bill is available, confirming that I've made a change to an account, or that a deposit account has gone above or below a specifed amount. Remarkably few of those messages come from anywhere you might recognize. More often than not they come from a service bureau that handles the function for the bank, not from the bank itself. (I passed some of these messages around to experience spam-fighting friends, most of whom couldn't tell whether they were real. I'll post some of them here shortly.)

So the question is, is it worth the effort to make all of the senders and URLs match up? At this point, my feeling is probably not. If we're going to use message signatures, it doesn't matter what's in the message so long as you trust the signer.


posted at: 16:11 :: permanent link to this entry :: 0 comments
posted at: 16:11 :: permanent link to this entry :: 0 comments

comments...        (Jump to the end to add your own comment)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

 
Name:
Email: you@wherever (required, for confirmation)
Title: (optional)
Comments:
Show my Email address
Save my Name and Email for next time

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access
New!

A keen grasp of the obvious
My high security debit card
306 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse



© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.