HTML email, was Re: Phishing and BGP Blackholing

Travis H. travis+ml-nanog at
Fri Jan 19 07:04:22 UTC 2007

On Thu, Jan 18, 2007 at 07:05:25AM -0800, Matthew Black wrote:
> This presupposes that corporations have a more significant claim
> to domain names than individuals.

Not necessarily; if I am providing login details to a phishing site, I
have probably visited the actual business web site before to create
those credentials in the first place.  Were they to use a consistent
naming strategy, for example always using the same suffix, then I have
a simple rule for avoiding [most] phishing sites; validate the suffix.

More generally, authenticating the identity of someone you share a piece
of information (or history) with is a much more tractable problem than
authenticating someone you don't share anything with.  That is probably
unsolvable via technical means.

As you point out, there still exists the risk of providing personal
details to the wrong site, but phishing sites so far haven't commonly
focused on gathering details for future identity fraud.
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list