On Thu, 25 Jan 2007, Martin Hannigan wrote:
> On 1/25/07, Tony Finch <dot(_at_)dotat(_dot_)at> wrote:
>> "Martin Hannigan" <hannigan(_at_)gmail(_dot_)com> wrote:
>>> If I had to pick a technology priority to pique my interest for '07,
>>> that I would
>>> consider proposing as a spending item to "make mail better", it would
>>> be centered around IP reputation.
>> DNS blacklists have been around for a decade.
> "IP reputation" is a different concept than black list.
> By tracking the historical behavior of /32's or larger allocations, we
> could develop a profile of the behaviors that will eventually establish
> a baseline for those allocations as "good", "neutral" or "bad", to keep
> it kind of simple. A lot of this data is already out there.
Blacklists are a form of reputation with a single yes/no answer for a
single type of question. More complex scoring similar or even the same
as you describe is already in use by some companies' spam products
internally, they are just not making data available externally in
some general protocol (spamcop to a degree does). Others also do
a sort of ip reputation by locally combining several blacklists &
whitelists and calculating a score based on that as well as based on
Bayesian filters. I also at some point did a test run with calculating
a score for an ip and then blocking based on score for existing SpamAssassin
scores (mixed results due to large number of connections coming from
different zombied dsl/cable ips - I need to improve the way of generating
a list of ip blocks & assigning general reputation to it for use with
> Take the case of 60 /8 (IIRC). It was allocated to APNIC by IANA and
> spammers began unauthorized advertisements of prefixes high in this
> block, "politely" staying ahead of the RIR allocations, but using them
> as "fresh" address space. In a reputation system, those blocks would
> likely be marked bad since they are unallocated at the RIR level.
These are bogon ips and some of us are rejecting them already, see
http://www.completewhois.com/bogons/ and the blacklist for it is
bogons.dnsiplists.completewhois.com. BTW, it's interesting to note
that some did not believe me when I said 3+ years ago that spammers
would be doing it and it needs to be dealt with.
> Since they are allocated out of IANA, they would be legitimate to most
> RBL's until they were caught in the act, but by the time they are
> observed, the allocations are swapped.
Possibly I do not have enough details, but my understanding is that
spammer[s] (I actually think it's the same one) were not staying close
enough ahead (need to be within 1-2 days of allocation and RIRs
actually do not always do them sequentially), but just taking some
(somewhat random) higher-end ip range within unallocated space or
doing an entire /8. Of course it's possible they are even smarter in
the last few cases.
> The biggest problem I am having this year, so far, is justifying
> spending money on anything related to mail that will not be
> a) very long life and b) really make it better.
Well, yes... but explain that with current internal technologies
"very long life" is still not achievable and you do need to
get some improvement to get a cleaner inbox.
> The more knobs I have, the better, and I think
> IP reputation is the place to be this year.
A number of folks are slowly working on it but it's not really that
likely this year would make a substantial difference I think.
> Account verification before data is "better" in my situation
To be able to apply user policies when making decisions you
need to do it after RCPT TO. Using a blacklist at the start is good
but for most lists (including reputation based ones) it would not
be appropriate (i.e. you must for example accept email to postmaster).
> , and technologies to block or drop connections en masse will have more
> of a likelihood of getting funded internally.
Really? The more "en masse" you do the more good mail would be lost
and the reality is that there appears to be a substantial enough difference
between users that doing it "en masse" for an ISP or for a large enough
enterprise is probably not ok.
Asrg mailing list
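As an added example (not code from the thread or any of its participants), a Python sketch of the local approach the reply describes: several blacklist/whitelist answers are combined into one score, bogon sources are refused at connect time, and the score is applied per recipient only after RCPT TO so that postmaster mail is always accepted. All list names, weights, prefixes and addresses are constructed stand-ins, not real DNSBL data.

```python
"""Local IP reputation as sketched in the thread: add up the answers of
several blacklists/whitelists into one score, refuse bogon sources at
connect time, and apply the score per recipient after RCPT TO so that
mail to postmaster is always accepted.

Added example, not code from the thread; every list name, weight, prefix
and address below is a constructed stand-in, not real DNSBL data."""
import ipaddress

# Constructed stand-in for a bogon (unallocated space) feed.
BOGONS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed lists: name -> (weight, listed networks). Positive weights
# act like blacklists, negative weights like whitelists.
LISTS = {
    "bl_zombies": (2.5, ["198.51.100.0/24"]),
    "bl_spamsource": (3.5, ["198.51.100.7/32", "192.0.2.9/32"]),
    "wl_known_good": (-4.0, ["192.0.2.9/32"]),
}


def is_bogon(ip):
    """True if the address falls inside an unallocated prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


def reputation_score(ip):
    """Sum the weight of every list that contains the address."""
    addr = ipaddress.ip_address(ip)
    return sum(weight for weight, nets in LISTS.values()
               if any(addr in ipaddress.ip_network(n) for n in nets))


def connect_policy(ip):
    """At connection time only bogons are refused outright."""
    return "reject" if is_bogon(ip) else "continue"


def rcpt_policy(ip, recipient, thresholds, default=5.0):
    """After RCPT TO: per-recipient threshold, postmaster always accepted."""
    local = recipient.partition("@")[0].lower()
    if local == "postmaster":
        return "accept"
    limit = thresholds.get(recipient.lower(), default)
    return "reject" if reputation_score(ip) >= limit else "accept"
```

A whitelist entry can pull a listed address back below the threshold (192.0.2.9 scores 3.5 - 4.0 = -0.5), which is the "combining several blacklists & whitelists" effect the reply describes.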