ietf-mxcomp

Re: Reputation services for SenderID

2004-08-30 14:27:31

On Sun, 2004-08-29 at 15:22, mazieres(_at_)gmail(_dot_)com wrote:
> On Fri, 27 Aug 2004 19:15:31 -0400, John Leslie <john(_at_)jlc(_dot_)net>
> wrote:
>  ...
> >    We then evaluate the list of IPs authorized by the SPF2 record,
> > and run them against known IP blacklists; accumulating a score based
> > on weighting the reputation of those blacklists for spam identified,
> > false negatives, and false positives.
>
> This might usually work, but what do you do about the exists and ptr
> mechanisms?  In general there is no practical and 100% reliable way to
> produce a list of IP addresses authorized by an SPF2 record.

Evaluating against a currently available IP address blacklist, for
moving from an address scheme to a name scheme, by transferring existing
address information found published in SPF2 records is not possible.  If
there was a black-listed IP address that authenticated as being within
the Sender-ID mail-channel, then that name might be added to a RHSBL. 
Without other confirmation, this would erode reasons for using names
rather than addresses.  Most would drop the connection and not care what
the Sender-ID identity was or whether the MTA authenticated. 

To build upon the IP address blacklist and correlate to a name cannot
make use of the SPF2 records directly.  One cannot trust the ownership
of addresses published in the SPF2 records.  Building information from
an address black-list based upon what is published in SPF2 records is
meaningless. Publishing addresses has demonstrated nothing with respect
to being administratively responsible for them.  Conversely, obtaining
this address information from complex SPF2 records is impossible without
message-based keys to build access labels.  Sender-ID SPF2 records do
not enable a safe correlation between the MTA address and the Mailbox
Domain.

If comparing an IP blacklist and the SPF2 records:

Building:
   A spammer could make themselves appear to be using known good
   addresses, where different addresses are actually used by
   means of the labeling mechanism built upon unpublished information
   found only in the message.  This is a good reason why a macro label
   mechanism is bad.  The SPF2 record must be ignored.

Reporting:
   A spammer could make known good addresses appear bad, if the
   published addresses are included in a reputation assessment.  The
   SPF2 record must be ignored.

Sender-ID SPF2 does not allow a safe bridge between IP address
information and domain name information for reputation use.  Spammers do
whatever it takes to gum up the works and that means claiming IP
addresses they don't administer.  As you point out, the actual address
may not be accessible, if reviewed independent of a message. 

The Sender-ID entity could reside behind a transparently intercepted or
shared outbound SMTP server.  This means assumptions regarding this
Sender-ID identity being authentic may be in error. Sender-ID only gives
the appearance of authenticating the sender, and may have the
unfortunate outcome of being a useful ploy to enable spammers to promote
themselves as being validated by this flawed system.  It also means
innocent parties will become "reputation" victims of these ploys.

-Doug
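Added example, not part of the thread or of any SPF implementation: a small Python classifier that splits an SPF/SPF2 record into terms that reduce to a fixed address set (ip4/ip6, the final all), terms that need DNS but are still static (a, mx, include, redirect), and terms that can only be evaluated per message (exists, ptr, anything carrying a macro). The record strings below are constructed, and example.net / example.com are placeholders; the point is that the blacklist-intersection idea quoted above has no input at all for the third group.

```python
import ipaddress
import re

# Mechanisms whose matching set depends on the message (sender local part,
# connecting IP's reverse DNS, macro expansion): no static IP list exists.
MESSAGE_DEPENDENT = {"exists", "ptr"}
MACRO_RE = re.compile(r"%\{[slodiphcrtv]", re.IGNORECASE)  # SPF macro letters

def classify_spf(record):
    """Split an SPF/SPF2 record into statically enumerable CIDRs, terms that
    need DNS but still resolve to a fixed set, and per-message terms."""
    static, dynamic, needs_dns = [], [], []
    terms = record.split()
    if not terms or not terms[0].lower().startswith(("v=spf1", "spf2.0/")):
        raise ValueError("not an SPF/SPF2 record")
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            _, _, value = term.partition("=")
            (dynamic if MACRO_RE.search(value) else needs_dns).append(term)
            continue
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is +
        body = term.lstrip("+-~?")
        mech = re.split(r"[:/]", body, 1)[0].lower()   # name before ':' or '/'
        arg = body.partition(":")[2]
        if mech in ("ip4", "ip6"):
            try:
                static.append((qual, ipaddress.ip_network(arg, strict=False)))
            except ValueError:
                dynamic.append(term)  # malformed: cannot be trusted as static
        elif mech in MESSAGE_DEPENDENT or MACRO_RE.search(arg):
            dynamic.append(term)      # value depends on the message being scored
        elif mech in ("a", "mx", "include"):
            needs_dns.append(term)    # fixed set, but only after DNS resolution
        elif mech == "all":
            static.append((qual, "all"))
        else:
            dynamic.append(term)      # unknown mechanism: treat as unenumerable
    return {"static": static, "dynamic": dynamic, "needs_dns": needs_dns}

def is_enumerable(record):
    """True only when the record can be reduced to a fixed set of addresses:
    no per-message terms and no positive 'all' (which authorizes everyone)."""
    result = classify_spf(record)
    if result["dynamic"]:
        return False
    return not any(q == "+" and m == "all" for q, m in result["static"])
```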