ietf-asrg

RE: [Asrg] 7. Best Practices - DNSBLs - Article

2003-08-12 12:51:45
At 12:48 PM 8/12/2003, Jason Steiner wrote:
"Yakov Shafranovich" <research(_at_)solidmatrix(_dot_)com>
>
> Any kind of auditing or control over the inner procedures of a black
> list would improve the situation.

I dispute this. Blocklists have reputations, even if that reputation is
no reputation at all, and anyone who does a minimal amount of
research can find out what that reputation is. If you don't like a
blocklist's reputation, don't use it.

The problem is that mail administrators are so fed up with spam, they choose blacklists based on their effectiveness, not reputation. The more IPs a blacklist blocks, the more effective it is, but it is hard for an ISP to do an evaluation of how much innocent email is being blocked. It would be much easier if ISPs would flag messages like SpamAssassin does with input from DNSRBLs and then let the users decide. Within the consent framework, relying on a single source of information is not a good thing. The best thing is using multiple sources of information and then letting the consent system decide what to do with it.

Mail administrators should be aware of the need to investigate blocklists - this is something for the BCPs. Also, shedding some light on the inner workings of a blocklist such as SPEWS.org by a third party might make it easier for mail administrators to evaluate it.

Do we really need an auditing organization to tell us that SPEWS
has no contact information and lists more than just the spammer?
Of course not. So what is the real goal of proposals for auditing
organizations?

To make sure that every blocklist follows the same standards, which
just so happen to be the preferred standards of the person making
the proposal! But that defeats the whole purpose of having multiple
blocklists. And it would be far easier to start a new blocklist that
actually embodied those standards than it would be to start a
organization intended to enforce those standards on other blocklists
that might well disagree with them.

The purpose of auditing is to make sure that the blocklist procedures listed on their website are actually being followed. That's all - all we need to know is whether SPEWS.org or some other DNSRBL is actually listing and de-listing IPs based on the criteria that are mentioned on their website. And if there are no such criteria, then the DNSRBL in question can write them based on whatever philosophy they want. Currently, many people do not trust a closed no-contact DNSRBL to actually follow their own procedures, but rather believe that a lot of listing/delisting procedures are being done on a whim.

We do not need to make standards for blocklists; however, a small BCP might be useful with things like the need to state clearly what your listing/delisting policy is, etc. Most of the BCPs for DNSRBLs would center around the need to state what is actually going on inside one, not actually trying to enforce specific policies. Additionally, support for consent systems and associated protocols might be useful as well.

> A rating system would not be sufficient since it has potential for
> abuse. We would need someone to audit the blacklists,
> something like the Truste seal program for privacy. Or perhaps
> just a reliable auditor like a major accounting or security company,
> maybe even ISO 9002 (although with Enron and Arthur Andersen
> story that might not be reliable enough).

Exactly. And Truste's reliability isn't all that great either.

I know, it was just a thought.


> All we need is that a third impartial party has examined the procedures
> of the blacklist. Unfortunately that is not being done today.

Where are you going to find a truly impartial third party, and who's
going to make sure that they stay impartial? Where will we find these
angels to rule us?

I submit that any anti-spam proposal that requires some centralized,
incorruptible, and totally impartial authority is fundamentally unworkable.
They do not exist, and even if they did, a centralized organization would
be too big a target to escape eventual corruption.

I agree with you - I am not seeking a centralized organization with "one ring to rule them all". Nor are there impartial third parties. I guess I went a bit overboard with this - but my main point is:

If you operate a DNSRBL, then disclose your inner procedures and actually follow them.

IF for whatever reasons you do not want to do so, then have someone else audit your procedures and let them vouch for you.

Yakov
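The multi-source approach Yakov argues for above (take weighted input from several DNSRBLs, tag the message the way SpamAssassin does, and let a local policy decide instead of hard-rejecting on one closed list), as an added example that is not part of the original thread. The zone names, weights, thresholds and the offline resolver data are all constructed for the demo; the `system_resolver` helper is the only piece that talks to real DNS and is not used by the demo itself.

```python
"""Score a sending IP against several DNSBLs rather than hard-blocking on one.

Added example, not code from the ASRG thread or any real DNSBL. All zone
names, weights, thresholds and the fake DNS answers are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # query name -> A record text or None

# Hypothetical zones with per-list weights. A list known to block whole
# netblocks (lots of collateral) gets less weight than one that lists hosts.
LISTS: Dict[str, float] = {
    "wide.bl.example.test": 1.0,
    "host.bl.example.test": 2.5,
    "dead.bl.example.test": 0.5,
}
FLAG_AT = 2.0    # tag the message for the user, like SpamAssassin does
REJECT_AT = 3.0  # only several independent listings justify rejecting


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed address labels + list zone."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer is '2.0.0.127.in-addr.arpa' (or the nibble ip6.arpa form);
    # drop the trailing two labels and append the zone instead.
    reversed_labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


def is_listing_answer(answer: Optional[str]) -> bool:
    """A listing is an A record inside 127.0.0.0/8. Anything else (e.g. an ISP
    resolver rewriting NXDOMAIN to a search page) is noise and must not count."""
    if answer is None:
        return False
    try:
        return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def list_is_sane(zone: str, resolve: Resolver) -> bool:
    """Convention check (RFC 5782): 127.0.0.2 must be listed, 127.0.0.1 must
    not. A zone failing this is dead or wildcarded and is skipped entirely."""
    listed = is_listing_answer(resolve(dnsbl_query_name("127.0.0.2", zone)))
    clean = not is_listing_answer(resolve(dnsbl_query_name("127.0.0.1", zone)))
    return listed and clean


def score_sender(ip: str, lists: Dict[str, float],
                 resolve: Resolver) -> Tuple[float, Dict[str, str]]:
    """Return (weighted score, {zone: answer}) for every sane list that hits."""
    score, hits = 0.0, {}
    for zone, weight in lists.items():
        if not list_is_sane(zone, resolve):
            continue
        answer = resolve(dnsbl_query_name(ip, zone))
        if is_listing_answer(answer):
            hits[zone] = answer
            score += weight
    return score, hits


def decide(score: float) -> str:
    """Local policy on the aggregate; the lists only supply evidence."""
    if score >= REJECT_AT:
        return "reject"
    if score >= FLAG_AT:
        return "flag"
    return "accept"


def system_resolver(name: str) -> Optional[str]:
    """Real lookup via the stub resolver; None on NXDOMAIN or any failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed DNS answers so the demo runs offline (not real list data).
FAKE_ZONE_DATA: Dict[str, str] = {
    "2.0.0.127.wide.bl.example.test": "127.0.0.2",
    "2.0.0.127.host.bl.example.test": "127.0.0.2",
    "2.0.0.127.dead.bl.example.test": "127.0.0.2",
    "1.0.0.127.dead.bl.example.test": "127.0.0.2",   # wildcarded: lists everyone
    "4.113.0.203.wide.bl.example.test": "127.0.0.2", # listed on one wide list only
    "4.113.0.203.dead.bl.example.test": "127.0.0.2",
    "8.100.51.198.wide.bl.example.test": "127.0.0.2",
    "8.100.51.198.host.bl.example.test": "127.0.0.4",
    "9.2.0.192.host.bl.example.test": "127.0.0.2",
    "9.2.0.192.wide.bl.example.test": "198.51.100.99",  # hijacked NXDOMAIN, ignored
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for sender in ("203.0.113.4", "198.51.100.8", "192.0.2.9"):
        total, hits = score_sender(sender, LISTS, fake_resolver)
        print(sender, total, decide(total), sorted(hits))
```

The two checks worth keeping even if you change the scoring are the 127.0.0.0/8 answer test and the 127.0.0.2/127.0.0.1 sanity probe: a wildcarded or hijacked zone otherwise silently lists every sender, which is exactly the "on a whim" failure the thread complains about, only now caused by DNS rather than by the list operator.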


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg