A Poor Man's Anti-Spam Reputation System?
After reading through the Lumos whitepaper, I am considering the delta
between what the proposed architecture achieves and what can be accomplished
with existing anti-spam systems. Here, I am thinking aloud on how to build a
poor man's reputation system using these existing systems. It seems that we
can achieve a reasonable amount of the goals presented in the Lumos paper
with existing systems. The additional requirements can be met with a
possibly minimal set of changes.
1. Reputation
This table shows some of the performance criteria that are proposed in
Lumos, how these criteria are monitored by existing systems, and what
identity is based upon in each of these systems.
Performance Criteria                            Existing System                           Identity based upon
----------------------------------------------  ----------------------------------------  -------------------------
Abuse Complaint Count                           Complaint-based blacklists                IP address or domain name
                                                Razor                                     Message
                                                Distributed Checksum Clearinghouse (DCC)  Message
Adherence to Volume Email Standards/Guidelines  Habeas                                    Message
                                                Bonded Sender                             IP address
                                                Practices-based blacklists                IP address or domain name
Message Volume                                  Distributed Checksum Clearinghouse (DCC)  Message
                                                SenderBase                                IP address
The performance criteria that are missing are: 1) hard bounce count and 2)
duplicate unsubscribe count. These conditions can be detected at the
outgoing gateway. At some threshold, these conditions will be considered an
abuse complaint. At this point, it would be reported to one of the existing
reputation systems such as a blacklist, razor, or DCC possibly with some
count greater than one.
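As an added illustration of the gateway-side detection described above (this is example code written for this note, not anything from the Lumos paper or from Razor, DCC or any blacklist), the sketch below tallies hard bounces and duplicate unsubscribe requests per local sender from constructed outgoing-gateway events, and once either count crosses a threshold it produces a synthetic abuse complaint with a weight greater than one. The event format, the thresholds, and the whitespace/case-normalised SHA-256 used as a stand-in for a Razor/DCC-style campaign checksum are all assumptions of this example.

```python
import hashlib
from collections import defaultdict

# Constructed sample of outgoing-gateway events (not real traffic).
# Each event: (local sender, recipient, event type, message body or "").
EVENTS = [
    ("bulk@example.test", "r1@example.net", "hard_bounce", "Great offer, buy now!"),
    ("bulk@example.test", "r2@example.net", "hard_bounce", "Great  offer, BUY now!"),
    ("bulk@example.test", "r3@example.net", "hard_bounce", "Great offer, buy now!"),
    ("bulk@example.test", "r4@example.net", "unsubscribe", ""),
    ("bulk@example.test", "r4@example.net", "unsubscribe", ""),
    ("bulk@example.test", "r4@example.net", "unsubscribe", ""),
    ("news@example.test", "r5@example.net", "hard_bounce", "Weekly newsletter"),
]

# Assumed thresholds; a real gateway would tune these per sender class.
HARD_BOUNCE_THRESHOLD = 3
DUP_UNSUB_THRESHOLD = 2


def message_signature(body: str) -> str:
    """Hypothetical campaign checksum: collapse whitespace and case, then hash.

    Stand-in for the message-based identity that Razor/DCC use; the real
    systems use their own fuzzy checksums.
    """
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


def evaluate(events, hard_bounce_threshold=HARD_BOUNCE_THRESHOLD,
             dup_unsub_threshold=DUP_UNSUB_THRESHOLD):
    """Return synthetic abuse complaints for senders that crossed a threshold.

    Each complaint carries the sender (IP/domain-side identity), the reasons,
    a complaint_count greater than one when both thresholds are crossed, and
    the campaign signatures that could be handed to a message-based system.
    """
    hard_bounces = defaultdict(int)      # sender -> hard bounce count
    unsub_seen = defaultdict(set)        # sender -> recipients already unsubscribed
    dup_unsubs = defaultdict(int)        # sender -> repeated unsubscribe count
    campaigns = defaultdict(set)         # sender -> campaign signatures seen

    for sender, recipient, kind, body in events:
        if body:
            campaigns[sender].add(message_signature(body))
        if kind == "hard_bounce":
            hard_bounces[sender] += 1
        elif kind == "unsubscribe":
            # A second unsubscribe from the same recipient means the first
            # one was ignored: that is the duplicate-unsubscribe condition.
            if recipient in unsub_seen[sender]:
                dup_unsubs[sender] += 1
            else:
                unsub_seen[sender].add(recipient)

    reports = []
    for sender in sorted(set(hard_bounces) | set(dup_unsubs)):
        reasons = []
        # Weight the complaint by how many threshold multiples were reached.
        weight = 0
        if hard_bounces[sender] >= hard_bounce_threshold:
            reasons.append("hard_bounce_count")
            weight += hard_bounces[sender] // hard_bounce_threshold
        if dup_unsubs[sender] >= dup_unsub_threshold:
            reasons.append("duplicate_unsubscribe_count")
            weight += dup_unsubs[sender] // dup_unsub_threshold
        if reasons:
            reports.append({
                "sender": sender,
                "reasons": reasons,
                "complaint_count": weight,
                "campaigns": sorted(campaigns[sender]),
            })
    return reports


if __name__ == "__main__":
    for report in evaluate(EVENTS):
        print(report)
```

In the constructed sample only bulk@example.test crosses a threshold: three hard bounces and two repeated unsubscribes from the same recipient, so its complaint is reported with a count of two and a single campaign signature, while the newsletter sender with one hard bounce stays below both thresholds.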
2. Identity
The above reputation systems form identities based on either the IP address
or the message signature. The message signature is equivalent to the
'campaign' as termed in Lumos.
Additionally, domain level authentication can be achieved using RMX-like
systems which form an association between the IP address and the domain
name.
Hostname or domain level authentication can be achieved using existing
technologies such as SSL, PGP, or S/MIME. Every major email server supports
SMTP over SSL. Leveraging this already deployed technology can achieve
domain-based authentication.
If this path is explored, do we need new certification/registration
services? Can we not tie one of these authenticated pieces of information
to the combined reputation from the systems above?