ietf-asrg

RE: [Asrg] 2. Improving Blacklists and Reputation Services

2004-02-09 14:13:48
1. Is it feasible to develop a standard format and protocols for storing and querying data from reputation services?

Yes, see the attached.

2. Is it feasible for such format to be feature rich providing more data than a simple yes/no? Meng Wong of SPF proposed on his list a while back something like how many messages sent by MTA, how many were spam, etc., akin to what SenderBase does.

You could do that, but you have to take account of the fact that the filter
is going to have lots of factors to apply in any case. For example how
reliable is the information source, does it talk about every email sender or
just some? Is it whitelist or blacklist?

If you go into too much detail you impose a model on the solution that is
probably unnecessary and is going to limit what people can do.

I think it is better to simply use the standard A pointer blacklist type
hack and then have a metadata record that tells the filter how it thinks the
information should be interpreted.

3. Can this be supplemented by accreditation formats and protocols?

Yes, but the volumes of mail are large, you probably don't want to do more
than DNS lookup in the first pass.

4. Would any of this improve blacklists?

Yes, the big problem at the moment is that blacklists are not accountable to
any party. They tend to operate by attempting to ram the arbitrary policies
they choose down every sender's throat.

I think it is better to have the sender say what their sending policy
is. If they state outright 'I send unsolicited mail to anyone I choose' then
recipients get to say no. If they say 'I send only mail to people who ask
for it by quintuple opt-in' and someone catches them spamming, well they
chose the empirical test that they failed.

5. Would all of this reduce spam?

Yes.

I think that it will happen gradually. In the first phases people will use
SPF to stop their domain being joe jobbed. Given that there is so much joe
job spam that gains credits in SpamAssassin or whatever.

In the next phase you add in an accreditation element. This could be a paid
service, voluntary, whatever the sender chooses. There will be a lot of
different programs for different purposes. I suspect we will have the
standard honeypot approach and blacklists that simply report spam sent to
honeypots from certain domains. These work pretty well provided people do
not imagine that the honeypots are infallible. ISPs and others do not
control their customers as absolutely as some anti-spam zealots claim they
should.

There will also be paid schemes similar to that used for authenticating SSL
cert customers. SSL is not an infallible anti-CC fraud protocol, merchants
can commit abuse after the data has arrived. But it reduces fraud to a very
major degree.

Then you will have your Gates endorsed, TrustE style bonded sender ideas.
Spammers pay.

                Phill

Attachment: accreditation.txt
Description: Text document
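
The lookup pattern described in the message (an A-record blacklist query plus a metadata record that tells the filter how to interpret the answer), as an added example that is not part of the original post or its attachment. The zone names, the `_meta` label, the key=value TXT syntax and the half-weight rule for misses are assumptions made for illustration; DNS answers come from a constructed in-memory table.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The zones, the
# "_meta" label and the key=value TXT syntax are hypothetical.
ZONE_DATA = {
    ("A", "2.0.0.127.honeypot.example"): "127.0.0.2",
    ("TXT", "_meta.honeypot.example"): "type=blacklist; coverage=partial; reliability=0.6",
    ("A", "10.113.0.203.accredited.example"): "127.0.0.2",
    ("TXT", "_meta.accredited.example"): "type=whitelist; coverage=full; reliability=0.9",
}

def resolve(rtype, name):
    """Return the record data, or None for NXDOMAIN."""
    return ZONE_DATA.get((rtype, name.lower()))

def query_name(ip, zone):
    """Build the A-record query name: reversed address labels + list zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 2.0.0.127.in-addr.arpa
    return rev.rsplit(".", 2)[0] + "." + zone       # drop in-addr.arpa / ip6.arpa

def parse_meta(txt):
    """Parse 'k=v; k=v' metadata; unknown or malformed fields are ignored."""
    # Assumed default: a zone without metadata gets reliability 0 (no weight).
    meta = {"type": "blacklist", "coverage": "partial", "reliability": "0"}
    for field in (txt or "").split(";"):
        key, sep, value = field.strip().partition("=")
        if sep and key in meta:
            meta[key] = value.strip().lower()
    try:
        meta["reliability"] = min(max(float(meta["reliability"]), 0.0), 1.0)
    except ValueError:
        meta["reliability"] = 0.0
    return meta

def evidence(ip, zone, lookup=resolve):
    """Signed evidence from one list: >0 points to spam, <0 to a legitimate sender."""
    meta = parse_meta(lookup("TXT", "_meta." + zone))
    listed = lookup("A", query_name(ip, zone)) is not None
    sign = {"blacklist": 1.0, "whitelist": -1.0}.get(meta["type"], 0.0)
    if listed:
        return sign * meta["reliability"]
    # A miss is only informative when the list claims to cover every sender
    # (assumed rule: count it as the opposite signal at half weight).
    if meta["coverage"] == "full":
        return -sign * meta["reliability"] / 2
    return 0.0

def score(ip, zones, lookup=resolve):
    """Sum the evidence from every configured list for one sending address."""
    return sum(evidence(ip, z, lookup) for z in zones)
```
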
