ietf-asrg

Re: [Asrg] 2. Improving Blacklists and Reputation Services

2004-02-10 12:23:40
Walter Dnes wrote:
On Mon, Feb 09, 2004 at 03:30:17PM -0500, Yakov Shafranovich wrote:

All of this implies that reputation services such as blacklists will continue to exist. However, a major problem has been with these services is that they provide a binary yes/no answer.

  There is no inherent binary limitation of today's de-facto DNSbl
implementations.  DNSbls have approximately 16 million possible
responses in the 127.0.0.0/8 CIDR.  And furthermore, they can return
multiple records for one query (which is the querying software's
responsibility to handle properly).  Quite a few DNSbls have an
"aggregate zone", which can return multiple values.

What bothers me is that these codes vary from list to list. Would a standard set of codes help?

Second problem that I have is the use of 127.xxx IP addresses for this. This is really not something that should be done via IP addresses; a custom SRV, RR or TXT record would serve a much better purpose.


  In both of the above cases, the idea is to reduce DNS traffic.  Rather
than querying half-a-dozen of the sub-zones, I query the master zone,
and check for any returned values which I want to use.  Similarly, I
could do multiple queries to cn.countries.nerd.dk, tw.countries.nerd.dk,
kr.countries.nerd.dk, etc, etc.  But it's less bandwidth-intensive at
both ends to use the master zone.  There is nothing preventing this type
of response being interpreted in a different manner that includes
granularity.

We should explore other protocols besides DNS for exchanging this data.



Many commercial ISPs would like to make the decisions themselves.
Filters such as SpamAssassin would probably be better off basing data
on a larger scale than a simple yes or no.


  SPEWS already has a "level 1" and "level 2" response.  Is this along
the lines that you're thinking of?  Similarly, Spamhaus has multiple
lists, with one (ROKSO) reserved for blatant, unrepentant spammers.
Between coded numeric values, and separate subzones for various degrees
of spamming, the granularity you are looking for is already available
in real life.


I am actually looking at things like SenderBase and SpamCop - how many spams were caught, how many emails sent, etc.

Additionally, as I mentioned above, I am looking into whether some standard format and protocol would ease the use of blacklists.

Yakov
-------
Yakov Shafranovich / asrg <at> shaftek.org
SolidMatrix Technologies, Inc. / research <at> solidmatrix.com
"I ate your Web page. / Forgive me. It was juicy / And tart on my tongue." (MIT's 404 Message)
-------
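The thread above turns on how querying software should interpret a DNSbl aggregate zone that returns several 127.0.0.0/8 A records, each with a list-specific meaning. The following is an added example, not code from either poster or from any real DNSbl: it decodes a constructed answer set against a hypothetical per-zone code table, ignores any answer outside 127.0.0.0/8 (so a stray or unrelated response cannot count as a listing), and builds the reversed-octet query name for an IPv4 client. The zone name and code meanings are placeholders.

```python
import ipaddress

# Hypothetical code table for one aggregate zone. Real zones publish
# their own codes, and as the thread notes they differ from list to list,
# so this mapping is per-zone configuration, not a standard.
ZONE_CODES = {
    "127.0.0.2": "open-relay",
    "127.0.0.3": "dialup-space",
    "127.0.0.4": "confirmed-spam-source",
    "127.0.0.10": "repeat-offender",
}
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")


def decode_dnsbl_answers(answers, codes=ZONE_CODES):
    """Interpret the A records returned for one DNSbl lookup.

    Returns (listed, reasons, unknown): `listed` is True only when at
    least one answer lies in 127.0.0.0/8; `reasons` maps each known code
    to its meaning; `unknown` holds valid codes the table does not cover,
    so an operator can spot a zone that added a new sub-list.
    Anything outside 127/8 (or not an IP at all) is skipped rather than
    treated as a listing.
    """
    reasons, unknown, listed = {}, [], False
    for raw in answers:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed answer, not a listing
        if addr not in DNSBL_NET:
            continue  # not a DNSbl response code, ignore it
        listed = True
        label = codes.get(str(addr))
        if label is None:
            unknown.append(str(addr))
        else:
            reasons[str(addr)] = label
    return listed, reasons, unknown


def reversed_query_name(client_ip, zone):
    """Build the DNSbl query name for an IPv4 address: octets reversed,
    followed by the zone (e.g. 10.2.0.192.<zone>). IPv4 only."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    # Constructed sample: two records from one aggregate-zone query.
    print(decode_dnsbl_answers(["127.0.0.2", "127.0.0.4"]))
```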

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg