On Wed, Mar 10, 2004 at 07:54:09AM -0500, Yakov Shafranovich wrote:
> What aspects of the spam problem do these services
> (reputation/accreditation) propose to solve? What types of spam messages
> specifically do they address?

IMHO the idea behind reputation/accreditation works like this:

w1) gain a good reputation for the system by getting some people
with a good reputation to work for it or give their name for it.

w2) depending on the type of reputation system (whitelist
/ blacklist / neutral list) they try to use this information and,
e.g. in the case of whitelists, try to hand down their reputation.
It works like a web of trust: I trust the system so I trust
their statements.

w3) the problem arising is the quality of the system and the time and
effort they put into the validation process and keeping the information
up to date.
There are also external influences like legislation and political
pressure.

The problems these kinds of systems try to solve are IMHO

1) authentication
with the worth of their own reputation they try to build a trust
situation for the sender by providing some kind of certificate
like "this sender is really the sender he pretends to be".
This could also be done with TLS/CERTs but would require such
a cert for each and every mailserver (like we now have with
most HTTPS servers that want to offer authentication).
They kinda run a central authentication service instead of a
decentralized one and solve the problem for the admins of having their
MTAs talk TLS, which is not widely deployed currently.

2) policy
while the authentication information per se is neutral with regard
to good or bad, white or black, it is important for some receivers
to get a clue about the policies the sender adopts.
There have been proposals to allow the sender to communicate his
policies, however I don't know of any sending MTA communicating
policies. (Some receiving MTAs express policies in the initial
greeting like "220 mail.example.com no spam/UCE allowed").
There is something (roughly) similar for HTTP, called P3P
and PICS (Platform for Internet Content Selection)
http://www.w3.org/P3P/
http://www.w3.org/PICS/
The problem that still exists, even with publishing policies, is again
trust. Receivers wish to know whether they can trust the policies
published by the sender or if the sender simply is a liar.
This is the second area reputation/accreditation tries to help with:
they publish policies that senders promised to stick to and they
certify that the sender is not a liar.
But with w3) above there are problems with the correctness of this
information.

IMHO the problem these systems try to solve is not only spam but mainly
to provide values for a rating system (like SpamAssassin uses) to reduce the
number of false positives by allowing rather high scores to be applied, and
thus work like white/blacklists.

\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
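
The message above describes reputation data feeding a score-based filter, usable only once the sender is authenticated. The sketch below is an added example, not part of the original post or of any real filter; the rule list, domains, scores and threshold are all constructed for illustration.

```python
# Added illustration; every name, score and the threshold is constructed.
from dataclasses import dataclass

SPAM_THRESHOLD = 5.0  # assumed cut-off of the rating system

# Constructed content rules: (substring to look for, score added on match)
CONTENT_RULES = [("free", 2.0), ("click here", 2.5), ("unsubscribe", 1.0)]

# Constructed accreditation data: sender domain -> (published policy, score).
# A large negative score acts like a whitelist entry, a large positive
# score like a blacklist entry.
ACCREDITED = {
    "news.example.com": ("confirmed opt-in", -6.0),
    "bulk.example.net": ("policy violated", 6.0),
}

@dataclass
class Message:
    claimed_domain: str  # who the sender says it is
    authenticated: bool  # was that claim confirmed (point 1 in the post)?
    body: str

def content_score(msg):
    """Sum the scores of all content rules that match the body."""
    body = msg.body.lower()
    return sum(score for needle, score in CONTENT_RULES if needle in body)

def reputation_score(msg):
    """Reputation counts only for an authenticated sender; otherwise
    anyone could borrow an accredited name."""
    if not msg.authenticated:
        return 0.0
    _policy, score = ACCREDITED.get(msg.claimed_domain, (None, 0.0))
    return score

def classify(msg, use_reputation=True):
    """Return (verdict, total score) for a message."""
    total = content_score(msg)
    if use_reputation:
        total += reputation_score(msg)
    return ("spam" if total >= SPAM_THRESHOLD else "ham", total)

# Constructed sample: a legitimate newsletter that trips the content rules.
NEWSLETTER = "Free shipping this week, click here. To unsubscribe reply."

if __name__ == "__main__":
    legit = Message("news.example.com", True, NEWSLETTER)
    forged = Message("news.example.com", False, NEWSLETTER)
    print(classify(legit, use_reputation=False))  # content rules alone
    print(classify(legit))                        # with accreditation
    print(classify(forged))                       # name claimed, not proven
```
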