ietf-asrg

Re: [Asrg] Reputation-based systems

2004-09-17 10:26:22
On Fri, Sep 17, 2004 at 05:21:22PM +0100, Tim Bedding wrote:
> Florian
>
> > These reputation-based systems have two significant problems: Its
> > participants can suddenly start sending vast amounts of spam, and it
> > hasn't to be their fault, really.  Maybe a hard-to-fix weakness in the
> > account generation procedure is exploited, or a software company has
> > distributed software with an easily exploited defect to a lot of
> > customers.  I'm not sure if you want to penalize such incidents, and
> > how you can still kick out the real non-compliers.
>
> Surely, it is not beyond the wit of man to design a system that
> monitors email sending and triggers a suspension when something
> suspicious occurs. Then an ISP or other body could be in good
> standing.


Sounds like time for a plug. ;)

I've been very quiet lately, because I've been killing myself trying to
finish an initial release of GOSSiP.  GOSSiP does more-or-less exactly
this:  It observes behavior, it rates behavior, it shares ratings with
others, it obtains ratings from others, and it also observes the
behavior of those sharing ratings.

Unlike commercial solutions, it's free (as in speech).  It's also free
as in beer for use -- no money changes hands, so there's no motivation
to bias results.  Even if results are biased, the checks and balances
built into the project allow those trying to cheat to be detected
quickly and marginalized.

I made the mistake the other day of mentioning a specific date for a
specific release event, which -- as always happens with such things --
came and went without the release event occurring.  However, I'm close
to a first release.  There's a working Postfix policy agent, written in
C, that communicates with a GOSSiP node via SSL.  There's a working
GOSSiP node, sans the peer communication code, which I'll be adding just
as soon as I finish hacking around an OpenSSL limitation I'm dealing
with.  There's a working feedback agent that automatically forwards the
spam rating from SpamAssassin to a GOSSiP node, also via SSL.

The main delay at this point is trying to add non-SSL functionality in
such a way that it won't require a major code rewrite, nor a major
architectural change.

As it now stands, it's an excellent standalone tool for tracking
reputation for incoming email; I've quickly built a database of several
tens of thousands of unique identities (in GOSSiP, an identity is the
connecting IP plus the RHS of the RFC2821 MAIL FROM: address), with a
history of spam/ham behavior, and a reputation score based on a
sigmoidal function.  The system also currently aggregates identities
when SPF is advertised for the domain part of the ID, allowing for
a single reputation across all senders associated with the SPF record
(which has come in surprisingly useful for catching spammers).

The URL's in my signature, and I could really use some active
programming contributions, if anyone's interested.
-- 
Mark C. Langston            GOSSiP Project          Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org   http://sufficiently-advanced.net    
mark(_at_)seti(_dot_)org
Systems & Network Admin      Distributed               SETI Institute
http://bitshift.org       E-mail Reputation       http://www.seti.org

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
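
An added sketch (not GOSSiP code, and not part of the original message) of the scheme the post describes: an identity is the connecting IP plus the right-hand side of MAIL FROM, identities collapse to the domain when it advertises SPF, and the score is a sigmoid over the spam/ham history. The logistic form, the `steepness` parameter, the `SPF_DOMAINS` set standing in for a DNS lookup, and all names and sample events are assumptions.

```python
import math
from collections import defaultdict

# Assumption: stand-in for a DNS lookup of which domains advertise SPF.
SPF_DOMAINS = {"example.com"}

def identity(client_ip, mail_from, spf_domains=SPF_DOMAINS):
    """Connecting IP + right-hand side of MAIL FROM, as the post defines it.
    Domains advertising SPF collapse to one identity across all senders."""
    domain = mail_from.strip("<>").rpartition("@")[2].lower()
    if domain and domain in spf_domains:
        return ("spf", domain)
    return (client_ip, domain)  # null sender "<>" yields an empty domain

class ReputationStore:
    def __init__(self, steepness=0.5):
        self.steepness = steepness  # hypothetical tuning parameter
        self.history = defaultdict(lambda: [0, 0])  # identity -> [ham, spam]

    def observe(self, client_ip, mail_from, is_spam):
        self.history[identity(client_ip, mail_from)][int(is_spam)] += 1

    def score(self, client_ip, mail_from):
        """Logistic score in (0, 1): 0.5 unknown, toward 0 spam, toward 1 ham."""
        ham, spam = self.history.get(identity(client_ip, mail_from), (0, 0))
        x = max(-50.0, min(50.0, self.steepness * (ham - spam)))  # avoid overflow
        return 1.0 / (1.0 + math.exp(-x))

# Constructed observations (documentation address ranges and domains).
EVENTS = [
    ("192.0.2.10", "<a@example.com>", True),
    ("192.0.2.11", "<b@example.com>", True),
    ("198.51.100.7", "<c@example.net>", False),
    ("198.51.100.7", "<c@example.net>", False),
]

def build_demo_store():
    store = ReputationStore()
    for ip, sender, is_spam in EVENTS:
        store.observe(ip, sender, is_spam)
    return store

if __name__ == "__main__":
    demo = build_demo_store()
    for ip, sender in [("203.0.113.5", "x@example.com"),
                       ("198.51.100.7", "c@example.net"),
                       ("203.0.113.5", "c@example.net")]:
        print(ip, sender, round(demo.score(ip, sender), 3))
```

The sketch keys aggregation on whether SPF is advertised, as the post states; it does not evaluate whether the connecting IP passes the record.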