ietf-asrg

Re: [Asrg] A question on trust and trust propagation.

2005-03-06 20:21:39
On 06/03/05 22:34 +0100, Peter J. Holzer wrote:
On 2005-03-06 01:10:55 +0530, Devdas Bhagat wrote:
The one really trustable bit of information in the entire SMTP
transaction is the IP address of the peer.
[...]
Hence, using a local IP based list of trusted IP addresses makes sense.
However, a question of being able to maintain that whitelist in a
reliable fashion arises. Also, being able to rapidly respond to new 
sending hosts is required. I had drafted up a proposal for a DNSBL which
would allow multiple sites to communicate their trust of different IP
addresses, and also allow site administrators to define trust level for
other domains. This proposal is sitting at 
http://nixcartel.org/~devdas/multisystem-protocol-proposal.txt
With some modifications, a trust propagation mechanism for
whitelisting/blacklisting IP addresses can be generated in a useful
fashion.

The main modification which would be necessary would be that
whitelisting information would have to be processed automatically, too.
Your current proposal explicitly forbids that.

The idea was to have the processing software summarize the whitelisting
records and send them to the admin in a form suitable for updating, with
a list of peers who think that a host should be whitelisted.
This was to prevent spammers from flooding the system with whitelisting
requests.


Maybe the information should not be a binary black/white, but a
probability/confidence value? "Mail from that IP is spam with a
probability of 99%" or something like that? For most IPs this will
usually be close to 0% or 100%, but it should be somewhere in between
if there are too few samples, or if the host is transitioning from bad
to good or vice versa.

Possibly. However, the only thing that I would like to be doing is either
accepting all mail from the host, or none of it. Rather than trying to
associate the IP with a probability, I am associating the signer with a
trust level. What this person says about this IP is likely to be 99%
true, etc. So you will need more peers before the system will even
prompt the administrator for whitelisting the host.

(I have to look at GOSSiP again - I think that was quite similar)

The core questions:
1> Should we be looking at trusting sending hosts, rather than trusting
sending domains/addresses?

Currently, yes. This may change as spammers move from direct-to-mx
sending to using the smarthost of the zombie, but even then the sending
host will be an entity which you can trust more (if the provider has
effective spam-prevention deployed) or less (if it hasn't).

Exactly.

Sender domains/addresses are currently completely useless as trustable
entities. SPF, DomainKeys etc. may change this, but I'm not optimistic.
Widespread use of cryptographic signatures together with a working PKI
would change it, but I'm not seeing that, either.

2> Is the method of propagation of trust (based on GPG keys) usable?

I think so, yes. My proposal for an "email web of trust"
(http://www.hjp.at/projekte/mail-wot/outline.rxml) also uses GPG keys.

Please ignore the usenet/email issues for now, the actual message
transmission format/medium is not relevant to the trust issue.

How large do you expect the messages to be? A complete record of all
Zombie IP-Addresses seen in the last month or so can easily be a few
million records.

I expect to see a large initial message, and then smaller hourly
messages. The hourly messages would be a few thousand lines at most,
during a bad spam run.

Devdas Bhagat

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
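
Added example, not part of the original thread or of either linked proposal: a sketch of the summarizing step discussed above, where signed whitelist records are weighted by a per-signer trust level and an IP is only proposed to the administrator once enough trusted peers vouch for it. The key IDs, trust values, threshold, the noisy-OR combining rule and the "any trusted blacklist vote blocks a proposal" rule are all assumptions made for illustration.

```python
from collections import defaultdict
from math import prod

# Assumed local policy: admin-assigned trust per signer key ID (0.0 to 1.0).
SIGNER_TRUST = {"KEY-A": 0.90, "KEY-B": 0.90, "KEY-C": 0.60}
PROMPT_THRESHOLD = 0.95   # assumed confidence needed before prompting the admin

# Constructed sample records: (signer key ID, IP, verdict). Signatures are
# assumed to have been verified with GPG before records reach this point.
REPORTS = [
    ("KEY-A", "192.0.2.10", "white"),
    ("KEY-B", "192.0.2.10", "white"),
    ("KEY-C", "192.0.2.20", "white"),
    ("KEY-C", "192.0.2.20", "white"),      # repeat from the same signer
    ("KEY-A", "192.0.2.30", "white"),
    ("KEY-B", "192.0.2.30", "black"),      # trusted peers disagree
] + [(f"KEY-X{i}", "203.0.113.5", "white") for i in range(500)]  # flood, unknown keys


def summarize(reports, trust, threshold):
    """Return whitelist proposals for the admin; nothing is applied automatically."""
    votes = defaultdict(lambda: {"white": set(), "black": set()})
    for signer, ip, verdict in reports:
        # Unknown signers carry zero trust, so a flood of them is ignored.
        if trust.get(signer, 0.0) > 0.0 and verdict in ("white", "black"):
            votes[ip][verdict].add(signer)   # set: one vote per signer per IP
    proposals = []
    for ip, v in sorted(votes.items()):
        if v["black"] or not v["white"]:
            continue                         # assumed rule: a trusted blacklist vote blocks
        # Noisy-OR (assumed): chance that at least one vouching signer is right.
        confidence = 1.0 - prod(1.0 - trust[s] for s in v["white"])
        if confidence >= threshold:
            proposals.append({"ip": ip, "peers": sorted(v["white"]),
                              "confidence": round(confidence, 4)})
    return proposals


if __name__ == "__main__":
    for p in summarize(REPORTS, SIGNER_TRUST, PROMPT_THRESHOLD):
        print(f"propose whitelist {p['ip']}: vouched by {', '.join(p['peers'])} "
              f"(confidence {p['confidence']})")
```

With the constructed input, only 192.0.2.10 reaches the administrator: a single 0.90 signer falls short of the threshold, repeated records from one signer count once, and the 500 records from unknown keys contribute nothing.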