ietf-asrg

RE: [Asrg] Trust relationships etc.

2005-07-22 07:23:26
Brian Azzopardi replied up here to something quoted way down there:

> Yes of course. But what's the point?


Well, if you're interested...

> Reputation schemes will only be effective if enough people implement
> them,

Well no. For instance - we can consider DNSBLs as sources of reputation
reports pertaining to (usually) the source IP "identity". This identity is
not typically subject to any "authentication" since we normally think of it
as "practically unforgeable". Or a locally maintained blacklist, even. We
only need one or two participants in these simple reputation schemes.
Generally of course, we'd expect reputation to become more useful as the
observation is wider (and deeper).

> and it will still *not* solve a spamming zombied machine.

Depending on what identities we're collecting reputation scores for, this
need not be the case. A zombied machine will tend rapidly to lose what
good reputation it had.

> Authentication is not an answer - we must assume that all data sent from
> a zombied machine can be falsified and that authentication details can
> be stolen.



I think you're missing the value of authentication. We'd like to "know"
that a message does indeed "belong" to the identity asserted (e.g. as the
"sender"). Then we can apply the reputation associated with that identity
when assessing the message. Or to put it another way; we'd expect that the
reputation for an *authenticated* identity would be a *better* predictor
(of future behaviour associated with that identity) than would be the
reputation of an unauthenticated identity.

If an authenticated identity is associated with a spam stream, I don't care
whether it's a zombie or a "real person". That credentials can be stolen,
or misappropriated tokens presented, isn't relevant. Messages claiming that
identity will be associated with the poor reputation.

> Spam filtering has to be done on a per-message basis.


It certainly can be - but can also be done on other bases.
Messages are not simply isolated blocks of text. They're parts of a stream
(or body) of mail that has properties which may be worth considering.

But back to your original question, the "point" would be that reputation
scores pertaining to authenticated identities might be useful input to
statistical (and heuristic) filters. You may feel that these filters are as
good as they need to be - I suspect that this won't always be true.



-----Original Message-----
From: asrg-bounces(_at_)ietf(_dot_)org 
[mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of
Jon Kyme
Sent: Thursday, July 21, 2005 11:23 AM
To: ASRG
Subject: RE: [Asrg] Trust relationships etc.

Brian Azzopardi wrote:
> More sophisticated
> implementations can feed the filter other events such as IPs, dollar
> amounts, appropriately processed time, etc.

And of course it's not hard to arrange for reputation and authentication
data to be input to statistical filtering - this is easily done by
adding appropriate headers. This is a general mechanism for upstream
entities to provide input to downstream filtering.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
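
An added example, not part of the original thread: one way the header mechanism discussed above can feed a statistical filter, with reputation applied only to identities that an upstream MTA reports as authenticated. It assumes the upstream verdict arrives in an `Authentication-Results` header; the authserv-id `mx.example.net`, the reputation table, the thresholds and the sample messages are all constructed for illustration.

```python
import email
from email import policy

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own border MTA
# Constructed reputation table keyed by authenticated domain (0.0 bad .. 1.0 good).
REPUTATION = {"good.example": 0.95, "zombie.example": 0.05}

def authenticated_domains(msg):
    """Domains that passed SPF or DKIM according to our own MTA's header.
    Simplified parser: handles 'method=result ptype.property=value' clauses only."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(value).partition(";")
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue  # not written by our MTA, may be sender-supplied: ignore it
        for result in results.split(";"):
            fields = dict(f.split("=", 1) for f in result.split() if "=" in f)
            if fields.get("spf") == "pass" and "smtp.mailfrom" in fields:
                domains.add(fields["smtp.mailfrom"].rpartition("@")[2].lower())
            if fields.get("dkim") == "pass" and "header.d" in fields:
                domains.add(fields["header.d"].lower())
    return domains

def bucket(score):
    """Coarse buckets so the filter sees a handful of stable tokens."""
    if score is None:
        return "unknown"
    return "good" if score >= 0.7 else "poor" if score <= 0.3 else "mixed"

def reputation_tokens(raw_message):
    """Extra tokens to hand to a statistical filter alongside the body tokens."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domains = authenticated_domains(msg)
    if not domains:
        return ["auth:none"]  # no reputation is applied to an unproven identity
    tokens = []
    for d in sorted(domains):
        tokens += [f"auth:{d}", f"rep:{bucket(REPUTATION.get(d))}"]
    return tokens

# Constructed samples: a trusted verdict, and a header injected by the sender.
SAMPLE_ZOMBIE = ("Authentication-Results: mx.example.net; spf=pass "
                 "smtp.mailfrom=bob@zombie.example\nSubject: hi\n\nbody\n")
SAMPLE_FORGED = ("Authentication-Results: evil.example; dkim=pass "
                 "header.d=good.example\nSubject: hi\n\nbody\n")
```

The second sample shows why the downstream filter must check who wrote the header: a sender-supplied verdict claiming a well-regarded domain yields only `auth:none`.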