we can consider DNSBLs as sources of reputation reports
If you consider a "table" a "chicken" you can claim a table lays eggs
but the benefits for doing this escape me...
DNSBLs are blacklists and usually have strict criteria for being
blacklisted. Trust is fudgy, it's not the black and white answer that a
DNSBL gives you.
That credentials can be stolen, or misappropriated tokens presented,
isn't relevant. Messages
claiming that identity will be associated with the poor reputation.
Excellent! Can I steal your credentials and use them to spam the world?
Sure, you'd eventually get a poor reputation and your Aunt's spam filter
would delete all your mail. You still want the filter to "know" that my
spam "indeed" belongs to you?
But back to your original question, the "point" would be that
reputation scores pertaining to authenticated
identities might be useful input to statistical (and heuristic)
filters.
Well it is easy to find out how effective these reputation scores are
considered by the filter from the weighting it assigns them. Why don't
you take an OSS anti-spam solution like SpamAssassin, implement this
reputation scheme, and tell us how it goes? Empirical data should be
the final arbiter.
You may feel that these filters are as good as they need to be - I
suspect that this won't always be true.
Of course statistical filters can get better! Although, personally, I am
starting to prefer simple methods like SURBL as long as performance is
not compromised.
Brian
-----Original Message-----
From: asrg-bounces(_at_)ietf(_dot_)org
[mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of
Jon Kyme
Sent: Friday, July 22, 2005 4:23 PM
To: ASRG
Subject: RE: [Asrg] Trust relationships etc.
Brian Azzopardi replied up here to something quoted way down there:
Yes of course. But what's the point?
Well, if you're interested...
Reputation schemes will only be effective if enough people implement
them,
Well no. For instance - we can consider DNSBLs as sources of reputation
reports pertaining to (usually) the source IP "identity". This identity
is not typically subject to any "authentication" since we normally think
of it as "practically unforgeable". Or a locally maintained blacklist,
even. We only need one or two participants in these simple reputation
schemes.
Generally of course, we'd expect reputation to become more useful as the
observation is wider (and deeper).
and it will still *not* solve a spamming zombied machine.
Depending on what identities we're collecting reputation scores for,
this need not be the case. A zombied machine will tend rapidly to lose
what good reputation it had.
Authentication is not an answer - we must assume that all data sent
from a zombied machine can be falsified and that authentication
details can be stolen.
I think you're missing the value of authentication. We'd like to "know"
that a message does indeed "belong" to the identity asserted (e.g. as
the "sender"). Then we can apply the reputation associated with that
identity when assessing the message. Or to put it another way; we'd
expect that the reputation for an *authenticated* identity would be a
*better* predictor (of future behaviour associated with that identity)
than would be the reputation of an unauthenticated identity.
If an authenticated identity is associated with a spam stream, I don't
care whether it's a zombie or a "real person". That credentials can be
stolen, or misappropriated tokens presented, isn't relevant. Messages
claiming that identity will be associated with the poor reputation.
Spam filtering has to be done on a per-message basis.
It certainly can be - but can also be done on other bases.
Messages are not simply isolated blocks of text. They're parts of a
stream (or body) of mail that has properties which may be worth
considering.
But back to your original question, the "point" would be that reputation
scores pertaining to authenticated identities might be useful input to
statistical (and heuristic) filters. You may feel that these filters are
as good as they need to be - I suspect that this won't always be true.
-----Original Message-----
From: asrg-bounces(_at_)ietf(_dot_)org
[mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf
Of Jon Kyme
Sent: Thursday, July 21, 2005 11:23 AM
To: ASRG
Subject: RE: [Asrg] Trust relationships etc.
Brian Azzopardi wrote:
More sophisticated
implementations can feed the filter other events such as IPs, dollar
amounts, appropriately processed time, etc.
And of course it's not hard to arrange for reputation and
authentication data to be input to statistical filtering - this is
easily done by adding appropriate headers. This is a general mechanism
for upstream entities to provide input to downstream filtering.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
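The header mechanism discussed in the thread above, as an added example that is not part of the original messages: an upstream relay stamps its authentication and reputation verdicts into headers, and a downstream naive Bayes filter treats each verdict as one more token, so the weight the filter learns for it can be inspected. The header names `X-Sender-Auth` and `X-Sender-Reputation`, the helper names, and the training corpus are assumptions constructed for illustration.

```python
import math
from collections import Counter
from email import message_from_string

# Hypothetical headers an upstream relay might add; not a standard.
UPSTREAM_HEADERS = ("X-Sender-Auth", "X-Sender-Reputation")

def tokens(raw):
    """Body words plus one token per upstream verdict header."""
    msg = message_from_string(raw)
    toks = {w.lower() for w in msg.get_payload().split()}
    for name in UPSTREAM_HEADERS:
        value = msg.get(name)
        if value:
            toks.add(f"{name.lower()}*{value.strip().lower()}")
    return toks

class NaiveBayes:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()

    def train(self, raw, label):
        self.docs[label] += 1
        self.counts[label].update(tokens(raw))

    def weight(self, tok):
        """Log likelihood ratio of a token (add-one smoothing); > 0 means spammy."""
        p_spam = (self.counts["spam"][tok] + 1) / (self.docs["spam"] + 2)
        p_ham = (self.counts["ham"][tok] + 1) / (self.docs["ham"] + 2)
        return math.log(p_spam / p_ham)

    def spam_probability(self, raw):
        logodds = math.log((self.docs["spam"] + 1) / (self.docs["ham"] + 1))
        logodds += sum(self.weight(t) for t in tokens(raw))
        return 1 / (1 + math.exp(-logodds))

def mail(auth, rep, body):
    return f"X-Sender-Auth: {auth}\nX-Sender-Reputation: {rep}\n\n{body}\n"

def build_filter():
    """Train on a small constructed corpus (sample data, not real mail)."""
    nb = NaiveBayes()
    for body in ("meeting notes attached", "lunch on friday", "see the draft agenda"):
        nb.train(mail("pass", "good", body), "ham")
    for body in ("cheap pills online", "win money now", "see cheap offer"):
        nb.train(mail("pass", "poor", body), "spam")
    return nb
```

With this corpus the same ambiguous body scores differently depending only on the upstream reputation header, and `weight()` shows how much the filter relies on each verdict token; the authentication token carries zero weight here because every training message passed authentication.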