Re: [Asrg] Re: Spam, why is it still a problem?
2006-01-17 20:04:22
On Jan 17, 2006, at 3:32 PM, Craig Cockburn wrote:

> Moving on then to the next stage, if these technologies are still
> deemed inadequate because of false positives or an unacceptable
> quantity of spam (+ phishing + viruses and worms etc) arriving
> then a global upgrade of email in some form needs to happen. Whilst
> I'm not denying this is a difficult job I don't think it's quite as
> hard as people make out. Especially for those people who find their
> legitimate email blocked they could easily be persuaded to join in
> some form of sender reputation based framework as there's something
> in it for them. e.g.
> http://mipassoc.org/dkim/specs/draft-allman-dkim-ssp-01.txt

I find it interesting one would equate protection from email blocking
with SSP. While I could understand how the DKIM signature could be
used for establishing a framework for reputation, I am at a loss how
one could go about safely or fairly using SSP for this purpose.

Indeed there are likely many who will try to use SSP in this manner.
In which case, protecting reputations will likely require publishing
closed policies. Closed policies 'o=!' would indicate no signatures,
invalid signatures, or third-party signatures are indicative of
messages not conforming to the policy referenced by the From
email-address.

Closed policies will disrupt many email services, while the claimed
protection will still be circumvented. This disruption may soon
become problematic for the average user when a large domain offers
higher ratings for messages containing email-addresses with an SSP
policy. Of course, when the email-address does become abused,
especially when the policy is open-ended, the natural reaction would
then be to lower ratings for messages that contain the abused
email-address. Some may consider the email-address domain owner to be
culpable for their policy as justification for this strategy. SSP
already sends complaints to the email-address domain owner, but not
the signer. Of course, larger domains will likely be white-listed,
as who would want to disrupt messages from millions of users.
Nevertheless, the smaller domains may still need to respond by
publishing a closed policy, even though this will disrupt many email
services, such as posting to this list. : (

List-servers will then need to either replace the From email-address
or add multiple From email-addresses in an attempt to overcome this
limitation. In the end, the From email-address will less reflect who
authored the message. Users in general may need to forgo the use of
their smaller and more personable domains for an email-address
provided by a larger domain. Although a larger domain may have a
poor record of controlling abuse, these domains would still be able to
offer an email policy compatible with current services with much less
fear of being block-listed.

How is SSP a means to avoid having your email-address block-listed?
It seems DKIM without SSP is the only sure method. Allow banks to
publish closed policies if they wish. An email recipient or a top or
second level domain provider will not relish label tree walking
when every message initiates a new set of queries for these few
policies. A commerce related accreditation list from an RSS feed
could offer far greater value. The list could indicate domains like
bigbank.com are trustworthy and always sign their email and
online-bigbank.com are not trustworthy even though they too sign their
messages and publish closed policies. The bottom-line, only a
verified source identifier offers a reasonable framework for
reputation. SSP is not that framework.

-Doug
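
Added example (not part of the message above, and not code from the SSP draft): a small Python model of the closed policy 'o=!' as the message describes it, showing why a post relayed through a list-server stops conforming and how many policy lookups a label tree walk generates per message. The `_policy._domainkey` prefix, the exact-match domain comparison, the walk up to the top-level label, and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Signature:
    d: str       # signing domain claimed by the DKIM signature
    valid: bool  # outcome of cryptographic verification at the receiver


def from_domain(from_addr: str) -> str:
    return from_addr.rsplit("@", 1)[1].lower()


def conforms_to_closed_policy(from_addr: str, sigs: List[Signature]) -> bool:
    """Closed policy as described in the message: no signature, an invalid
    signature, or only a third-party signature means non-conforming."""
    dom = from_domain(from_addr)
    # Assumption: "first-party" means the signing domain equals the From domain.
    return any(s.valid and s.d.lower() == dom for s in sigs)


def policy_query_names(from_addr: str, prefix: str = "_policy._domainkey") -> List[str]:
    """DNS names a receiver would query when walking the label tree upward.
    Assumption: one lookup per label, ending at the top-level label."""
    labels = from_domain(from_addr).split(".")
    return [prefix + "." + ".".join(labels[i:]) for i in range(len(labels))]


# Constructed scenarios for a small domain that publishes a closed policy.
AUTHOR = "alice@small.example"
DIRECT = [Signature("small.example", True)]
# The list-server altered the message (author signature no longer verifies)
# and added its own third-party signature.
VIA_LIST = [Signature("small.example", False), Signature("lists.example", True)]
# Workaround named in the message: the list replaces the From address.
REWRITTEN_FROM = "discuss@lists.example"

if __name__ == "__main__":
    print("direct:", conforms_to_closed_policy(AUTHOR, DIRECT))
    print("via list:", conforms_to_closed_policy(AUTHOR, VIA_LIST))
    print("From rewritten:", conforms_to_closed_policy(REWRITTEN_FROM, VIA_LIST))
    for name in policy_query_names("alice@mail.small.example"):
        print("query:", name)
```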