ietf-asrg

Re: [Asrg] Re: Spam, why is it still a problem?

2006-01-17 20:04:22

On Jan 17, 2006, at 3:32 PM, Craig Cockburn wrote:

> Moving on then to the next stage, if these technologies are still deemed inadequate because of false positives or an unacceptable quantity of spam (+ phishing + viruses and worms etc) arriving then a global upgrade of email in some form needs to happen. Whilst I'm not denying this is a difficult job I don't think it's quite as hard as people make out. Especially for those people who find their legitimate email blocked they could easily be persuaded to join in some form of sender reputation based framework as there's something in it for them. e.g.
> http://mipassoc.org/dkim/specs/draft-allman-dkim-ssp-01.txt

I find it interesting one would equate protection from email blocking with SSP. While I could understand how the DKIM signature could be used for establishing a framework for reputation, I am at a loss how one could go about safely or fairly using SSP for this purpose. Indeed there are likely many who will try to use SSP in this manner. In which case, protecting reputations will likely require publishing closed policies. Closed policies 'o=!' would indicate no signatures, invalid signatures, or third-party signatures are indicative of messages not conforming to the policy referenced by the From email-address.

Closed policies will disrupt many email services, while the claimed protection will still be circumvented. This disruption may soon become problematic for the average user when a large domain offers higher ratings for messages containing email-addresses with an SSP policy. Of course, when the email-address does become abused, especially when the policy is open-ended, the natural reaction would then be to lower ratings for messages that contain the abused email-address. Some may consider the email-address domain owner to be culpable for their policy as justification for this strategy. SSP already sends complaints to the email-address domain owner, but not the signer. Of course, larger domains will likely be white-listed, as who would want to disrupt messages from millions of users. Nevertheless, the smaller domains may still need to respond by publishing a closed policy, even though this will disrupt many email services, such as posting to this list. :(

List-servers will then need to either replace the From email-address or add multiple From email-addresses in an attempt to overcome this limitation. In the end, the From email-address will less reflect who authored the message. Users in general may need to forgo the use of their smaller and more personable domains for an email-address provided by a larger domain. Although a larger domain may have a poor record of controlling abuse, these domains would still be able to offer an email policy compatible with current services with much less fear of being block-listed.

How is SSP a means to avoid having your email-address block-listed? It seems DKIM without SSP is the only sure method. Allow banks to publish closed policies if they wish. An email recipient or a top or second level domain provider will not relish label tree walking when every message initiates a new set of queries for these few policies. A commerce related accreditation list from an RSS feed could offer far greater value. The list could indicate domains like bigbank.com are trustworthy and always sign their email and online-bigbank.com are not trustworthy even though they too sign their messages and publish closed policies. The bottom line: only a verified source identifier offers a reasonable framework for reputation. SSP is not that framework.

-Doug
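The closed-policy behaviour Doug describes above, as an added example that is not part of the original post, the list, or the SSP draft: a small Python model of SSP evaluation showing how a message from a domain publishing 'o=!' is judged directly, after passing through a list-server that alters the body and adds its own signature, and after the list-server applies the From-replacement workaround. Policy tag values follow draft-allman-dkim-ssp-01 as I understand it (o=~ open-ended, o=- all mail signed, o=! closed with third-party signatures not accepted, o=. sends no mail); the in-memory record store, the .example domain names, the label walk that stops at the second-level domain, and the exact-match first-party rule are assumptions made for the illustration.

```python
"""Simplified Sender Signing Policy (SSP) evaluation, modelling the closed-policy
('o=!') behaviour discussed in the post above.

Added example: not code from the draft, the list, or the post's author.
Policy tag values follow draft-allman-dkim-ssp-01 as I understand it:
  o=~  open-ended (mail may be signed)        o=-  all mail is signed
  o=!  all mail signed, no third-party sigs   o=.  domain sends no mail
The record store, domain names, tree walk and first-party rule are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS TXT records at _policy._domainkey.<domain>.
POLICY_RECORDS: Dict[str, str] = {
    "_policy._domainkey.smallco.example": "o=!; r=abuse@smallco.example",  # closed
    "_policy._domainkey.bigmail.example": "o=~",                           # open-ended
    "_policy._domainkey.bigbank.example": "o=-",                           # all signed
}


@dataclass
class Signature:
    signer: str   # DKIM d= domain
    valid: bool   # result of verifying this signature


@dataclass
class Verdict:
    result: str                       # "conforming" or "non-conforming"
    policy: Optional[Dict[str, str]]  # parsed record, or None if none was found
    queries: List[str]                # DNS names a verifier would have to query
    report_to: Optional[str]          # r= tag: complaints go to the From domain, not the signer


def parse_policy(record: str) -> Dict[str, str]:
    """Split 'o=!; r=abuse@...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def lookup_policy(domain: str, records: Dict[str, str] = POLICY_RECORDS
                  ) -> Tuple[Optional[Dict[str, str]], List[str]]:
    """Walk labels toward the root (stopping at the second-level domain, an
    assumption) and return the first policy found plus every name queried."""
    queries: List[str] = []
    labels = domain.lower().split(".")
    while len(labels) >= 2:
        name = "_policy._domainkey." + ".".join(labels)
        queries.append(name)
        if name in records:
            return parse_policy(records[name]), queries
        labels = labels[1:]
    return None, queries


def evaluate(from_domain: str, signatures: List[Signature],
             records: Dict[str, str] = POLICY_RECORDS) -> Verdict:
    """Decide whether a message conforms to the From domain's SSP record."""
    policy, queries = lookup_policy(from_domain, records)
    mode = policy.get("o", "~") if policy else "~"   # no record: treat as open-ended
    valid = [s for s in signatures if s.valid]
    first_party = any(s.signer.lower() == from_domain.lower() for s in valid)
    if mode == "-":
        ok = bool(valid)      # any valid signature, third-party included
    elif mode == "!":
        ok = first_party      # only the From domain's own signature counts
    elif mode == ".":
        ok = False            # domain claims to send no mail at all
    else:
        ok = True             # "~" (or an unrecognised value): nothing required
    return Verdict("conforming" if ok else "non-conforming", policy, queries,
                   policy.get("r") if policy else None)


def relay_through_list(from_domain: str, signatures: List[Signature],
                       list_domain: str = "lists.example",
                       rewrite_from: bool = False) -> Tuple[str, List[Signature]]:
    """Model a list-server that edits the body (invalidating earlier signatures)
    and adds its own signature.  rewrite_from=True is the From-replacement
    workaround the post anticipates."""
    broken = [Signature(s.signer, False) for s in signatures]
    new_from = list_domain if rewrite_from else from_domain
    return new_from, broken + [Signature(list_domain, True)]


if __name__ == "__main__":
    direct = [Signature("smallco.example", True)]
    print("closed domain, direct:        ", evaluate("smallco.example", direct).result)
    print("closed domain, via list:      ", evaluate(*relay_through_list("smallco.example", direct)).result)
    print("closed domain, From rewritten:", evaluate(*relay_through_list("smallco.example", direct, rewrite_from=True)).result)
    open_direct = [Signature("bigmail.example", True)]
    print("open domain, via list:        ", evaluate(*relay_through_list("bigmail.example", open_direct)).result)
    print("queries for a subdomain:      ", lookup_policy("sub.smallco.example")[1])
```

Run as-is to see the four verdicts: the closed domain's post survives only when delivered directly or when the list replaces the From address, which is exactly the trade-off the post describes, while the open-ended domain passes through the list untouched. The queries list shows the per-message cost of the label walk that the post objects to.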


Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg