ietf-asrg

Re: [Asrg] Re: per recipient status

2007-01-25 16:54:35
On Thu, 25 Jan 2007, Martin Hannigan wrote:
On 1/25/07, Tony Finch <dot(_at_)dotat(_dot_)at> wrote:
"Martin Hannigan" <hannigan(_at_)gmail(_dot_)com> wrote:

If I had to pick a technology priority to pique my interest for '07,
that I would
consider proposing as a spending item to "make mail better", it would
be centered around IP reputation.

DNS blacklists have been around for a decade.

"IP reputation" is a different concept than black list.

In what way? You seem to imply that because reputation is complicated,
that necessarily implies a complicated protocol. DNS blacklists
individually give you a binary good/bad result for each IP address or
domain name, but exactly what they mean by good or bad is subtle and
depends on the blacklist, not the protocol. It is wrong to assume that the
simplicity of the DNS blacklist protocol means that DNS blacklist
semantics are simple.

By tracking the historical behavior of /32's or larger allocations, we
could develop a profile of the behaviors that will eventually establish
a baseline for those allocations as "good", "neutral" or "bad", to keep
it kind of simple. A lot of this data is already out there.

Yes, blacklists do this already, though they are binary not ternary.

Take the case of 60 /8 (IIRC). It was allocated to APNIC by IANA and
almost immediately spammers began unauthorized advertisements of
prefixes high in this block, "politely" staying ahead of the RIR
allocations, but using them as "fresh" address space. In a reputation
system, those blocks would likely be marked bad since they are
unallocated at the RIR level. Since they are allocated out of IANA, they
would be legitimate to most RBL's until they were caught in the act, but
by the time they are observed, the allocations are swapped.

You are assuming that blacklists are necessarily based on post-hoc
observation of the outgoing email behaviour of IP addresses, and that there
are no blacklists that are based on prior information such as allocations
and hijacking. However, you are wrong: an old example is the DUL, but for
something closer to what you have in mind, have a look at
http://www.completewhois.com/bogons/bogons_usage.htm

It's worth noting that the existing RHSBL support in MTAs and anti-spam
software is good enough to be used for reputation lookups for DKIM. What
is difficult is gathering the data to create a blacklist or whitelist for
domains in DKIM signatures. This is really hard: it is very difficult to
maintain an IP DNSBL that is both effective against spam and has a low
false-positive rate, and I expect it to take a long time before there is
enough operational experience to do the same for DKIM.

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
ROCKALL MALIN: NORTHWEST 4 OR 5, OCCASIONALLY 6. MODERATE OR ROUGH. OCCASIONAL
RAIN. MODERATE OR GOOD.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
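The thread turns on two points about the DNSBL protocol: a lookup is a plain DNS query whose answer is binary (listed or NXDOMAIN), and the meaning of the 127.0.0.x return code is defined by the list operator, not the protocol; the same mechanism reused with a domain name on the left (an RHSBL) is what Tony says could serve reputation lookups for DKIM signing domains. The following is an added example written for this page, not code from the thread or from any list operator: it builds the IP-reversed DNSBL query name and the RHSBL query name for the d= domain of a DKIM-Signature header, and interprets answers against a per-list code table. The zones dnsbl.example and rhsbl.example, the FAKE_DNS answers and the return-code meanings are all constructed so the block runs offline; a real client would issue these names to a resolver.

```python
"""DNSBL and RHSBL lookup logic with a constructed stand-in for DNS.

Added example; the zones, answers and return-code meanings are invented."""
import ipaddress
import re

# Constructed stand-in for DNS: query name -> A records the list would return.
# Real lists answer 127.0.0.x; what each code means is list-specific.
FAKE_DNS = {
    "4.3.2.203.dnsbl.example": ["127.0.0.2"],        # listed: spam source
    "9.8.7.192.dnsbl.example": ["127.0.0.3"],        # listed: dynamic address
    "spammer.example.rhsbl.example": ["127.0.0.2"],  # listed signing domain
}

# Per-list meaning of return codes (assumed here; an operator publishes its own).
RETURN_CODE_MEANING = {
    "dnsbl.example": {"127.0.0.2": "spam source", "127.0.0.3": "dynamic address"},
    "rhsbl.example": {"127.0.0.2": "domain seen signing spam"},
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """IPv4 octets in reverse order, then the list zone, e.g. 4.3.2.203.zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def rhsbl_query_name(domain: str, zone: str) -> str:
    """The domain itself (lower-cased, no trailing dot), then the list zone."""
    return domain.rstrip(".").lower() + "." + zone


def dkim_signing_domain(header_value: str):
    """Return the d= tag of a DKIM-Signature header value, or None if absent."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", header_value)
    return m.group(1).lower() if m else None


def lookup(name: str, resolver=FAKE_DNS):
    """The protocol answer is binary: A records if listed, None for NXDOMAIN."""
    return resolver.get(name)


def interpret(zone: str, records):
    """Map return codes to the list's documented meanings; unknown codes are
    flagged rather than guessed, since the semantics belong to the list."""
    table = RETURN_CODE_MEANING.get(zone, {})
    return [table.get(r, "unknown code " + r) for r in records]


def check_ip(ip: str, zone: str, resolver=FAKE_DNS) -> dict:
    """Look an IPv4 address up in one DNSBL zone."""
    records = lookup(dnsbl_query_name(ip, zone), resolver)
    if records is None:
        return {"listed": False}
    return {"listed": True, "codes": records, "meaning": interpret(zone, records)}


def check_dkim_domain(header_value: str, zone: str, resolver=FAKE_DNS) -> dict:
    """Look the DKIM signing domain up in one RHSBL zone."""
    domain = dkim_signing_domain(header_value)
    if domain is None:
        return {"listed": False, "domain": None}
    records = lookup(rhsbl_query_name(domain, zone), resolver)
    if records is None:
        return {"listed": False, "domain": domain}
    return {"listed": True, "domain": domain, "codes": records,
            "meaning": interpret(zone, records)}


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_ip("203.2.3.4", "dnsbl.example"))
    print(check_ip("192.0.2.1", "dnsbl.example"))
    sig = "v=1; a=rsa-sha256; d=spammer.example; s=sel; h=from:to; bh=abc; b=xyz"
    print(check_dkim_domain(sig, "rhsbl.example"))
```

Note that the code table is keyed by zone: the same 127.0.0.2 answer means "spam source" in one list and "domain seen signing spam" in the other, which is exactly the point that the simplicity of the wire protocol says nothing about the simplicity of a list's semantics.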