On Mon, 12 Feb 2007, Matt Sergeant wrote:
On 9-Feb-07, at 9:03 PM, Douglas Otis wrote:
...
Publicly listed messages likely represent a sacrificial source. There
lies the rub. What happens when a spammer has an above average IQ? You're
listed, but we can show you why?
Do you have an objection to this point being a SHOULD? Clearly DNSBLs
maintain and even display audit trails and retain effectiveness. I'm lost
by your argument here. The point of this section is that an audit trail is
a valuable thing when there's a complaint about a listing, or some other
issue, so even if it's not public the audit trail really should exist.
An audit trail should exist. There are considerations not covered in this
draft about what can be made public. Those considerations should be
included. This could brace users when they hear something that they don't
want to hear. "I can't show you the message."
Good point. How about:
A DNSBL SHOULD maintain an audit trail for all listings and it is
RECOMMENDED that it is made publicly available in an easy to find
location, preferably on the DNSBL's web site. Please note that
making audit trail data public does not entail revealing all
information in the DNSBL administrator's possession relating to the
listing; e.g., a DNSBL administrator MAY make the audit trail data
selectively accessible in such a way as to not disclose information
that might assist spammers, such as the contents of an email received
by the DNSBL's spam trap.
Matt.
I think there is positive value in diversity of audit trail policy. If all
DNSBLs have no audit trail, then spammers can't listwash, but it is also
true that operators of websites and MTAs with security problems will not
receive useful information about what is going wrong, and this may
delay corrections. If for instance, a webmaster is responsible for
multiple web pages that generate email, and only one is defective, it
helps to know which one.
If some DNSBLs have detailed audit information available that will help
such sources, without giving spammers the ability to listwash all
spamtraps.
Since the best outcome is achieved by a mix of policies, it hardly seems
necessary to anoint one as "best".
Daniel Feenberg