ietf-asrg

Re: [Asrg] Re: DNSBL BCP v.2.0

2007-02-12 13:15:41


On Mon, 12 Feb 2007, Matt Sergeant wrote:

On 9-Feb-07, at 9:03 PM, Douglas Otis wrote:


...
Publicly listed messages likely represent a sacrificial source. There lies the rub. What happens when a spammer has an above-average IQ? You're listed, but we can show you why?

Do you have an objection to this point being a SHOULD? Clearly DNSBLs maintain and even display audit trails and retain effectiveness. I'm lost by your argument here. The point of this section is that an audit trail is a valuable thing when there's a complaint about a listing, or some other issue, so even if it's not public the audit trail really should exist.

An audit trail should exist. There are considerations not covered in this draft about what can be made public. Those considerations should be included. This could brace users when they hear something that they don't want to hear. "I can't show you the message."

Good point. How about:

 A DNSBL SHOULD maintain an audit trail for all listings and it is
 RECOMMENDED that it is made publicly available in an easy to find
 location, preferably on the DNSBL's web site.  Please note that
 making audit trail data public does not entail revealing all
 information in the DNSBL administrator's possession relating to the
 listing; e.g., a DNSBL administrator MAY make the audit trail data
 selectively accessible in such a way as to not disclose information
 that might assist spammers, such as the contents of an email received
 by the DNSBL's spam trap.

Matt.




I think there is positive value in diversity of audit trail policy. If all DNSBLs have no audit trail, then spammers can't listwash, but it is also true that operators of websites and MTAs with security problems will not receive useful information about what is going wrong, and this may delay corrections. If, for instance, a webmaster is responsible for multiple web pages that generate email, and only one is defective, it helps to know which one.

If some DNSBLs have detailed audit information available that will help such sources, without giving spammers the ability to listwash all spamtraps.

Since the best outcome is achieved by a mix of policies, it hardly seems necessary to anoint one as "best".

Daniel Feenberg


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
