Dotzero <dotzero(_at_)gmail(_dot_)com> wrote:
On Mon, Jan 24, 2011 at 10:24 PM, Douglas Otis
<dotis(_at_)mail-abuse(_dot_)org> wrote:
On 1/24/11 6:14 PM, Dotzero wrote:
Doug, there are plenty of people with real world operational
experience that would disagree with you. ?You state that failing means
nothing and passing means nothing. If that is true, why are there a
significant number of implementers using this approach successfully?
Lack of better alternatives...
Defeating spam requires the reputation of SMTP clients be weighed for
rejection or acceptance!
Doug, could you share with us what reputation is?
Reputation (as the name implies) is a prediction of the likelihood of
near-future behavior.
As far the mailbox providers are concerned (that I have spoken with)
it is reduced to "What have you done to me today".
Perhaps... if nothing better is available...
The real question for a mailbox-provider is, "How much does the
mailbox customer want to see this?"
For practical reasons, it's usually reduced to, "How much does my
typical mailbox customer want to see this?" And that value is arbitrarily
cloe to zero for email that's part of a spam run. So once you have
identified a spam rum, you're likely to want to reject it all; and once
the spam run is ended, you're likely willing to let email through.
Their systems don't care whether you have had a good reputation for
the past 2 years.
As a practical matter, a 2-year-old good reputation doesn't say you
won't be compromised and start spewing spam.
If you start spewing badness today and you start generating complaints
today then you will be throttled or blocked.
Reputation systems, in principle, could have one-second update cycles.
They could, in principle, differentiate the end of a single spam run on
a botted computer from the computer being no longer botted.
Understandably, the "free" reputation services don't attempt that.
But that's a business model: not an inherent limitation.
If the time interval of reputation is that short then reputation
systems are not particularly useful as an absolute requirement for
defeating SPAM.
Day-old reputation information is still _somewhat_ useful. And, IMHO,
reputation _is_ an absolute requirement for defeating SPAM.
We do need to add something equivalent to "incident in progress,"
where SPAM is likely to be interspersed with HAM, but there's reason
to believe the SPAM will be purged from retry queues (and how long
that should take).
That's venturing into territory which presents challenges gathering
the information, absent what I call "vouching" services which are
given information about policies and procedures. The vouching services
(if trustworthy) can tell reputation services the estimated time to
repair a breach. (There are also a number of questions of trust, which
require customer relationships: for example, how much needs to be
sanitized in a SPAM report.)
So, IMHO, _standalone_ reputation services are necessary but far
from sufficient for defeating SPAM.
--
John Leslie <john(_at_)jlc(_dot_)net>
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg