David MacQuigg <dmquigg-clear(_at_)yahoo(_dot_)com> wrote:
> A question has come up regarding the reliability of domain ratings to be
> used in a system like CSV-DNA. The worry is that spammers will game the
> system, and reputation scores will be of so little value that they can't
> even be used as input to a spam filter.
There's a certain amount of hand-waving involved...
We have stated that Accreditation Services must publish ratings; and
that Reputation Services must have access to them. We expect that
Reputation Services will rate the Accreditation Services, and use that
as one input to their reputation reports for domains.
We specifically allow for encoded information being published by
Accreditation Services, the meaning of which will only become apparent
if there are prior arrangements between the services.
We make no attempt to limit the other inputs which services may use
to evaluate domains.
> The scenario I have in mind is a spammer trying to raise his reputation
> score by sending huge quantities of bogus mail to collaborating
> recipients. It seems like a good rating service should be able to detect
> that situation by looking for unusual patterns in the statistics, e.g.
> millions of emails with no complaints to just a few bogus domains, and
> 100% spam to domains that have no bogus recipients.
It is likely (IMHO, but not any part of the spec) that Accreditation
Services will heavily depend upon contracts with the domains they rate,
which require some particular actions triggered by abuse reports. No
amount of good emails will eliminate those requirements. Generating
huge quantities of bogus email might reduce the perceived severity of
each abuse complaint, but would entail expenses.
Likewise (same disclaimer) Reputation Services will depend heavily
on reports by receiving SMTP servers they have reason to trust. No amount
of bogus email to untrusted domains will have much effect on their ratings.
To hide the spam, bogus flows would have to be really huge, and evenly
distributed to each victim domain.
Huge flows _would_ be hugely expensive; and would likely be perceived
as abusive by the recipient domains. IMHO, the whole rating structure
will pay far more attention to abuse reports than is now common.
> Maybe there are some other tricks I can't think of. Are you confident a
> widely-used domain-rating system could be defended?
Doug Otis could answer that better than I. In essence, defensibility
depends upon documenting items of clear meaning. We have assigned clear
meaning to SRV publication, and such things should be reasonably easy
to document. Abuse, of course, is in the eye of the beholder; but it's
enough to document the existence of abuse reports, being prepared to
prove how the reports were received and a likelihood that the abuse
reports came from "trustworthy" sources (which does not mean that they
must be "reasonable").
So, I'm reasonably confident. Doug can speak for himself...
--
John Leslie <john(_at_)jlc(_dot_)net>
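The following is an added illustration, not part of the thread above and not code from the CSV-DNA specification or either author. It puts the two defences discussed in the exchange into a toy reputation scorer: complaint rates are computed only over receiving domains the service trusts (weighted by that trust), so bogus volume to unknown domains cannot dilute them, and a sender is flagged when most of its volume goes to a few untrusted, never-complaining domains while trusted receivers report it as spam. All domain names, trust weights and traffic counts are constructed for the example.

```python
"""Toy sender-reputation scorer (added example, not part of the thread).

Defences it implements, as described in the exchange:
  1. complaint rates are computed only over receivers the service trusts,
     weighted by how much it trusts them, so mail to unknown domains does
     not dilute the score;
  2. a sender whose volume is concentrated in a few untrusted,
     never-complaining domains while trusted receivers report it as spam
     is flagged as a likely inflation attempt.
All domains, trust weights and counts below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Aggregate traffic from one sending domain to one receiving domain."""
    sender: str
    rcpt_domain: str
    messages: int
    complaints: int


# Hypothetical trust the reputation service places in each receiver's abuse
# reports. Domains absent from the table are untrusted (weight 0.0).
TRUST = {
    "bigisp.example": 1.0,
    "university.example": 0.9,
    "smallshop.example": 0.5,
}

# Constructed sample: "bulk.example" floods two collaborator domains with
# complaint-free mail while real receivers report almost all of it as spam;
# "news.example" is an ordinary low-complaint sender.
FLOWS = [
    Flow("bulk.example", "bogus1.example", 2_000_000, 0),
    Flow("bulk.example", "bogus2.example", 1_500_000, 0),
    Flow("bulk.example", "bigisp.example", 10_000, 9_000),
    Flow("bulk.example", "university.example", 5_000, 4_800),
    Flow("news.example", "bigisp.example", 50_000, 10),
    Flow("news.example", "university.example", 20_000, 5),
    Flow("news.example", "smallshop.example", 1_000, 0),
]


def naive_complaint_rate(flows, sender):
    """Complaints / messages over all receivers: the gameable metric."""
    msgs = sum(f.messages for f in flows if f.sender == sender)
    compl = sum(f.complaints for f in flows if f.sender == sender)
    return compl / msgs if msgs else None


def trusted_complaint_rate(flows, sender):
    """Complaint rate over trusted receivers only, weighted by trust.

    Mail to domains with trust 0.0 contributes nothing, so bogus volume
    cannot dilute the score. Returns None if no trusted receiver saw the sender.
    """
    w_msgs = w_compl = 0.0
    for f in flows:
        if f.sender != sender:
            continue
        t = TRUST.get(f.rcpt_domain, 0.0)
        w_msgs += t * f.messages
        w_compl += t * f.complaints
    return w_compl / w_msgs if w_msgs else None


def inflation_signals(flows, sender, share_threshold=0.8,
                      max_collaborators=5, spam_threshold=0.5):
    """Statistics a rating service could use to spot collaborator inflation.

    The pattern: most of the volume goes to a handful of untrusted domains
    that never complain, while trusted receivers report near-pure spam.
    Thresholds are arbitrary illustrative values.
    """
    per_domain = defaultdict(lambda: [0, 0])   # domain -> [messages, complaints]
    for f in flows:
        if f.sender == sender:
            per_domain[f.rcpt_domain][0] += f.messages
            per_domain[f.rcpt_domain][1] += f.complaints
    total = sum(m for m, _ in per_domain.values())
    untrusted = {d: v for d, v in per_domain.items()
                 if TRUST.get(d, 0.0) == 0.0}
    untrusted_msgs = sum(m for m, _ in untrusted.values())
    untrusted_compl = sum(c for _, c in untrusted.values())
    trusted_rate = trusted_complaint_rate(flows, sender) or 0.0
    share = untrusted_msgs / total if total else 0.0
    return {
        "untrusted_share": share,
        "untrusted_domains": len(untrusted),
        "untrusted_complaints": untrusted_compl,
        "trusted_rate": trusted_rate,
        "suspicious": (share >= share_threshold
                       and len(untrusted) <= max_collaborators
                       and untrusted_compl == 0
                       and trusted_rate >= spam_threshold),
    }


if __name__ == "__main__":
    for s in ("bulk.example", "news.example"):
        print(s, naive_complaint_rate(FLOWS, s),
              trusted_complaint_rate(FLOWS, s), inflation_signals(FLOWS, s))
```

Run as a script, it shows the point of the argument: the naive rate for the flooding sender is well under 1% (the bogus volume swamps the complaints), while the trust-weighted rate is over 90% and the inflation check fires; the ordinary sender scores low on both and is not flagged. A real service would also want the per-receiver volumes themselves to count as an abuse signal, since the thread notes that floods of this size would likely be reported as abusive by the recipient domains.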