Re: MASS Security Review document

I don't know about you, but I would rather that people respond by
stopping the outgoing spam run than by running around and trying to
unsign mail that's likely already been received.


John, you seem to be insisting reputations should be based solely upon
the weaker IP address, rather than considering use of a signature for
this purpose.


I don't understand why you're bringing up IP addresses.  None of my
messages have even mentioned them, and I don't see any connection between
mail signatures and IPs.  If a domain signs a lot of good mail, it'll have
a good reputation.  If it signs a lot of spam, it'll have a bad
reputation.  No IPs are needed or even helpful, and as we'll see later,
revocation doesn't help manage reputations.

- With a valid signature, when there is abuse, there is little doubt
  which domain is accountable.


Right.

- With a signature and a revocation identifier, less effort is needed to
  locate a problematic account.


Senders can and do put tokens in their messages now to identify their
users.  Revocation IDs don't give them anything new here.

- With a signature and a revocation identifier, cessation of abuse can
  be comparable to closing an account.


Not at all.  Revocation says "yes, we signed this mail but now we're sorry
we did."  Closing an account means that it doesn't send any more mail.
The two aren't even similar.

The more I think about revocation IDs, the more certain I am that they're
a bad idea since their sole utility is to allow sending domains to play
games with the mail they send.  If I were a spammer, I'd sign all my spam,
blast it out, wait 10 minutes for most of it to be delivered, then revoke
it all. How can a recipient tell that from an ISP that only revokes a
little bit of its mail?

The spam would all go through, then later analysis would tend to say, oh,
must have been a bad user.  Recipients have to figure out which senders
are really ISPs and which are spam factories who only claim to have
customers.  We've already been through these games, and I see no reason to
invent technology that helps spammers do another round of it.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet 
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.

<Prev in Thread]	Current Thread	[Next in Thread>
Re: MASS Security Review document, (continued) Re: MASS Security Review document, John R Levine Re: MASS Security Review document, Jim Fenton Re: MASS Security Review document, John R Levine Re: MASS Security Review document, Jim Fenton Re: MASS Security Review document, John R Levine Re: MASS Security Review document, Douglas Otis Re: MASS Security Review document, Jim Fenton Re: MASS Security Review document, Douglas Otis Re: MASS Security Review document, John Levine Re: MASS Security Review document, Douglas Otis Re: MASS Security Review document, John R Levine <= Re: MASS Security Review document, Douglas Otis Re: MASS Security Review document, Tony Finch Re: MASS Security Review document, domainkeys-feedbackbase01 Re: MASS Security Review document, william(at)elan.net Re: MASS Security Review document, Justin Mason Re: MASS Security Review document, Douglas Otis Re: MASS Security Review document, Douglas Otis Re: MASS Security Review document, John R Levine Re: MASS Security Review document, Tony Finch Re: MASS Security Review document, John R Levine

Previous by Date:	Re: MASS Security Review document, william(at)elan.net
Next by Date:	Re: MASS Security Review document, John R Levine
Previous by Thread:	Re: MASS Security Review document, Douglas Otis
Next by Thread:	Re: MASS Security Review document, Douglas Otis
Indexes:	[Date] [Thread] [Top] [All Lists]