On 6/18/04 9:05 PM, Hallam-Baker, Phillip sent forth electrons to convey:
> I think that there is a good case for tying reputation to a domain.
> But not having actually solved the problem yet (the spam is still
> with us), I am not going to argue against tying accreditation or
> reputation to a finer granularity.
> I think it is very likely that marketing@anybank.com is going to
> be in a different reputation category than
> jane.doe@anybank.com.
I was thinking more about granularity. I think changing granularity from
the domain level essentially introduces several security flaws into the
system.
If I were running a reputation service, I'd be very reluctant to make it
possible for the above emails to have separate reputations, or to allow
marketing.anybank.dom and billing.anybank.com to have separate
reputations. I'd end up playing whack-a-mole if I wasn't extremely
careful; email addresses and subdomains are free. I'd *have to* charge
for such entries, even if I wanted to run a free service, for it not to
be fundamentally broken.
Other whack-a-mole security flaw scenarios this would enable: spam run
begins, authorized by spammer.dom. SPF record of spammer.dom is changed
to redirect from one throwaway, or ?all domain to another, as soon as
each is blacklisted. Makes much more sense to blacklist spammer.dom.
In other words, (in SPF terms), reputation MUST be tied to
<responsible-sender>. It may in addition be tied to <current-domain>.
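An added illustration of the keying rule argued above, not code from anyone in this thread. It derives a reputation key from the registrable domain of the responsible sender, so mailboxes, subdomains and SPF "redirect=" targets under the same domain all collapse onto one entry, and a blocklist entry for spammer.dom keeps matching no matter which throwaway domain its record currently redirects to. The DNS table, the domain names and IPs, the two-label domain collapse and the redirect bound are all constructed assumptions for the example; a real implementation would query DNS and use the Public Suffix List.

```python
"""Constructed example: key sender reputation on the responsible sender's
registrable domain rather than on the mailbox, subdomain or the
<current-domain> reached through SPF redirect= modifiers."""
import re

# Constructed stand-in for DNS TXT lookups; none of these are real records.
FAKE_TXT = {
    "spammer.dom":           "v=spf1 redirect=throwaway1.dom",
    "throwaway1.dom":        "v=spf1 redirect=throwaway2.dom",
    "throwaway2.dom":        "v=spf1 ip4:192.0.2.10 ?all",
    "anybank.com":           "v=spf1 ip4:192.0.2.20 -all",
    "marketing.anybank.com": "v=spf1 ip4:192.0.2.21 -all",
    "loop.dom":              "v=spf1 redirect=loop.dom",
}

MAX_REDIRECTS = 10  # constructed bound; SPF likewise limits DNS-querying terms


def registrable_domain(host):
    """Collapse a host name to its last two labels (assumption: a real
    implementation must use the Public Suffix List, e.g. for example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("not a fully qualified host name: %r" % host)
    return ".".join(labels[-2:])


def sender_domain(mail_from):
    """Domain part of the envelope sender: jane.doe@anybank.com -> anybank.com."""
    if "@" not in mail_from:
        raise ValueError("envelope sender has no domain: %r" % mail_from)
    return mail_from.rsplit("@", 1)[1].lower()


def follow_redirects(domain, txt=FAKE_TXT):
    """Return the chain of domains visited while following redirect= modifiers.
    A chain longer than MAX_REDIRECTS is treated like an SPF permerror."""
    chain = [domain.lower()]
    for _ in range(MAX_REDIRECTS):
        record = txt.get(chain[-1], "")
        match = re.search(r"(?:^|\s)redirect=(\S+)", record)
        if not match:
            return chain
        chain.append(match.group(1).lower())
    raise RuntimeError("redirect chain too long starting at %s" % domain)


def reputation_key(mail_from, txt=FAKE_TXT):
    """Return (key, current_domain). The key is the registrable domain of
    <responsible-sender>; current_domain is the end of the redirect chain and
    is returned for logging only, never used as the key."""
    responsible = sender_domain(mail_from)
    current = follow_redirects(responsible, txt)[-1]
    return registrable_domain(responsible), current


def is_blocked(mail_from, blocklist, txt=FAKE_TXT):
    """Blocklist decision keyed on the responsible sender, so a spammer cannot
    escape by pointing redirect= at a fresh throwaway domain."""
    key, _current = reputation_key(mail_from, txt)
    return key in blocklist


if __name__ == "__main__":
    blocklist = {"spammer.dom"}
    for addr in ("marketing@anybank.com", "jane.doe@anybank.com",
                 "news@marketing.anybank.com", "bulk@spammer.dom"):
        key, current = reputation_key(addr)
        print("%-28s key=%-12s current=%-15s blocked=%s"
              % (addr, key, current, is_blocked(addr, blocklist)))
```

Swapping throwaway2.dom for a third throwaway in the constructed table changes only the logged current domain; the key, and therefore the blocklist decision, stays spammer.dom.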