Re: SPF abused by spammers
2004-09-14 13:44:16
> True - but that's the basis of all reputation mechanisms - there's no
> absolute authority to refer to, you decide whose opinion you trust. If
> AOL trusts MSN, that's their business.
I agree. Reputation and trust can't be based on false assumptions. You
can't accept promises that you know the other party can't keep, even if
they really wanted to. That's true for just about everything, not just
spam.
This is exactly why reputation is only one part of it, and only offers
a complete package when coupled (tripled?) with authentication and
accreditation - our IADB (ISIPP Accreditation Database) being one
example of the latter. Look for more accreditation databases to show
up, particularly as authentication moves more into place.
The *big* difference is that an accreditation database doesn't promise
anything about the quality of the email coming from the IPs listed
therein. It tells you factual information about the mailing policies,
processes, and other data about the sender. For example, IADB tells
you (via a DNS lookup) whether the sender uses confirmed (double)
opt-in, whether they publish SPF records, whether they are listed in
Habeas or Bonded Sender, etc. The latter two, by contrast, are
reputation databases, even though some (mistakenly in my opinion) call
them accreditation. They are whitelists which tell you what email you
should accept from the sender, and why ("because we say so, for
such-and-such a reason"), which is reputation. An accreditation
database is not a whitelist - it simply reports factual information,
and you base your own email processing and delivery decisions thereon.
All three have a part - an important part. Authentication gets you to
"who is this really?"; accreditation gets you to "what are they
doing?", and reputation gets you to "what do others whom I trust think
about what they are doing".
In a perfect world, in my opinion, everyone would check SPF or other
authentication records, query an accreditation database like IADB, and
then either query a reputation system of their choice such as Habeas or
Bonded Sender - or make a note from the IADB results that the sender is
listed with a service like Habeas or Bonded Sender (note that this
does not diminish the Habeas or Bonded Sender model - in fact it helps
them - we give points for participating in either - it just reduces the
query to their database by one).
It's free to do those checks and queries, and if done properly, the
time you save in how you can more efficiently deal with questionable
mail more than makes up for any extra lookups.
Anne
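The three-step check described in the post (authentication first, then an accreditation lookup, then reputation), as an added example that is not part of the original message or of IADB: a receiver-side policy in Python over constructed data. The accreditation zone name, its key=value record format, the reputation whitelist and the point weights are all assumptions for illustration, not IADB's or Habeas' real encoding.

```python
"""Receiver policy combining authentication, accreditation and reputation.
Constructed example; zone name, record format and weights are assumptions."""
import ipaddress

# Constructed data (assumption): accreditation facts keyed by reversed IP in a
# made-up zone, and a receiver-chosen reputation whitelist keyed by service.
ACCRED_ZONE = "example-accred.test"
ACCRED_RECORDS = {
    "10.0.0.192." + ACCRED_ZONE: "optin=confirmed spf=yes habeas=yes bondedsender=no",
    "20.0.0.192." + ACCRED_ZONE: "optin=single spf=no habeas=no bondedsender=no",
}
REPUTATION = {"habeas": {"192.0.0.10"}, "bondedsender": {"192.0.0.30"}}
REPUTATION_QUERIES = []  # records each (service, ip) reputation lookup made


def lookup_accreditation(ip: str) -> dict:
    """Accreditation 'DNS lookup': factual key=value data, or {} if unlisted."""
    rev = ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split(".")))
    txt = ACCRED_RECORDS.get(rev + "." + ACCRED_ZONE, "")
    return dict(kv.split("=", 1) for kv in txt.split())


def query_reputation(service: str, ip: str) -> bool:
    """Reputation whitelist query; counted so the saved lookup is observable."""
    REPUTATION_QUERIES.append((service, ip))
    return ip in REPUTATION.get(service, set())


def decide(ip: str, spf_result: str) -> tuple:
    """Return (action, reasons). Authentication comes first: an SPF fail means
    the identity is unverified, so facts or reputation about it do not apply."""
    if spf_result == "fail":
        return "reject", ["spf=fail: sender identity not verified"]
    reasons, score = [], 0
    if spf_result == "pass":
        score += 1; reasons.append("spf=pass")
    facts = lookup_accreditation(ip)
    # Accreditation only reports facts; the weights are this receiver's policy.
    if facts.get("optin") == "confirmed":
        score += 2; reasons.append("accreditation: confirmed opt-in")
    if facts.get("spf") == "yes":
        score += 1; reasons.append("accreditation: publishes SPF")
    for service in ("habeas", "bondedsender"):
        # If the accreditation record already states whether the sender is
        # listed, the reputation service itself is not queried (one lookup saved).
        listed = facts[service] == "yes" if service in facts else query_reputation(service, ip)
        if listed:
            score += 2; reasons.append("reputation: listed with " + service)
    action = "accept" if score >= 4 else "greylist" if score >= 2 else "scrutinize"
    return action, reasons
```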