ietf-mxcomp

Re: SPF abused by spammers

2004-09-14 13:44:16

> True - but that's the basis of all reputation mechanisms - there's no
> absolute authority to refer to, you decide whose opinion you trust. If
> AOL trusts MSN, that's their business.

I agree. Reputation and trust can't be based on false assumptions. You
can't accept promises that you know the other party can't keep, even if
they really wanted to. That's true for just about everything, not just
spam.

This is exactly why reputation is only one part of it, and only offers a complete package when coupled (tripled?) with authentication and accreditation - our IADB (ISIPP Accreditation Database) being one example of the latter. Look for more accreditation databases to show up, particularly as authentication moves more into place.

The *big* difference is that an accreditation database doesn't promise anything about the quality of the email coming from the IPs listed therein. It tells you factual information about the mailing policies, processes, and other data about the sender. For example, IADB tells you (via a DNS lookup) whether the sender uses confirmed (double) opt-in, whether they publish SPF records, whether they are listed in Habeas or Bonded Sender, etc. The latter two, by contrast, are reputation databases, even though some (mistakenly in my opinion) call them accreditation. They are whitelists which tell you what email you should accept from the sender, and why ("because we say so, for such-and-such a reason"), which is reputation. An accreditation database is not a whitelist - it simply reports factual information, and you base your own email processing and delivery decisions thereon.

All three have a part - an important part. Authentication gets you to "who is this really?"; accreditation gets you to "what are they doing?", and reputation gets you to "what do others whom I trust think about what they are doing".

In a perfect world, in my opinion, everyone would check SPF or other authentication records, query an accreditation database like IADB, and then either query a reputation system of their choice such as Habeas or Bonded Sender - or make a note from the IADB results that the sender is listed with a service like Habeas or Bonded Sender (note that this does not diminish the Habeas or Bonded Sender model - in fact it helps them - we give points for participating in either - it just reduces the query to their database by one).

It's free to do those checks and queries, and if done properly, the time you save in how you can more efficiently deal with questionable mail more than makes up for any extra lookups.

Anne
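As an added example (not code from the message above, nor from ISIPP or IADB), here is how a receiver might chain the three checks in the order the message describes: authentication first, then a DNS lookup against an accreditation zone, then reputation taken either from a trusted list or from the accreditation flags. The zone name and its 127.x.y.z response codes are hypothetical, and live DNS is replaced by a constructed answer table so the code runs offline.

```python
import ipaddress
from typing import Callable, Dict, Set

# Hypothetical accreditation zone and code map: the message says IADB answers
# via DNS but gives no zone or codes, so these values are constructed.
ACCRED_ZONE = "accred.example.invalid"
ACCRED_FLAGS = {"127.0.0.2": "listed", "127.0.1.1": "confirmed_opt_in",
                "127.0.1.2": "publishes_spf", "127.0.2.1": "listed_habeas",
                "127.0.2.2": "listed_bonded_sender"}
TRUSTED_REPUTATION = {"listed_habeas", "listed_bonded_sender"}  # receiver's choice

def accreditation_query_name(ip: str, zone: str = ACCRED_ZONE) -> str:
    # DNSBL-style name: IPv4 octets reversed, then the zone.
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup_accreditation(ip: str, resolve: Callable[[str], Set[str]]) -> Set[str]:
    # Map each A record the zone returns to the factual flag it encodes.
    answers = resolve(accreditation_query_name(ip))
    return {ACCRED_FLAGS[a] for a in answers if a in ACCRED_FLAGS}

def classify(spf_result: str, flags: Set[str]) -> str:
    # Authentication gates everything: an SPF failure earns no credit from
    # accreditation or reputation, because the sender may not be who it claims.
    if spf_result == "fail":
        return "reject"
    if spf_result != "pass" or "listed" not in flags:
        return "filter"      # unknown sender: normal content filtering applies
    # Accreditation reports the sender is listed with a reputation service the
    # receiver already trusts, so the separate reputation query can be skipped.
    if flags & TRUSTED_REPUTATION or "confirmed_opt_in" in flags:
        return "accept"
    return "filter"

# Constructed answers standing in for live DNS: one accredited sender.
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    accreditation_query_name("192.0.2.10"): {"127.0.0.2", "127.0.1.2", "127.0.2.1"},
}

def sample_resolver(name: str) -> Set[str]:
    return SAMPLE_ANSWERS.get(name, set())  # empty set == NXDOMAIN / not listed

def decide(ip: str, spf_result: str,
           resolve: Callable[[str], Set[str]] = sample_resolver) -> str:
    return classify(spf_result, lookup_accreditation(ip, resolve))
```

Swapping `sample_resolver` for a real resolver that returns the A records of the query name is the only change needed to run this against a live zone.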

