ietf-mxcomp

Re: [spf-help] Re: SPF and SenderID

2005-07-21 17:04:15

On Thu, 21 Jul 2005, John Leslie wrote:
> > Where SPF ties reputations to domains, CSV ties it to IP's.
>
>    There's really no basis for such a statement.
>
>    CSV contains a well-defined structure for reputation services.
> Authorization is _by_ the domain of the HELO string, and _of_ any
> actions of the MTA using that HELO string. The IP address(es) are
> only for authentication that the MTA using that HELO string is one
> operating under the control of that domain.
>
>    The absolutely clear intent of CSV is to provide information
> showing authorization and authentication by a _domain_ -- not by
> some ISP which assigns IP addresses.


The version of CSV that I reviewed (though it was some time ago) seemed pretty
clearly aimed at establishing a connection between the actions of an MTA and a
name -- the name used in HELO.  However, there was no information about how to
generalize behavior of many hosts with different hostnames, all in the same
domain.

Thus you can build up a good reputation for "mail1.example.net" and a bad one
for "mail2.example.net", and neither of those is connected to the other.  In
that scenario, "example.net" has no reputation, unless there are one or more
MTAs that announce themselves with "EHLO example.net".

Your message seems to suggest that you can take several hosts in the same
domain (as in "the domain of the HELO string" and not just "the HELO string")
so I'm wondering if this is now defined in CSV or if there's some other
document that tells how to do it.  If my machine is called mail1.example.net,
it makes sense to consolidate the reputation info under "example.net"... but
if my machine is called mydomain.com, do my actions affect the reputation of
"com."?  What about mail1.bbc.co.uk vs. client1.demon.co.uk?

If the reputation attaches to a single name and doesn't get consolidated over
multiple MTAs, what value is being added over just a list of IPs with their
own reputations?  Actually, CSV would be worse in that case because the
spammer can use the current date in seconds as his HELO name, even with the
same domain suffix, and have a clean reputation every time.  hmmm..

(I am of course open to the idea that I've missed something... if so please
just point me in the right direction...)


--
Greg Connor
gconnor(_at_)nekodojo(_dot_)org

Everyone says that having power is a great responsibility.  This is a lot
of bunk.  Responsibility is when someone can blame you if something goes
wrong.  When you have power you are surrounded by people whose job it is
to take the blame for your mistakes.  If they're smart, that is.
                -- Cerebus, "On Governing"
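
The consolidation question raised in this message, worked through as an added example (not part of the original post and not taken from the CSV specification): the same complaint counts are tallied once per exact HELO name and once per registrable domain. The suffix set, the event list and all function names are constructed for illustration; a real receiver would load the full Public Suffix List rather than this five-entry stand-in.

```python
from collections import Counter

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Constructed sample: (HELO name, complaints attributed to that session).
EVENTS = [
    ("mail1.example.net", 0),
    ("mail2.example.net", 5),
    ("1121965455.example.org", 3),   # timestamp-style HELO names,
    ("1121965456.example.org", 3),   # a fresh one per connection
    ("1121965457.example.org", 3),
    ("mail1.bbc.co.uk", 0),
    ("client1.demon.co.uk", 2),
    ("mydomain.com", 1),
]

def registrable_domain(helo):
    """Return public suffix plus one label, or None if no such domain exists."""
    labels = helo.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None          # the name is itself a suffix ("com", "co.uk")
            return ".".join(labels[i - 1:])
    return None                      # unknown TLD: nothing safe to consolidate on

def tally(events, key):
    """Sum complaints per reputation key; fall back to the raw name if key() is None."""
    scores = Counter()
    for helo, complaints in events:
        scores[key(helo) or helo.lower()] += complaints
    return scores

def by_exact_name(events):
    return tally(events, lambda helo: helo.lower())

def by_registrable_domain(events):
    return tally(events, registrable_domain)

if __name__ == "__main__":
    for title, scores in (("per HELO name", by_exact_name(EVENTS)),
                          ("per registrable domain", by_registrable_domain(EVENTS))):
        print(title)
        for name, complaints in sorted(scores.items()):
            print(f"  {name:28} {complaints}")
```

Keyed on the exact name, each timestamp-style HELO carries only its own three complaints; keyed on the registrable domain, they accumulate under one entry, while bbc.co.uk and demon.co.uk stay separate and nothing is charged to "com" or "co.uk".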