ietf-mxcomp

Re: [spf-help] Re: SPF and SenderID

2005-07-22 04:37:36

gconnor <gconnor(_at_)nekodojo(_dot_)org> wrote:
On Thu, 21 Jul 2005, John Leslie wrote:

CSV contains a well-defined structure for reputation services.
Authorization is _by_ the domain of the HELO string, and _of_ any
actions of the MTA using that HELO string. The IP address(es) are
only for authentication that the MTA using that HELO string is one
operating under the control of that domain.

The absolutely clear intent of CSV is to provide information
showing authorization and authentication by a _domain_ -- not by
some ISP which assigns IP addresses.


The version of CSV that I reviewed (though it was some time ago)

   (It really hasn't changed much.)

seemed pretty clearly aimed at establishing a connection between the
actions of an MTA and a name -- the name used in HELO. 

   Exactly.

However, there was no information about how to generalize behavior of
many hosts with different hostnames, all in the same domain.

   We do not consider that issue in-scope.

   Undoubtedly, some reputation services will take on that task; and
a number of approaches come to mind. The most useful approaches would
seem to be those which merely gather domain-wide information to be
used when name-specific information is sparse.

Thus you can build up a good reputation for "mail1.example.net" and
a bad one for "mail2.example.net", and neither of those is connected
to the other. 

   This is exactly true, as far as CSV is concerned.

In that scenario, "example.net" has no reputation, unless there are
one or more MTAs that announce themselves with "EHLO example.net".

   Correct, as far as CSV is concerned. Reputation services, however,
may aggregate available information for subdomains, and use it in
some fashion.

Your message seems to suggest that you can take several hosts in
the same domain (as in "the domain of the HELO string" and not just
"the HELO string") so I'm wondering if this is now defined in CSV
or if there's some other document that tells how to do it. 

   There has been no change: we still consider it out-of-scope.

   My wording was (deliberately) vague, so as to cover both the
exact CSV meaning and some possible interpretations by reputation
services.

If my machine is called mail1.example.net, it makes sense to
consolidate the reputation info under "example.net"... but if my
machine is called mydomain.com, do my actions affect the reputation of
"com."? What about mail1.bbc.co.uk vs. client1.demon.co.uk?

   Though we consider this issue out-of-scope, a likely implementation
by reputation services would be to carry it upwards to the registered
entity: thus stopping at mydomain.com, demon.co.uk, or (hopefully)
somecompany.city.st.us.

If the reputation attaches to a single name and doesn't get
consolidated over multiple MTAs, what value is being added over
just a list of IPs with their own reputations? 

   The granularity match is better; and the (out-of-scope) aggregation
of subdomains is far easier.

Actually, CSV would be worse in that case because the spammer can
use the current date in seconds as his HELO name, even with the
same domain suffix, and have a clean reputation every time.

   Correction: with that practice, the spammer would have "no
reputation" every time. CSV intends that other measures be applied
in cases of "no reputation" -- one example being IP blacklists.

--
John Leslie <john(_at_)jlc(_dot_)net>
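
An added illustration, not part of the original message and not part of CSV: one way a reputation service might carry a HELO name upwards to the registered entity and use domain-wide counts only when name-specific data is sparse, returning "no reputation" otherwise. The suffix list, the threshold and the observation counts are constructed assumptions.

```python
# Constructed suffix rules for illustration; a real service would use a
# maintained registry-suffix list. "example", "st.us", "city.st.us" are stand-ins.
SUFFIXES = {"com", "net", "example", "uk", "co.uk", "us", "st.us", "city.st.us"}
MIN_SAMPLES = 10  # assumed threshold below which data counts as "sparse"

def registered_entity(helo):
    """Carry a HELO name upwards, stopping one label below the longest suffix."""
    labels = helo.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning left to right, the first hit is the longest matching suffix.
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # unknown suffix: do not guess an entity

def lookup(helo, observed):
    """observed maps HELO name -> (good, bad) counts. Returns (basis, score)."""
    helo = helo.lower().rstrip(".")
    good, bad = observed.get(helo, (0, 0))
    if good + bad >= MIN_SAMPLES:
        return ("name", good / (good + bad))  # name-specific data wins
    entity = registered_entity(helo)
    if entity is not None:
        same = [c for n, c in observed.items() if registered_entity(n) == entity]
        good, bad = sum(g for g, _ in same), sum(b for _, b in same)
        if good + bad >= MIN_SAMPLES:
            return ("domain", good / (good + bad))
    return ("none", None)  # no reputation: apply other measures, e.g. IP blacklists

# Constructed observations, not real data.
OBSERVED = {
    "mail1.example.net": (95, 5),
    "mail2.example.net": (2, 98),
    "1121990000.bulkmail.example": (0, 6),   # HELO names rotated per session
    "1121990060.bulkmail.example": (0, 6),
}

if __name__ == "__main__":
    for name in ("mail1.example.net", "mail3.example.net", "mydomain.com",
                 "client1.demon.co.uk", "1121999856.bulkmail.example",
                 "1121999856.unseen.example"):
        print(name, registered_entity(name), lookup(name, OBSERVED))
```
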