On Wed, Mar 10, 2004 at 02:08:34PM -0800, Hallam-Baker, Phillip wrote:
| > On Wed, Mar 10, 2004 at 05:03:38AM -0500, Meng Weng Wong wrote:
| > |
| > | 1) accredited sender domains should be able to add accreditation
| > | modifiers easily.
| >
| > example.com TXT "v=spf1 mx -all accredit=%{d}.accreditor.net"
|
| I would very much like to get rid of the macro expansion for
| security reasons.

Actually I would've required the macro expansion for security reasons.

| The point is that the accreditation is only for the domain that
| has been accredited. I do not want the software to react to
| things like:
|
| spammer.com TXT "v=spf1 mx -all accredit=example.com.accreditor.net"
|
| This is hijacking another person's accreditation.

And one way to prevent it is for reputation services to only recognize
certain RHS strings. That way, with %{d} expansion, spammer.com's
accredit=%{d}.accreditor.net will only expand to
spammer.com.accreditor.net and not example.com.accreditor.net.

  my %recognized_accreditors = ( "%{d}.accreditor.net" => -10,
                                 "%{d}.verisign.com"   => -10,
                                 ...,
                               );

Macros are perfect for this.

Spammers can try to do accredit=always-return-maxgood.com but because
that's not recognized it doesn't do anything.

  if (spf_pass($domain)) {
    foreach my $modifier (asserted_accreditation($domain)) {
      next if not exists $recognized_accreditors{$modifier};
      if (accreditor_vouches_for_domain($domain, $modifier)) {
        $score += $recognized_accreditors{$modifier};
      }
    }
  }

Accreditors will naturally want to gain recognition from reputation
services --- maybe the first thing a commercial accreditor will do is
petition SpamAssassin to add

  $recognized_accreditors{"%{d}.new_kid.on.the.block"} = -10;

But noncommercial accreditors might not even bother; they might prefer
to let the facts speak for themselves, and acquire a reputation the
old-fashioned way. SpamAssassin can easily detect new accreditation
services that are just quietly out there doing their thing, and assign a
score according to their quality. Economists have talked about how
money can be seen as a medium for information flow. With
accreditation/reputation, we have an economy whose information medium is
not money but the concept remains the same. Wonderfully elegant.

| > | 2) accreditation agencies should be able to easily publish vouch
| > | information, in a standard format if possible
| >
| > example.com.accreditor.net A 127.0.0.2
|
| Here there is a disagreement with CSRI which specifies 127.0.0.10
| for good, 127.0.0.255 for bad
|
| Is this compatible?

I haven't read this part of the CSRI document. I think it would be
useful to carve up the 32 bits and allocate some spaces --- if CSRI says
127.0.0.* measures good/bad, then maybe we can reserve 126.* to provide
bit-fields in the lower three octets, etc. So under 126.*, .1 might
mean property X is true, .2 for property Y, .4, .8, etc., and you just &
them accordingly.
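
The recognized-template check sketched in the message above, as an added Perl example that is not part of the original e-mail. The SPF records and accreditor zone are constructed sample data, SPF is assumed to have already passed, and treating the presence of any A record as a vouch is an assumption made here.

```perl
use strict;
use warnings;

# Constructed sample SPF records (stand-in for DNS TXT lookups).
my %spf_txt = (
    'example.com' => 'v=spf1 mx -all accredit=%{d}.accreditor.net',
    'spammer.com' => 'v=spf1 mx -all accredit=example.com.accreditor.net',
    'shady.net'   => 'v=spf1 mx -all accredit=always-return-maxgood.com',
    'newbie.org'  => 'v=spf1 mx -all accredit=%{d}.accreditor.net',
);
# Constructed accreditor zone: only example.com has been accredited.
my %accreditor_zone = ( 'example.com.accreditor.net' => '127.0.0.2' );

# Only unexpanded templates are recognized; the receiver does the expansion.
my %recognized_accreditors = ( '%{d}.accreditor.net' => -10 );

# Return the raw (unexpanded) accredit= modifiers published by a domain.
sub asserted_accreditation {
    my ($domain) = @_;
    my $txt = $spf_txt{$domain} // '';
    return $txt =~ /(?:^|\s)accredit=(\S+)/g;
}

# Expand %{d} with the domain under evaluation, never with a name the
# publisher wrote, then check whether the accreditor lists that name.
sub accreditor_vouches_for_domain {
    my ($domain, $modifier) = @_;
    (my $name = $modifier) =~ s/%\{d\}/$domain/g;
    return exists $accreditor_zone{lc $name};
}

# Score adjustment for a domain whose SPF check is assumed to have passed.
sub accreditation_score {
    my ($domain) = @_;
    my $score = 0;
    foreach my $modifier (asserted_accreditation($domain)) {
        # A literal such as example.com.accreditor.net is not a template key.
        next if not exists $recognized_accreditors{$modifier};
        $score += $recognized_accreditors{$modifier}
            if accreditor_vouches_for_domain($domain, $modifier);
    }
    return $score;
}

for my $domain (sort keys %spf_txt) {
    printf "%-12s score %d\n", $domain, accreditation_score($domain);
}
```

Only example.com earns the accreditor's score: spammer.com's literal reference to another domain's entry and shady.net's unknown accreditor are skipped at the template check, and newbie.org uses a recognized template but has no entry in the accreditor's zone.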