spf-discuss

making the policy decision: leveraging HTTPS

2004-06-20 09:26:20
In the latest slideshow I distinguished between
authentication and policy.

  http://spf.pobox.com/slides/unified%20spf/0320.html

We've said all along that SPF is an anti-forgery tool.
It is very good at making an IP-based authentication
decision about whether the message is spoofed or not.

But there's nothing to stop a spammer from publishing SPF
records.  In fact, we encourage this, because it gives us
better tools to do RHSBL blocking.  And, in a show of
cooperation, lots of spammers actually do now publish SPF
records.  This is great!  (I just wish the RHSBL folks would
take advantage of this and list those spamming domains.)

So even if authentication passes, we need to make a policy
decision.

In the past I have talked about accreditation and reputation
systems.  Accreditation is a sender-side thing, reputation
is a receiver-side thing.

The reason you need both is because of the valley between
spam and non-spam --- the gray area.  Reputation systems are
fundamentally statistical in nature, and they throw up their
hands when they're faced with a new domain that was just
registered yesterday and hasn't sent any mail yet.  How do
you judge someone who doesn't have a reputation?

The answer is: you expect good newbies to sign up for
accreditation; bad newbies won't.

But anyway, I'm getting away from my main point.

The most basic expression of policy is a static database of
domain names:

  aol.com                      GOOD
  amazon.com                   GOOD
  makeitbiggerthisweekend.com  BAD

You can get more complex expressions by querying a
reputation system that keeps track of total number of
messages seen versus number of "this is spam" complaints.

  aol.com                      complaintratio=1/1000
  amazon.com                   complaintratio=1/100000
  makeitbiggerthisweekend.com  complaintratio=2/5

And each receiver decides where they want to set the cutoff
point.

The above are two sources of policy.

Here's one more:

 given DOMAIN, attempt to connect to https://www.DOMAIN/.

 If an HTTPS connection succeeds, and the certificate for
 DOMAIN is valid, that makes it somewhat more likely that
 the sender is a good guy.

 And if the sender turns out to be a bad guy, the information
 in the SSL certificate will help the feds track them down.

This leverages the existing multimillion dollar
infrastructure already in place for HTTPS, and makes it
useful in the war against spam.
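As an added example (not code from the post or from the SPF project), here are the three policy sources above wired into one receiver-side decision in Python: the static GOOD/BAD table, the complaint-ratio table with a receiver-chosen cutoff, and the HTTPS probe as a fallback for domains with no reputation. The table contents, the `cutoff` default and the `probe` hook are assumptions; the live `https_probe` is shown but the offline demo injects a stub in its place.

```python
import socket
import ssl
from fractions import Fraction

# Constructed sample tables mirroring the two listings in the post.
STATIC_POLICY = {
    "aol.com": "GOOD",
    "amazon.com": "GOOD",
    "makeitbiggerthisweekend.com": "BAD",
}
# complaints / messages seen; bulkmailer.example is constructed and appears
# only here so the cutoff branch can be exercised on its own.
COMPLAINT_RATIO = {
    "aol.com": Fraction(1, 1000),
    "amazon.com": Fraction(1, 100000),
    "makeitbiggerthisweekend.com": Fraction(2, 5),
    "bulkmailer.example": Fraction(3, 100),
}


def https_probe(domain, timeout=5.0):
    """Attempt https://www.DOMAIN/ with default chain and hostname verification.

    True only if the TLS handshake completes and the certificate is valid for
    the host; any network or certificate error counts as no signal. This needs
    network access and is not called by the offline demo below."""
    host = "www." + domain
    ctx = ssl.create_default_context()  # verifies chain + hostname by default
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError, ValueError):
        return False


def policy_decision(domain, spf_result, cutoff=Fraction(1, 100), probe=https_probe):
    """Policy runs only after SPF authentication passed (the post's point)."""
    if spf_result != "pass":
        return "unauthenticated"          # no authenticated identity to judge
    verdict = STATIC_POLICY.get(domain)   # source 1: static database
    if verdict == "BAD":
        return "reject"
    if verdict == "GOOD":
        return "accept"
    ratio = COMPLAINT_RATIO.get(domain)   # source 2: reputation vs. cutoff
    if ratio is not None:
        return "accept" if ratio <= cutoff else "reject"
    # source 3 (gray area): a valid HTTPS certificate nudges toward trust,
    # otherwise hold the message for further scrutiny rather than rejecting
    return "accept" if probe(domain) else "defer"
```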