spf-discuss

RE: Authentication, Accreditation, and Reputation

2004-08-14 12:21:09
Mark - 

> On Sat, Aug 14, 2004 at 08:53:39AM -0400, John Glube wrote:

> > The purpose of an accreditation service is to:
> >
> > * facilitate the process of obtaining and maintaining a
> > good reputation;

> Accreditation has nothing to do with reputation. Reputation
> is a behavioral metric, and the only behavior that matters
> here is: does this identity have a history of sending spam
> or ham?

I agree with the statement, reputation is a 'behavioral
metric' and 'does this identity have a history of sending
spam or ham?'

> Whether the identity has the wherewithal to purchase
> accreditation is a non-issue.

Understood.

> This isn't just my opinion, by the way. All the literature
> on reputation systems that I've been able to find (dig
> through CiteSeer, for example) define reputation as a
> behavioral metric directly tied to the actions of an agent
> in the arena to which the reputation applies. I.e.,
> there's no notion of "accreditation" included.

Acknowledged.

> > A person may decide, since I have published the appropriate
> > SPF, E-mail policy, CSV records, I am prepared to allow
> > sufficient data to accumulate and gain a good reputation.

> Reputation has nothing to do with information provided by
> the sender. It's based on information observed by the
> receiver in the act of receiving the mail.

I understand your last comment.

> I could build a reputation rating for an identity today
> based solely on the contents of MAIL FROM:, HELO/EHLO, the
> IP from which the mail is being sent, and a determination
> of whether that mail is spam or ham.
>
> Things such as SPF record publishing, CSV, SSL certs and so
> forth have no bearing on whether you're forging MAIL FROM:
> and HELO/EHLO, whether you're sending mail from an IP from
> which you don't normally send mail, and whether the content
> of that mail is spam.

I acknowledge the two are distinct. 

I appreciate your taking the time to correct my thinking.

Let me see if I can put all of this into context:

* A domain has a good or bad reputation based on past
observed behaviour by receiving MTAs, reports received from
individual recipients and others, including operators of
black lists. 

Question: Will not the quality of these reports vary
depending for example on:

* what is treated as spam versus ham from the recipient's
perspective?

* the criteria used by black list operators in declaring an
activity indicative of spam versus ham?

Let me elaborate. 

A recipient may say, this message is spam because it is an
email message which I do not want and did not ask for. 

However, an observer may say, (I am going to use an
example) but you subscribed to the mailing list and
verified your consent to receive email about how to build
model airplanes and marketing material concerning model
airplanes, building model airplanes and the like. 

Now the particular message in question tells the recipient
how to build a model Sopwith Camel and includes an
advertisement for a kit to build Sopwith Camels.

The observer may ask "How is this spam as opposed to ham?"

Is this a correct concern? If so, how does a 'heuristic
measure of behavior' deal with this concern?

Is the analysis that, in assessing reports, we treat all
reports as fact, aka spam or ham, and then adjust reported
statements based on learned measures of how recipients
generally make mistakes or specifically make mistakes
concerning the particular sender?

To do this, don't you need sufficient volume levels to gain
an accurate measure, given the error factor, or is there
another approach?

* Is not one problem that some domains may not send enough
email to allow for a realistic behaviour assessment based
on existing methods used to establish reputation using
recipients' data?

Or have I misunderstood in general terms how reputation is
measured?

Let's create an example.

Joe Smith who lives in Upper Cove, Nova Scotia has a web
site and his own mail server. 

Over a one year period he has built a verified opt-in
mailing list of 10,000 subscribers from all over the world. 

He sends mailings to his subscribers on a bi-monthly basis.

* Would these types of mailing volumes generate the required
data from all potential recipient sources to allow a
reputation service to come to a correct conclusion as to
the sending characteristics of Joe's domain?

(I am presuming a formula which includes mail volume, time
and spam reports from recipient sources, or is this wrong?)

On the other hand, we have Big Co, with headquarters in New
York City. Big Co does regular mailings on a weekly basis,
sometimes mailing up to 2,000,000 pieces at a time.

* Again the same questions.

Now if the email volume coming from Joe's mail server does
not allow a reputation service to assess whether Joe has a
good reputation or not, what to do?

Is this not one aspect of the problem?

As a result, what reputation is applied to Joe's domain?

From the receiving MTA's perspective, the operator may decide:

* Okay, I know the sending MTA was authorized to send this
message for this domain. But this does not tell me whether the
particular message is spam or ham.

To fine tune my query I will ask my favourite reputation service:

* Does the domain which has authenticated the sending MTA have a
good or bad reputation?

* If the domain has no known reputation, or perhaps because I
want a more refined statement than merely good or bad, I will
query accreditation services x, y and z to see whether anyone is
prepared to make a statement about this domain's sending
characteristics?

(As an aside, accreditation service y checks the reputation of
users on a real time basis with various reputation services l, m,
and n and uses the data to adjust its statements about a
particular domain.)

* Based on my local policy, which has been created based on
past experience with these various services, I will then
decide whether to let the message pass to the intended
recipient, or conduct filtering tests to check for
spamminess?

* The individual recipient may also have set her
preferences. Now, if the individual recipient is
contributing to the data set of information generated by
the reputation service, and based on the reputation
assigned, the sender has a good reputation, will the
message pass to the individual's inbox?

However, if the reputation service is not able to assign a
reputation, does the model permit either: (i) the
individual can set her own preferences and based on these
preferences the message will or will not be delivered to
either the individual's inbox or junk mail box; or (ii) the
reputation service could query accreditation services x, y
and z and based on the response assign an accreditation
rating, which the individual may decide to accept, and
depending on the assigned accreditation rating, allow the
message to pass to the individual's inbox?

I apologize if I am asking what may seem to some as basic
questions and I greatly appreciate your assistance.

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
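The following is an added illustration and is not part of John's message or anything the thread's participants wrote. It models, in Python, the two pieces of the receiver-side flow sketched above: a reputation estimate built from spam/ham reports that corrects for each reporter's learned error rate and abstains when a domain's volume is too low (the Joe Smith versus Big Co question), and a receiving-MTA decision that combines the SPF result, the reputation verdict, a fallback to accreditation services x, y and z, and local policy. The domains (joesmith.example, bigco.example, bulk-spam.example), reporter names, error rates, thresholds, accreditation tables and all report counts are constructed sample data; the symmetric-error bias correction used is an assumption, one standard way of "adjusting reported statements based on learned measures of how recipients make mistakes", not something the thread specifies.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One recipient or blacklist report about mail from a domain."""
    domain: str
    reporter: str
    verdict: str  # "spam" or "ham"


# Constructed: learned error rate per reporter (fraction of its past verdicts
# that turned out to be wrong). A real service would estimate these over time.
REPORTER_ERROR = {"isp-a": 0.05, "isp-b": 0.20, "user-c": 0.40}
DEFAULT_ERROR = 0.30    # assumption for reporters never seen before
MIN_REPORTS = 50        # assumption: abstain ("unknown") below this volume
BAD_THRESHOLD = 0.20    # assumption: corrected spam fraction above this is "bad"


def corrected_spam_fraction(n_spam, n_total, error_rate):
    """Bias-correct an observed spam fraction o for a symmetric error rate e.
    If the true fraction is s, we expect o = s*(1-e) + (1-s)*e, so
    s = (o - e) / (1 - 2e). Returns None when the reporter is uninformative
    (e >= 0.5) or has no reports; the result is clamped to [0, 1]."""
    if n_total == 0 or error_rate >= 0.5:
        return None
    observed = n_spam / n_total
    estimate = (observed - error_rate) / (1 - 2 * error_rate)
    return min(1.0, max(0.0, estimate))


def reputation(domain, reports):
    """Return (verdict, corrected_spam_fraction, report_count) for a domain.
    verdict is "good", "bad" or "unknown" (insufficient or uninformative data)."""
    by_reporter = defaultdict(lambda: [0, 0])  # reporter -> [spam, total]
    for r in reports:
        if r.domain != domain:
            continue
        by_reporter[r.reporter][1] += 1
        if r.verdict == "spam":
            by_reporter[r.reporter][0] += 1
    n = sum(total for _, total in by_reporter.values())
    if n < MIN_REPORTS:
        return "unknown", None, n
    weighted, weight = 0.0, 0
    for reporter, (n_spam, n_total) in by_reporter.items():
        s = corrected_spam_fraction(n_spam, n_total,
                                    REPORTER_ERROR.get(reporter, DEFAULT_ERROR))
        if s is None:
            continue
        weighted += s * n_total   # each reporter's estimate weighted by its volume
        weight += n_total
    if weight == 0:
        return "unknown", None, n
    frac = weighted / weight
    return ("bad" if frac > BAD_THRESHOLD else "good"), frac, n


def _make(domain, reporter, n_spam, n_ham):
    """Build constructed reports for one (domain, reporter) pair."""
    return ([Report(domain, reporter, "spam")] * n_spam
            + [Report(domain, reporter, "ham")] * n_ham)


# Constructed sample data: a low-volume sender, a large well-behaved sender
# seen by both a reliable and a noisy reporter, and a bulk spammer.
REPORTS = (
    _make("joesmith.example", "isp-a", 0, 30)
    + _make("bigco.example", "isp-a", 10, 140)
    + _make("bigco.example", "user-c", 20, 30)
    + _make("bulk-spam.example", "isp-b", 90, 10)
)

# Constructed: domains each accreditation service is prepared to vouch for.
ACCREDITATION = {"x": {"joesmith.example"}, "y": set(), "z": set()}

# Constructed local policy: which accreditors past experience says to trust.
LOCAL_POLICY = {"trusted_accreditors": {"x", "y"}}


def decide(spf_result, domain, reports, local_policy=LOCAL_POLICY):
    """Receiving-MTA decision: "deliver", "reject" or "filter" (run content checks).
    spf_result is the SPF outcome for the sending MTA: "pass", "fail" or "none"."""
    if spf_result != "pass":
        return "filter"   # assumption: no authenticated identity, so no reputation to apply
    verdict, _, _ = reputation(domain, reports)
    if verdict == "good":
        return "deliver"
    if verdict == "bad":
        return "reject"
    # Unknown reputation: ask whether a trusted accreditor vouches for the domain.
    vouching = {svc for svc, domains in ACCREDITATION.items() if domain in domains}
    if vouching & local_policy["trusted_accreditors"]:
        return "deliver"
    return "filter"
```

With this data Joe's 30 reports fall below the volume floor, so his reputation is "unknown" and delivery hinges on whether local policy trusts accreditor x; Big Co's 200 reports yield a small corrected spam fraction even though the noisy reporter flags 40% of its mail, and the bulk sender is rejected outright. Changing MIN_REPORTS or the trusted accreditor set shows how much of the outcome for a small sender is a policy choice rather than a measurement.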