RE: Sub domains

> -----Original Message-----
> From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Scott 
> Kitterman
> Sent: Thursday, August 19, 2004 2:40 PM
> To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> Subject: RE: [spf-discuss] Sub domains
>
>
> > -----Original Message-----
> > From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> > [mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Mark 
> > C. Langston
> > Sent: Thursday, August 19, 2004 2:23 PM
> > To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
> > Subject: Re: [spf-discuss] Sub domains
> >
> >
> > On Thu, Aug 19, 2004 at 08:18:00PM +0200, Koen Martens wrote:
> > > I guess this means a.example.com is just screwed if b.example.com
> > > misbehaves..
> > Not at all.  Take the following example, straight from GOSSiP:
> >
> > Assume a ham-sender connects from <some IP>, using the address
> > foo(_at_)a(_dot_)example(_dot_)com(_dot_)
> >
> > Assume a spammer connects from <the same IP>, using the address
> > bar(_at_)b(_dot_)example(_dot_)com(_dot_)
> >
> > In GOSSiP, the identity for the hammer is a.example.com:<IP>.  The
> > identity for the spammer is b.example.com:<IP>.
> >
> > Two separate identities, two separate reputations.
> >
> > There has been discussion in the past few days about data aggregation
> > across identities, but I think everyone agrees that there may be as many
> > dangers as benefits to such aggregation.  Therefore, there won't be any
> > such aggregation in the initial release, and if and when that
> > aggregation is added, it will require significant testing to ensure the
> > good doesn't get lumped in with the bad.
> OK,
>
> So being the smart spammer, I register spammyexample.com, but am
> careful to
> never send spam from that domain.
>
> First I send from a.spammyexample.com until it gets a bad
> reputation, then I
> send from b.spammyexample.com until it gets a bad reputation, and then I
> send from c.spammyexample.com until it gets a bad reputation, etc.  Now if
> you add in checking the reputation of the higher level domain
> (spammyexample.com), I just spend some time sending ham from that domain
> (while I spam from others because I plan ahead) and I still don't see how
> you can avoid aggregation.
>
> The tricky part, I think, is deciding where to draw the line of
> responsibility.  For common US TLDs it's pretty easy (usually at
> the second
> level), but for country TLDs it's going to be more complex.  Don't think
> you're going to be that effective until you deal with this issue somehow.
>
> Perhaps you need to look at each level as a aggregate and then
> see if there
> are sub-domains that are at significant variance.  If the aggregate was
> spammy, then a new sub-domain at that or a lower level would
> start out with
> a somewhat negative reputation that would have to be overcome and if the
> aggregate was hammy, it would start out somewhat positive.
Also,

This earlier post to the list:

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200407/0029.html

I think could also apply to how to flow reputation back towards the
responsible party.

Reputation might even sub-divide based on the MTA and the domain, something
like,

Gee, mail-from: FQDN has a pretty good rep, but the HELO/EHLO FQDN has a
crummy rep for being spamish.  Well, it passes so I'll give it some good rep
based on mail-from:, but that doesn't entirely resolve my suspicion of this
MTA...

Or even separate reputations per mail-from:/PRA (if you are so
inclined)/HELO/EHLO combination.

Scott Kitterman