Nick Nicholas wrote:
> On Thursday, January 12, 2006 at 5:03 PM Julian Mehnle wrote:
> > Incite research on sender reputation. Perhaps build a
> > prototype reputation database.
>
> Some questions from the floor, if I may! :-)
>
> Isn't this being done already, and in a variety of ways? For example,
> the MAPS RBL (now Kelkea/Trend Micro) is an example of a negative
> reputation database which has been around since 1997 and now has many
> successors, Spamhaus being the most notable one. Then there are the
> positive reputation databases such as that provided by my employer,
> Habeas, and Bonded Sender. Then there is the SIQ group working on
> reputation, as well as the non-public, proprietary reputation databases
> such as the ones maintained by AOL and Hotmail/MSN. How is what you are
> proposing different from these other projects, and is this within the
> scope of SPF-oriented efforts? I know that sender authentication was
> always intended to be supplemented by reputation services, but do you
> really think the time has come for those working on SPF to begin
> devoting attention to the reputation aspect?

I need to learn about what exactly the SIQ group is doing, but as for the
other efforts, I think they are far from the level of sophistication that
is necessary to make significant progress on the spam and general e-mail
abuse problem. Most reputation systems out there are still IP-based, and
virtually every domain-based reputation system -- like most of the
IP-based ones -- is very single-minded with regard to their listing policy
and user adaptability.
(For example, users need subjective reputation data that is tailored to
their sphere of communication, which is why so many maintain their private
reputation databases. However this locality is a major impediment to
effectiveness, because that data is not being shared with other users at
all. I think the two fundamental models "identical data for everyone" and
"everyone maintain their own data" need to be mixed. _Some_ approaches
already do that.)

> Please don't get me wrong: I would dearly love to talk about reputation
> services, and I'm delighted that you think it is a topic worth
> discussing. I just question whether this is the right time and place to
> do so.

This is a very legitimate question. It may not be considered the SPF
project's job to care about how verified domains are used, but I think
this is a matter of giving SPF (especially a version of SPF that is
expanded to cover auth methods like DKIM and S/MIME) an additional
justification next to forgery prevention, i.e. making SPF really useful.
That would not only advance the state of the art WRT reputation, but
provide an additional incentive to deploying SPF.
That doesn't necessarily mean the SPF project needs to develop and
implement advanced reputation systems itself. If others are already
working on that, it simply means we should get in touch with them and work
with them to produce what users want.
I think it would be worthwhile for the SPF project to keep a broad(er)
perspective.
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/