spf-discuss

Re: [spf-discuss]Domain reputation system design

2007-01-30 10:37:08
At 11:27 AM 1/30/2007 +0000, Julian Mehnle wrote:
Stuart D. Gathman wrote:
> On Mon, 29 Jan 2007, Julian Mehnle wrote:
> > This is an interesting insight into your personal reputation system.
> > Thank you!
> >
> > However, shouldn't a reputation atom be qualified by more than just
> > "SPF" or "neutral" ("neutral" _what_?)?  I'd think you'd at least
> > require <scope/identity-type>, <method-of-authentication>,
> > <result-of-authentication>, e.g. "HELO", "SPF", "Pass"?
>
> You missed the previous post.  The qualifiers are currently:
>
> if SPF pass:
>   domain:SPF
> elif bestguess:
>   domain:GUESS
> elif HELO SPF PASS or bestguess:
>   domain:HELO
> elif SPF neutral:
>   domain:neutral
> elif SPF softfail:
>   domain:softfail
> elif valid non-dynamic rDNS:
>   1.2.3.4:IP
> else:
>   REJECT the connection

No, I did NOT miss it.

What does "neutral" mean?  Does it imply "SPF"?

> SPF means SPF pass.

Ah.

I rather think _you_ missed _my_ point.  You _always_ need at least
<scope/identity-type> AND <method-of-authentication> AND
<result-of-authentication> as a qualification.  In your design, each
qualifier name indicates only one item _explicitly_ ("foo") and _implies_
("(bar)") the others:

   qualifier | scope   | auth-method     | auth-result
  -----------+---------+-----------------+-------------
   SPF       | (mfrom) | SPF             | (Pass)
   GUESS     | (mfrom) | SPF-guess       | (Pass)
   HELO      | helo    | (SPF/SPF-guess) | (Pass)
   neutral   | (mfrom) | (SPF)           | Neutral
   softfail  | (mfrom) | (SPF)           | SoftFail
   IP        | ip-addr | (valid rDNS)    | (match)

Not exactly the most obvious naming scheme. :-)

There is no limit to the number of small bins we could sort these scores into. On my system, I could specify the authentication methods and results, the SpamAssassin score threshold at which we count the message as spam, the version number and ruleset used in SpamAssassin, and even then the scores for a domain will be dependent on the particular set of recipients we are monitoring. I see a lot of spam from comcast.net. Stuart apparently doesn't have any recipients with legitimate mail from comcast.

What we need from reputation services, if they want to be included in our Registry, is a simple final score that can be used to rate a domain when they first say HELO. What is the probability that if we accept a message from one of their authorized transmitters, it will be spam? Maybe we should call this their "HELO reputation" to distinguish it from other equally-valid ways of measuring reputation.

-- Dave



-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735
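
Added example, not part of the thread or of any poster's code: the cascade quoted above, rewritten so that each reputation key carries the explicit scope, method and result from the table, plus a per-key spam estimate of the kind the closing paragraph asks for. The dict field names, the add-one smoothing and the sample data are assumptions of this example.

```python
from collections import Counter, namedtuple

# Explicit reputation key: every field the short qualifier names only imply.
Atom = namedtuple("Atom", "identity scope method result")

def classify(msg):
    """Posted cascade, returning the full key; None means REJECT.
    msg holds results the receiver already computed (field names are
    assumptions of this example)."""
    if msg["spf"] == "pass":
        return Atom(msg["mfrom"], "mfrom", "SPF", "Pass")
    if msg["guess"] == "pass":
        return Atom(msg["mfrom"], "mfrom", "SPF-guess", "Pass")
    if msg["helo_spf"] == "pass":  # HELO split by method, unlike the short name
        return Atom(msg["helo"], "helo", "SPF", "Pass")
    if msg["helo_guess"] == "pass":
        return Atom(msg["helo"], "helo", "SPF-guess", "Pass")
    if msg["spf"] == "neutral":
        return Atom(msg["mfrom"], "mfrom", "SPF", "Neutral")
    if msg["spf"] == "softfail":
        return Atom(msg["mfrom"], "mfrom", "SPF", "SoftFail")
    if msg["rdns_ok"]:  # valid, non-dynamic rDNS
        return Atom(msg["ip"], "ip-addr", "valid rDNS", "match")
    return None

class Reputation:
    """Per-key counts of accepted messages and how many were spam."""
    def __init__(self):
        self.seen, self.spam = Counter(), Counter()

    def record(self, atom, is_spam):
        self.seen[atom] += 1
        self.spam[atom] += bool(is_spam)

    def p_spam(self, atom):
        # Add-one smoothing (a choice made for this example): unseen key -> 0.5.
        return (self.spam[atom] + 1) / (self.seen[atom] + 2)

def sample_run():
    """Constructed sample: two keys for one domain that must not share a score."""
    base = dict(mfrom="example.com", helo="mail.example.com", ip="192.0.2.10",
                spf="none", guess="none", helo_spf="none", helo_guess="none", rdns_ok=True)
    passed = classify(dict(base, spf="pass"))
    soft = classify(dict(base, spf="softfail"))
    rep = Reputation()
    for atom, is_spam in [(passed, False)] * 8 + [(soft, True)] * 3 + [(soft, False)]:
        rep.record(atom, is_spam)
    return passed, soft, rep.p_spam(passed), rep.p_spam(soft)
```

Because the key is the whole tuple, a domain's SPF-pass traffic and its softfail traffic accumulate separate scores, and the scores remain specific to the recipients whose mail was counted.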
