spf-discuss

Re: [spf-discuss] Perils of reputation

2007-02-09 06:58:44
Interesting problem! The example is very helpful in defining the category of email we are talking about. How about we call it "Solicited Commercial Email" or SCE, instead of "cageliner". This would include mail from charitable and political organizations asking for donations, ads from Walgreens, and stock tips that might be something your broker signed you up for, but you would like to see an authentication header to help you decide whether to un-subscribe or report it as spam.

One way of dealing with SCE is an accreditation service like Goodmail. The sender pays a fee, and the accreditation service handles all complaints, including the inevitable complaints from recipients who forgot they signed up. Receivers who trust Goodmail can whitelist a sender based on that sender's rating with Goodmail.

I wonder if a really good reputation system can eliminate the need for accreditation services and special processing of SCE. Reputable senders of SCE should make sure their recipients know why they are on the list. They should respond promptly to any complaints, and leave very few unresolved. Maybe by providing special processing of SCE, we are encouraging senders to spend money on accreditation services instead of resolving complaints. The goal is no unwanted mail, even if that mail somehow fits the legal requirements of SCE. Blurring the line on reputation may mean fewer senders of SCE will make the effort to get clearly on the right side of the line. I want that broker to send me a subscription request, not just put me on a list after some rambling phone conversation.

-- Dave

At 08:06 PM 2/6/2007 -0500, Stuart D. Gathman wrote:

Consider the case of this sender:

2007Feb06 02:07:11 [1324] connect from cmn1lsm3.beliefnet.com at ('129.33.230.137', 43757) EXTERNAL
2007Feb06 02:07:12 [1324] hello from cmn1lsm3.beliefnet.com
2007Feb06 02:07:12 [1324] mail from <listadmin4@partner.beliefnet.com> ()
2007Feb06 02:07:12 [1324] Received-SPF: pass (smtp.example.com: domain of
    partner.beliefnet.com designates 129.33.230.137 as permitted sender)
    client_ip=129.33.230.137; envelope_from="listadmin4@partner.beliefnet.com";
    helo=cmn1lsm3.beliefnet.com; receiver=smtp.example.com;
    mechanism="a:cmn1lsm3.beliefnet.com"; identity=mailfrom
2007Feb06 02:07:12 ham: 0, spam: 25
2007Feb06 02:07:12 ID partner.beliefnet.com:SPF reputation: -76.159416,2.014513
2007Feb06 02:07:12 [1324] X-GOSSiP: uqaWJvNVWKgzP7TsOY9.Jg,-76,2
2007Feb06 02:07:12 [1324] rcpt to <jackiel@example.com> ()
2007Feb06 02:07:12 [1324] REJECT: REPUTATION

They are not actually spamming.  They have a very nice SPF record.  Users
at this company actually signed up for their mailings.  Their mailings
*are* laden with advertising.  That is, after all, how their operation
is funded.  This similarity with actual spam causes a message or two
to be quarantined.  The user doesn't actually care that much about reading
the messages, and doesn't bother releasing them from the quarantine.  They
never send any email to the domain, so no auto-whitelisting takes place.
The stats snowball until all messages are quarantined.  The reputation
takes a nosedive, and the system starts rejecting all messages.  Quite
reasonable, since they were just sitting in quarantine until deleted anyway.

This is an example of practical spam.  Stuff that users sign up for, but
don't actually have time to read.  Kind of like those magazine subscriptions
that pile up in the bathroom, or those newspapers sitting in your recycling
bin that you never get around to reading.  It is a good thing that
the system eventually learns to refuse delivery.  However, I feel like
there should be a different kind of demerit for this kind of "spam", because
the company is not actually doing anything wrong.  The reputation should
have a high "lost interest" score, that is distinguished from a
high "criminal spammer" score.  But I am not sure how to capture that
distinction from end users.

Certainly, the best way to do this is to charge recipients for the
subscription.  That will certainly motivate them to whitelist the sender.
And if they never read it, they don't have to renew.

However, advertising funded content is very popular.  I suppose that
messages actually reported as spam or sent to a honeypot mailbox should
get a different kind of demerit than messages that are simply left in
quarantine.  So there would be three counts: ham, spam, cageliner.  The
last two would count together for purposes of quarantine and rejection,
but only the spam stat would determine the "evilness" of the sender.

Which might affect how the system GOSSiPs about senders.
When responding to a reputation query, the cageliner messages should
count as ham, rather than spam.

Comments?  Insights?
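The three-count scheme sketched in the quoted message (ham, spam, cageliner; the last two counted together for the local quarantine/reject decision, but only real spam reports feeding the "evilness" a peer hears about in a GOSSiP reply), replayed on the partner.beliefnet.com scenario above. This is an added illustration, not code from pymilter, GOSSiP or the list; the linear score, the n/(n+5) confidence, the thresholds, the identity names and the "every third message looks spammy to the content filter" rule are all assumptions chosen to show the snowball and the ham/cageliner distinction.

```python
"""Sender reputation with three counts: ham, spam, cageliner.

Added example (not pymilter/GOSSiP code).  Score formula, confidence formula,
thresholds and the simulated message stream are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Counts:
    ham: int = 0        # wanted mail (e.g. auto-whitelisted after the user wrote to them)
    spam: int = 0       # reported as spam by a user, or delivered to a honeypot mailbox
    cageliner: int = 0  # sat in quarantine until deleted: "lost interest", not "criminal"


def score(good: int, bad: int) -> tuple[float, float]:
    """Return (score, confidence).

    score: assumed linear formula in [-100, 100].
    confidence: assumed n/(n+5), rising with the number of observations.
    """
    n = good + bad
    if n == 0:
        return 0.0, 0.0
    return 100.0 * (good - bad) / n, n / (n + 5)


class Reputation:
    MIN_CONFIDENCE = 0.5      # assumed: below this, no reputation-based action
    QUARANTINE_BELOW = -20.0  # assumed threshold
    REJECT_BELOW = -70.0      # assumed threshold

    def __init__(self) -> None:
        self.db: dict[str, Counts] = {}

    def counts(self, identity: str) -> Counts:
        return self.db.setdefault(identity, Counts())

    def record(self, identity: str, outcome: str) -> None:
        if outcome not in ("ham", "spam", "cageliner"):
            raise ValueError(f"unknown outcome {outcome!r}")
        c = self.counts(identity)
        setattr(c, outcome, getattr(c, outcome) + 1)

    def local_score(self, identity: str) -> tuple[float, float]:
        """For our own quarantine/reject decision: spam AND cageliner count
        against the sender, since neither kind of message was wanted here."""
        c = self.counts(identity)
        return score(c.ham, c.spam + c.cageliner)

    def gossip_score(self, identity: str) -> tuple[float, float]:
        """For answering a peer's reputation query: cageliner counts as ham, so
        only genuine spam reports make the sender look evil to others."""
        c = self.counts(identity)
        return score(c.ham + c.cageliner, c.spam)

    def decide(self, identity: str) -> str:
        s, conf = self.local_score(identity)
        if conf < self.MIN_CONFIDENCE:
            return "ACCEPT"  # too little data: leave it to content filtering
        if s < self.REJECT_BELOW:
            return "REJECT"
        if s < self.QUARANTINE_BELOW:
            return "QUARANTINE"
        return "ACCEPT"


def simulate_lost_interest(rep: Reputation, identity: str,
                           n_messages: int, flag_every: int = 3) -> list[str]:
    """Replay the scenario from the post on a constructed message stream.

    Assumption: every flag_every-th message is ad-laden enough that the
    content filter quarantines it.  The user never releases anything and never
    writes to the sender, so the only feedback the system ever sees is
    'cageliner'.  Returns the action taken for each message in order.
    """
    history = []
    for i in range(1, n_messages + 1):
        action = rep.decide(identity)
        if action == "ACCEPT" and i % flag_every == 0:
            action = "QUARANTINE"          # content filter, not reputation
        if action == "QUARANTINE":
            rep.record(identity, "cageliner")  # never released from quarantine
        history.append(action)
    return history


if __name__ == "__main__":
    rep = Reputation()
    print(simulate_lost_interest(rep, "partner.beliefnet.com", 20))
    print("beliefnet local :", rep.local_score("partner.beliefnet.com"))
    print("beliefnet gossip:", rep.gossip_score("partner.beliefnet.com"))
    for _ in range(5):                      # constructed honeypot hits
        rep.record("spammer.example", "spam")
    print("spammer local   :", rep.local_score("spammer.example"))
    print("spammer gossip  :", rep.gossip_score("spammer.example"))
```

Run stand-alone, the stream shows the snowball: the first quarantines come from the content filter alone, each unreleased message adds a cageliner demerit, and once the sample is large enough the local score pins at -100 and the remaining messages are rejected at SMTP time. The same counts answered over GOSSiP give +100, while a sender whose five messages all landed in a honeypot scores -100 on both views. Which identity to key on (here the SPF-validated envelope-from domain, as in the log) and how to weight spam against cageliner are the open design choices the post raises.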


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735