spf-discuss

RE: [spf-discuss] Re: Making spam scores public

2007-03-06 22:43:54
David MacQuigg wrote on Monday, March 05, 2007 4:27 PM -0600:

> It seems to me the real goal of our work on these reputation systems
> is to provide a universal solution to the spam problem.

While laudable, this is not possible.


> Keeping the data private means there is no fundamental difference
> between what you are doing and what any large ISP or spam-appliance
> company does.  How can you expect your solution to be any better
> than what these private companies are doing?

Having private data is a large advantage, which is why large ISPs don't
publish their internal listing criteria.  Attacking a small network that
uses local reputation data followed by Bayesian content filtering is
inherently harder than attacking a system using public DNSBLs and
content filters with public rule sets.  You can get some unwanted
messages through, but you can't test the messages for deliverability
ahead of time.  The only commonality among networks that use local data
is the code that generates it.  The data itself, and the system
parameters that drive the decisions, are all unknown to attackers.

The private data advantage is reduced if your incoming mail flow is too
small.  Communications among a few peer systems can help greatly in this
case.  As an aside, Bayesian filters don't necessarily work better than
carefully maintained rule sets, but they do it with a fraction of the
maintenance.  Private reputation data created from your own mail flow
holds the same promise.

I don't mean to imply that there is no use for public reputation data.
Evaluating whether to use data from a particular source means knowing
who they are.  This exposes them to legal action, a risk most companies
do not want.  An alternative is creating composite data from all
submitters, which is the SpamCop approach that many sites find too
unreliable.  In the end, the most successful public lists are created
from networks of trusted private sources and are carefully managed.


> I think the way to deal with threats of costly lawsuits is to set up
> the company in a jurisdiction with more common sense in their legal
> system than the USA.

This is the precise reason that U.S. companies will not likely make
their reputation data public.  Even if there were no threat of lawsuits,
publishing this data tells your attackers how effective they were with
each spam run.


> If some rating service is put out of business by a lawsuit, others
> will take its place.

Even the threat of lawsuits is enough to deter most people.

--
Seth Goodman

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?list_id=735