spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-16 11:11:48
Ian Eiloart wrote:

> --On 14 October 2009 15:08:15 -0700 David MacQuigg <macquigg(_at_)ece(_dot_)arizona(_dot_)edu> wrote:
>
>> OK, I think I understand now what you mean by "sender".  Sender
>> (individual author) addresses are worthless to identify bad senders.
>> See above.
>
> That's simply not my experience. I've seen spear phishing attacks from gmail accounts that are listed on blacklists. The blacklisting of sender addresses does have value to me.

I wasn't aware of any blacklists of individual sender addresses. I would like to give it a try. Where can I find one?

> But, there's a bigger picture here. I'd like to rate-limit new senders that haven't earned a good reputation. I can do that for individual gmail users, but can't apply the same rate limit to all gmail users.

I would rather not try to separate good from bad within Gmail. That is really Gmail's responsibility. I just rate the entire mailflow from Gmail to our receivers. Whitelisting of individual Gmail authors can be done by our individual recipients.

> Therefore, I need a reputation system that allows me to key on sender addresses. However, to do that, I need some sort of assurance that the author address hasn't been spoofed.

Without having some kind of worldwide individual identity system, it just can't be done. You will always have to rely on the mail submission agent (MSA) to verify its user accounts. Some are strict, and have no spammers among their users. Others, like Gmail, are more concerned about getting new accounts. We need to make the cost of that decision higher than the cost of losing a few legitimate accounts when new subscribers find it inconvenient to provide strong individual identification to their MSAs. We can do that by holding the MSA responsible.

A global individual ID system will also have major problems with privacy and anonymity issues. Organizations operating Internet transmitters have no legitimate reason to hide their identity.

A reliance on individual IDs will also produce a weak reputation system. There are far too many IDs to keep track of, and the data for each one is too sparse. Reputation is best accumulated at the highest level which still has some authority over its domain. az.us is too high. Nobody in Arizona can control what all the domains do. (Theoretically they could, but there is no actual delegation of authority to az.us (no SOA record).) We have chosen pima.az.us as the optimum level. Pima county can enforce standards for anyone operating a transmitter under their name.

-- Dave
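The "highest level with an SOA record" rule Dave describes for choosing a reputation key, as an added example that is not part of the original thread. It walks a transmitter's hostname from the shortest suffix upward and keys on the first ancestor that has an SOA record; the zone table is constructed for offline use (a real deployment would query a resolver for SOA records and should skip public suffixes using the Public Suffix List rather than the fixed `min_labels` assumption here).

```python
from typing import Callable, Optional

# Constructed stand-in for a DNS SOA lookup so the example runs offline.
# Mirrors the thread: "us" and "pima.az.us" are real zones, "az.us" has no SOA.
_CONSTRUCTED_ZONES = {"us", "pima.az.us", "com", "gmail.com"}


def constructed_has_soa(name: str) -> bool:
    """Return True if the (constructed) zone table says NAME has an SOA record."""
    return name in _CONSTRUCTED_ZONES


def reputation_key(host: str, has_soa: Callable[[str], bool],
                   min_labels: int = 2) -> Optional[str]:
    """Pick the name to accumulate reputation against for a transmitter HOST.

    Candidates are checked from the shortest suffix with at least MIN_LABELS
    labels (assumed to skip the bare TLD) to the full hostname; the first one
    that has an SOA record is the highest level that actually holds authority.
    Returns None when no candidate has an SOA, so the caller can refuse to
    score the transmitter instead of keying on an undelegated name.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(min_labels, len(labels) + 1):
        candidate = ".".join(labels[-n:])
        if has_soa(candidate):
            return candidate
    return None


if __name__ == "__main__":
    for transmitter in ("mail.pima.az.us", "smtp.gmail.com", "host.az.us"):
        print(transmitter, "->", reputation_key(transmitter, constructed_has_soa))
```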


