
Re: [spf-discuss] Tracking userids --was: SPF, DKIM, and NIH

2009-10-19 05:36:43


--On 17 October 2009 15:06:11 +0200 Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:

> Ian Eiloart wrote:
>>> Without having some kind of worldwide individual identity system, it
>>> just can't be done.
>>
>> No, we can.
>
> At the university of Sussex, you mean?

I'm not talking about what we do at Sussex, I'm talking about what I'd like to see in future. It's possible that it could provide some benefit now, but the benefit would increase as SPF and DKIM become more widely deployed.

I mean that you don't need a comprehensive worldwide individual identity system in order to assign reputation to email sender addresses. What you need to do is (a) verify the sender address domain with DKIM or SPF, and (b) make reasonable assumptions about the operation of the domain.

I think it's reasonable to assume that a domain operator won't permit one user to spoof another user's sender address. If that's untrue, then the domain's users and managers will need to sort out any negative consequences.

>> What I mean by "spoofed" is that the email was sent from the
>> account that it claims to be sent from. For gmail, for example, a valid
>> DKIM signature is enough that I can assign reputation to the purported
>> author. I don't need a worldwide ID system, I just need to know that the
>> account that I'm judging is the correct one.
>>
>> As an admin, I can't just reject all gmail email. I have no choice but
>> to try to distinguish between good and bad senders. However, I can
>> assign a default reputation to ESPs like gmail, for previously unseen
>> users in their domain.
>
> That seems very clever work to me. I have two very basic questions
> about it:
>
> 1) How large does your database grow?

Probably not as large as the IPv6 address space. Probably not as large as the indexes on my mailstore.

> 2) Do you [think to] publish that data?

Yep. I imagine that sender reputation services will become as widespread as IP reputation services. Maybe that's what you mean by a "worldwide individual identity system"? In which case, the answer is yes. However, it may only be necessary to publish individual addresses with scores that differ greatly from the domain default; known spammers or well behaved bulk senders.

> Assuming that you reckon senders' reputation based on your users'
> complaints, if you forward them (or an anonymized version thereof) to
> google, you may be able to track their reactions, if any. Did you ever
> [try to] get in touch with google about such results? What percentage of
> gmail's users do you think you are tracking?
>
> I'm also curious about possible generalizations. For different identities
> of the same user, gmail adds --and signs-- a Sender header. That's not a
> universal practice. Some other mail sites may mention the authenticated
> id in their Received header. How do you handle those cases?
>
> TIA for expanding this subject
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Modify Your Subscription: http://www.listbox.com/member/
> Archives: https://www.listbox.com/member/archive/735/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/735/
> Powered by Listbox: http://www.listbox.com



--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
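The scheme Ian describes above, as an added example that is not code from this thread or from the Sussex mail system: reputation is keyed on the full sender address, but only once DKIM or SPF has verified that address's domain; unseen users inherit the domain default; and only addresses whose score differs greatly from that default are exported for sharing. The `AuthResult` layout, the score scale, the thresholds and the `gmail.com` sample data are assumptions made for the example; the Sender/Received header cases Alessandro asks about are not modelled.

```python
"""Sender-address reputation keyed on a DKIM/SPF-verified domain.

Added example; not code from the spf-discuss thread or from the
University of Sussex. It models Ian's scheme: (a) attach reputation to a
sender address only when DKIM or SPF verified that address's domain,
(b) assume the domain operator stops one user spoofing another, so the
full address is a stable identity, (c) give previously unseen users the
domain's default score, and (d) publish only addresses whose score
differs greatly from that default. The AuthResult layout, the score
scale and the thresholds are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class AuthResult:
    """Outcome of the receiver's own checks on one message (assumed layout)."""
    dkim_domain: Optional[str] = None  # d= tag of a signature that verified, else None
    spf_domain: Optional[str] = None   # MAIL FROM domain that passed SPF, else None


@dataclass
class ReputationStore:
    domain_defaults: Dict[str, float] = field(default_factory=dict)
    address_scores: Dict[str, float] = field(default_factory=dict)
    unknown_domain_default: float = 0.0  # neutral score for a domain with no default yet


def normalise(address: str) -> str:
    # Assumption: key the whole address case-insensitively.
    return address.strip().lower()


def verified_sender(address: str, auth: AuthResult) -> Optional[str]:
    """Return the normalised address if DKIM or SPF verified exactly its domain.

    None means neither check verified that domain, so the address is
    unauthenticated and no reputation should be attached to it.
    """
    addr = normalise(address)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1]
    for verified in (auth.dkim_domain, auth.spf_domain):
        if verified and verified.lower() == domain:
            return addr
    return None


def score_for(store: ReputationStore, address: str, auth: AuthResult) -> Optional[float]:
    """Per-address score, falling back to the domain default for unseen users.

    None means the sender could not be authenticated; the receiver has no
    address-level reputation to apply (IP reputation still applies).
    """
    addr = verified_sender(address, auth)
    if addr is None:
        return None
    if addr in store.address_scores:
        return store.address_scores[addr]
    domain = addr.rsplit("@", 1)[1]
    return store.domain_defaults.get(domain, store.unknown_domain_default)


def record_feedback(store: ReputationStore, address: str, auth: AuthResult, delta: float) -> bool:
    """Adjust an authenticated address's score by delta (negative for a user
    complaint, positive for confirmed wanted mail).

    Unauthenticated senders are ignored, so a message that merely claims an
    address cannot change that address's score.
    """
    addr = verified_sender(address, auth)
    if addr is None:
        return False
    current = score_for(store, addr, auth)
    store.address_scores[addr] = current + delta
    return True


def publishable(store: ReputationStore, threshold: float) -> Dict[str, float]:
    """Addresses whose score differs from their domain default by more than
    threshold: the known spammers and well-behaved bulk senders worth sharing."""
    out: Dict[str, float] = {}
    for addr, score in store.address_scores.items():
        domain = addr.rsplit("@", 1)[1]
        default = store.domain_defaults.get(domain, store.unknown_domain_default)
        if abs(score - default) > threshold:
            out[addr] = score
    return out


if __name__ == "__main__":
    # Constructed sample: a neutral default for gmail.com, then one complaint
    # against an authenticated user and one spoof attempt that is ignored.
    store = ReputationStore(domain_defaults={"gmail.com": 0.0})
    signed = AuthResult(dkim_domain="gmail.com")
    print(score_for(store, "alice@gmail.com", signed))          # domain default
    record_feedback(store, "bob@gmail.com", signed, -4.0)        # user complaint
    record_feedback(store, "bob@gmail.com", AuthResult(), -4.0)  # unauthenticated, ignored
    print(score_for(store, "bob@gmail.com", signed))
    print(publishable(store, threshold=3.0))                     # only the outlier
```

The alignment check in `verified_sender` is deliberately exact: a signature for some unrelated domain says nothing about who controls the sender address, so the lookup returns `None` rather than silently falling back to the domain default.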

