
Re: [Asrg] A question on trust and trust propagation.



On 06/03/05 22:34 +0100, Peter J. Holzer wrote:
> On 2005-03-06 01:10:55 +0530, Devdas Bhagat wrote:
> > The one really trustable bit of information in the entire SMTP
> > transaction is the IP address of the peer.
> [...]
> > Hence, using a local IP based list of trusted IP addresses makes sense.
> > However, a question of being able to maintain that whitelist in a
> > reliable fashion arises. Also, being able to rapidly respond to new 
> > sending hosts is required. I had drafted up a proposal for a DNSBL which
> > would allow multiple sites to communicate their trust of different IP
> > addresses, and also allow site administrators to define trust level for
> > other domains. This proposal is sitting at 
> > http://nixcartel.org/~devdas/multisystem-protocol-proposal.txt
> > With some modifications, a trust propagation mechanism for
> > whitelisting/blacklisting IP addresses can be generated in a useful
> > fashion.
> 
> The main modification which would be necessary would be that
> whitelisting information would have to be processed automatically, too.
> Your current proposal explicitly forbids that.

The idea was to have the processing software summarize the whitelisting
records and send them to the admin in a form suitable for updating, with
a list of peers who think that a host should be whitelisted.
This was to prevent spammers from flooding the system with whitelisting
requests.

> 
> Maybe the information should not be a binary black/white, but a
> probability/confidence value? "Mail from that IP is spam with a
> probability of 99%" or something like that? For most IPs this will
> usually be close to 0% or 100%, but it should be somewhere in between
> if there are too few samples, or if the host is transitioning from bad
> to good or vice versa.

Possibly. However, the only thing that I would like to be doing is either
accepting all mail from the host, or none of it. Rather than trying to
associate the IP with a probability, I am associating the signer with a
trust level. What this person says about this IP is likely to be 99%
true, etc. So you will need more peers before the system will even
prompt the administrator for whitelisting the host.

> (I have to look at GOSSiP again - I think that was quite similar)
> 
> > The core questions:
> > 1> Should we be looking at trusting sending hosts, rather than trusting
> > sending domains/addresses?
> 
> Currently, yes. This may change as spammers move from direct-to-mx
> sending to using the smarthost of the zombie, but even then the sending
> host will be an entity which you can trust more (if the provider has
> effective spam-prevention deployed) or less (if it hasn't).

Exactly.

> Sender domains/addresses are currently completely useless as trustable
> entities. SPF, DomainKeys etc. may change this, but I'm not optimistic.
> Widespread use of cryptographic signatures together with a working PKI
> would change it, but I'm not seeing that, either.
> 
> > 2> Is the method of propagation of trust (based on GPG keys) usable?
> 
> I think so, yes. My proposal for an "email web of trust"
> (http://www.hjp.at/projekte/mail-wot/outline.rxml) also uses GPG keys.
> 
> > Please ignore the usenet/email issues for now, the actual message
> > transmission format/medium is not relevant to the trust issue.
> 
> How large do you expect the messages to be? A complete record of all
> Zombie IP-Addresses seen in the last month or so can easily be a few
> million records.

I expect to see a large initial message, and then smaller hourly
messages. The hourly messages would be a few thousand lines at most,
during a bad spam run.

Devdas Bhagat

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
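
An added example, not part of the original message or of the linked proposal: a sketch of the summarizing step described in the reply, where each signer carries a trust level and a host is only put in front of the administrator once enough trusted peers vouch for it. The key IDs, trust values, threshold and the noisy-OR combining rule are all assumptions, and signature verification is assumed to have happened before the reports reach this code.

```python
from collections import defaultdict
from math import prod

# Hypothetical local policy: trust the admin assigns to each peer's signing key
# (key IDs are constructed placeholders, not real GPG key IDs).
SIGNER_TRUST = {"KEY-A": 0.90, "KEY-B": 0.80, "KEY-C": 0.50}
PROMPT_THRESHOLD = 0.97  # assumed: combined confidence needed before prompting

# Constructed sample: (signer key id, IP) whitelist assertions whose
# signatures are assumed to have been verified already.
REPORTS = [
    ("KEY-A", "192.0.2.10"), ("KEY-B", "192.0.2.10"),
    ("KEY-A", "192.0.2.20"),
    ("KEY-X", "198.51.100.7"), ("KEY-X", "198.51.100.7"),  # unknown signer
    ("KEY-C", "203.0.113.5"), ("KEY-C", "203.0.113.5"),    # repeated report
]

def combined_confidence(trusts):
    """Noisy-OR (assumed rule): chance that at least one signer is right."""
    return 1.0 - prod(1.0 - t for t in trusts)

def whitelist_candidates(reports, signer_trust, threshold):
    """Return {ip: (confidence, signers)} for hosts worth showing the admin."""
    vouchers = defaultdict(set)
    for signer, ip in reports:
        if signer in signer_trust:    # keys without a local trust level carry no weight
            vouchers[ip].add(signer)  # a set, so repeats from one peer count once
    candidates = {}
    for ip, signers in vouchers.items():
        conf = combined_confidence(signer_trust[s] for s in signers)
        if conf >= threshold:
            candidates[ip] = (round(conf, 4), sorted(signers))
    return candidates

if __name__ == "__main__":
    found = whitelist_candidates(REPORTS, SIGNER_TRUST, PROMPT_THRESHOLD)
    for ip, (conf, signers) in found.items():
        # The output is a prompt for the admin, not an automatic whitelist entry.
        print(f"{ip}: confidence {conf}, vouched for by {', '.join(signers)}")
```

Only 192.0.2.10 reaches the threshold here: a single trusted peer, a repeated report from one low-trust peer, and any number of reports from an unknown key all fall short.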