RE: [Asrg] Trust relationships etc.
Brian Azzopardi replied up here to something quoted way down there:
>
> Yes of course. But what's the point?
>
Well, if you're interested...
> Reputation schemes will only be effective if enough people implement
> them,
Well no. For instance - we can consider DNSBLs as sources of reputation
reports pertaining to (usually) the source IP "identity". This identity is
not typically subject to any "authentication" since we normally think of it
as "practically unforgeable". Or a locally maintained blacklist, even. We
only need one or two participants in these simple reputation schemes.
Generally of course, we'd expect reputation to become more useful as the
observation is wider (and deeper).
> and it will still *not* solve a spamming zombied machine.
Depending on what identities we're collecting reputation scores for, this
need not be the case. A zombied machine will tend rapidly to lose what
good reputation it had.
> Authentication is not an answer - we must assume that all data sent from
> a zombied machine can be falsified and that authentication details can
> be stolen.
>
I think you're missing the value of authentication. We'd like to "know"
that a message does indeed "belong" to the identity asserted (e.g. as the
"sender"). Then we can apply the reputation associated with that identity
when assessing the message. Or to put it another way; we'd expect that the
reputation for an *authenticated* identity would be a *better* predictor
(of future behaviour associated with that identity) than would be the
reputation of an unauthenticated identity.
If an authenticated identity is associated with a spam stream, I don't care
whether it's a zombie or a "real person". That credentials can be stolen,
or misappropriated tokens presented, isn't relevant. Messages claiming that
identity will be associated with the poor reputation.
> Spam filtering has to be done on a per-message basis.
>
It certainly can be - but can also be done on other bases.
Messages are not simply isolated blocks of text. They're parts of a stream
(or body) of mail that has properties which may be worth considering.
But back to your original question, the "point" would be that reputation
scores pertaining to authenticated identities might be useful input to
statistical (and heuristic) filters. You may feel that these filters are as
good as they need to be - I suspect that this won't always be true.
> -----Original Message-----
> From: asrg-bounces at ietf.org [mailto:asrg-bounces at ietf.org] On Behalf Of
> Jon Kyme
> Sent: Thursday, July 21, 2005 11:23 AM
> To: ASRG
> Subject: RE: [Asrg] Trust relationships etc.
>
> Brian Azzopardi wrote:
> > More sophisticated
> > implementations can feed the filter other events such as IPs, dollar
> > amounts, appropriately processed time, etc.
>
> And of course it's not hard to arrange for reputation and authentication
> data to be input to statistical filtering - this is easily done by
> adding appropriate headers. This is a general mechanism for upstream
> entities to provide input to downstream filtering.
>
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
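
The header mechanism discussed in this message, as an added example that is not part of the original post: an upstream hop stamps authentication and reputation headers, and a downstream naive Bayes filter turns them into tokens alongside the body words. The header names `X-Upstream-Auth` and `X-Upstream-Reputation`, the score buckets, the choice to ignore a score on unauthenticated mail, and all training messages are assumptions constructed for illustration.

```python
import math
from collections import Counter
from email import message_from_string

def tokens(raw):
    """Body words plus synthetic tokens derived from the upstream headers."""
    msg = message_from_string(raw)
    toks = msg.get_payload().lower().split()
    auth = (msg.get("X-Upstream-Auth") or "none").strip().lower()
    toks.append("hdr:auth=" + auth)
    rep = msg.get("X-Upstream-Reputation")
    if rep is not None and auth == "pass":
        # Design choice of this sketch: use the score only when the identity
        # it refers to was authenticated upstream.
        score = float(rep)
        toks.append("hdr:rep=" + ("bad" if score < 0.3 else "good" if score > 0.7 else "mid"))
    return toks

class NaiveBayes:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()

    def train(self, raw, label):
        self.counts[label].update(tokens(raw))
        self.docs[label] += 1

    def spam_probability(self, raw):
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        logp = {}
        for label, seen in self.counts.items():
            total = sum(seen.values())
            logp[label] = math.log(self.docs[label] / sum(self.docs.values())) + sum(
                math.log((seen[t] + 1) / (total + vocab)) for t in tokens(raw))  # Laplace smoothing
        top = max(logp.values())
        odds = {k: math.exp(v - top) for k, v in logp.items()}
        return odds["spam"] / (odds["spam"] + odds["ham"])

def make(auth, rep, body):
    return f"X-Upstream-Auth: {auth}\nX-Upstream-Reputation: {rep}\n\n{body}\n"

def build_filter():
    nb = NaiveBayes()  # constructed training mail, not real data
    for auth, rep, body in [("pass", "0.1", "cheap pills offer"), ("none", "0.5", "cheap offer now"),
                            ("pass", "0.2", "meeting offer pills")]:
        nb.train(make(auth, rep, body), "spam")
    for auth, rep, body in [("pass", "0.9", "meeting agenda attached"), ("pass", "0.8", "offer for the meeting"),
                            ("none", "0.5", "lunch agenda")]:
        nb.train(make(auth, rep, body), "ham")
    return nb
```

With this training set the same body text scores differently depending on the reputation of the authenticated identity, while a reputation header on unauthenticated mail has no effect on the score.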