Spam Spotlight on Reputation

Ben Laurie ben at algroup.co.uk
Mon Sep 13 05:33:58 PDT 2004


Bill Stewart wrote:

> At 03:15 PM 9/6/2004, Hadmut Danisch wrote:
> 
>> On Mon, Sep 06, 2004 at 11:52:03AM -0600, R. A. Hettinga wrote:
>> >
>> > E-mail security company MX Logic Inc. will report this week that 10 percent
>> > of all spam includes such SPF records,
>>
>> I have mentioned this problem more than a year ago in context of
>> my RMX draft (SPF, CallerID and SenderID are based on RMX).
>> Interestingly, nobody really cared about this major security problem.
>> All RMX-derivatives block forged messages (more or less).  But what
>> happens if the attacker doesn't forge? That's a hard problem.  And a
>> problem known from the very beginning of the sender verification discussion.
> 
> 
> It's not a hard problem, just a different problem.
> 
> Whitelisting your friends and aggressively filtering strangers
> is an obvious technique for reducing false positives
> without increasing false negatives,
> but it fails if spammers can forge identities of your friends.
> RMX-derivatives help this problem, and they help the joe-job problem.
> 
> If a spammer wants to claim that they're the genuine spammers-are-us.biz,
> well, let them.
> 
> I find it more annoying that there are spammers putting PGP headers
> in their messages, knowing that most people who use PGP assume PGP-signed mail
> is from somebody genuine and whitelist it.

Surely you should check that:

a) The signature works
b) Is someone in your list of good keys

before whitelisting?

-- 
ApacheCon! 13-17 November! http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
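
The two checks named in the message above, as an added example that is not part of the original post: it reads the machine-readable status lines GnuPG emits when run as `gpg --status-fd 1 --verify` and whitelists only when the signature verifies and every signer is in a list of good keys. The function names, fingerprints and status samples are constructed for illustration.

```python
STATUS_PREFIX = "[GNUPG:] "
# Any of these status keywords means the message must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def naive_whitelist(body):
    """The habit described in the thread: PGP armor alone earns trust."""
    return "-----BEGIN PGP SIGNATURE-----" in body

def verified_signers(status_text):
    """Primary-key fingerprints of signatures gpg reported as valid."""
    signers = set()
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        if fields[0] in REJECT:
            return set()  # check (a) fails: one bad signature spoils the lot
        if fields[0] == "VALIDSIG" and len(fields) > 1:
            # Last VALIDSIG field is the primary key fingerprint when present.
            signers.add((fields[10] if len(fields) > 10 else fields[1]).upper())
    return signers

def should_whitelist(status_text, good_keys):
    """(a) the signature verifies and (b) every signer is a known good key."""
    signers = verified_signers(status_text)
    return bool(signers) and signers <= {k.upper() for k in good_keys}

# Constructed sample data: fingerprints, names and timestamps are made up.
FRIEND = "0123456789ABCDEF0123456789ABCDEF01234567"
STRANGER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
GOOD_KEYS = {FRIEND}

def _valid(fpr, name):
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} {name}\n"
            f"[GNUPG:] VALIDSIG {fpr} 2004-09-13 1095078838 0 4 0 1 2 00 {fpr}\n")

STATUS_FRIEND = _valid(FRIEND, "Friend <friend@example.org>")
STATUS_STRANGER = _valid(STRANGER, "Bulk Sender <offers@example.net>")
STATUS_FORGED = f"[GNUPG:] BADSIG {FRIEND[-16:]} Friend <friend@example.org>\n"
SPAM_BODY = "Buy now\n-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n"

if __name__ == "__main__":
    print("naive:", naive_whitelist(SPAM_BODY))
    for label, status in [("friend", STATUS_FRIEND), ("stranger", STATUS_STRANGER),
                          ("forged", STATUS_FORGED), ("no signature", "")]:
        print(label, should_whitelist(status, GOOD_KEYS))
```

The stranger case is the one the thread is about: the signature is cryptographically valid, but the key is not on the good list, so the message gets no whitelist credit.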
