Spam Spotlight on Reputation
Ben Laurie
ben at algroup.co.uk
Mon Sep 13 05:33:58 PDT 2004
Bill Stewart wrote:
> At 03:15 PM 9/6/2004, Hadmut Danisch wrote:
>
>> On Mon, Sep 06, 2004 at 11:52:03AM -0600, R. A. Hettinga wrote:
>> >
>> > E-mail security company MX Logic Inc. will report this week that 10
>> percent
>> > of all spam includes such SPF records,
>>
>> I have mentioned this problem more than a year ago in context of
>> my RMX draft (SPF, CallerID and SenderID are based on RMX).
>> Interestingly, nobody really cared about this major security problem.
>> All RMX-derivatives block forged messages (more or less). But what
>> happens if the attacker doesn't forge? That's a hard problem. And a
>> problem known from the very beginning of the sender verification
>> discussion.
>
>
> It's not a hard problem, just a different problem.
>
> Whitelisting your friends and aggressively filtering strangers
> is an obvious technique for reducing false positives
> without increasing false negatives,
> but it fails if spammers can forge identities of your friends.
> RMX-derivatives help this problem, and they help the joe-job problem.
>
> If a spammer wants to claim that they're the genuine spammers-are-us.biz,
> well, let them.
>
> I find it more annoying that there are spammers putting PGP headers
> in their messages, knowing that most people who use PGP assume
> PGP-signed mail
> is from somebody genuine and whitelist it.
Surely you should check that:
a) The signature works
b) Is someone in your list of good keys
before whitelisting?
--
ApacheCon! 13-17 November! http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
More information about the cypherpunks-legacy
mailing list