SPF for forgery prevention (was Re: [linux-elitists] http get vs post...)
Karsten M. Self
Sat Oct 25 19:11:15 PDT 2003
on Sat, Oct 25, 2003 at 02:03:36PM -0700, Josh Neal (firstname.lastname@example.org) wrote:
> On Sat, Oct 25, 2003 at 04:15:15AM +0100, Karsten M. Self wrote:
> > Better: come up with a system that works, immediately, if _one_ end of
> > the system is smart, isn't vulnerable to misleading information from a
> > remote host. And has minimal downsides in the event someone's
> > wires get crossed over whether or not a host is valid.
> Isn't this what http://www.senderbase.org/ provides?
> [ Disclaimer: my $DAYJOB is with IronPort ]
You need to improve your marketing. I wasn't aware of this.
And in answer to your question: not quite.
Example: this IP turned up in a spam I received today:
Senderbase tells me some interesting things, notably that the volume
change in the past day has increased 8212%, which would seem to be
significant, 341% in the past 30 days. Seems highly probable that the
host has been compromised and is being used as a spam proxy.
There's some other useful information -- the registrant is Security
Bancshares, Inc, the domain is swbell.net, it's part of a /25,
geographical location is Plano, TX 75075.
What I *don't* get, however, is what I specifically mentioned: the
spamminess/hamminess of the IP. There _is_ useful information which can
help confirm suspicions (e.g.: the sudden burst in traffic on this IP),
but I don't see the specific information which would be most helpful.
This is supported by the Help page of SenderBase:
Identity-based - Rather than looking at message content, SenderBase
provides information on the source of the email. The service is
built around the one piece of information in an email that is almost
impossible to spoof - the sending IP addresses - so mail
administrators can rely on SenderBase to make accurate decisions
about incoming mail.
What I'm looking at is:
- Originator based: key information to the originating IP. As
SenderBase notes, this is the _one_ authoritative piece of
information on an incoming message.
- History based: classification is determined by the known history of
an originating IP, specifically known to a given site or its trusted
- Localized spam definition: the spam classifier can be any tool
chosen by a given site. I lean strongly toward Bayesian classifiers
and multiple-mode, flexible scoring tools such as SpamAssassin, but
the choice is really open. The only issue that matters is that the
result be a score of spam vs. non-spam, and that this match the
receiving site's needs.
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
"Charming man," he said. "I wish I had a daughter so I could forbid
her to marry one ..."
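An added illustration of the three properties listed in the message above (originating IP as the key, a history of verdicts known to the receiving site, and a site-chosen classifier whose score is the only thing consulted), written for this archive entry and not code from the poster, SenderBase or IronPort. The address 192.0.2.10, the day labels and the scores are constructed sample data; the cutoff of 5.0 mimics a SpamAssassin-style score but is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class IPHistory:
    spam: int = 0                                 # verdicts of "spam" from the site's classifier
    ham: int = 0                                  # verdicts of "ham"
    per_day: dict = field(default_factory=dict)   # day label -> messages seen from this IP


class OriginatorReputation:
    """Per-site reputation keyed on the originating IP, the one field that is
    hard to spoof. Which classifier produced the score is the site's choice;
    only the resulting spam/ham outcome is stored."""

    def __init__(self, spam_threshold=5.0, prior=1.0):
        self.spam_threshold = spam_threshold  # assumed SpamAssassin-style cutoff
        self.prior = prior                    # Laplace prior: an unseen IP scores 0.5
        self.history = defaultdict(IPHistory)

    def record(self, ip, day, score):
        h = self.history[ip]
        if score >= self.spam_threshold:
            h.spam += 1
        else:
            h.ham += 1
        h.per_day[day] = h.per_day.get(day, 0) + 1

    def spamminess(self, ip):
        """Fraction of this site's history with the IP that was spam, smoothed toward 0.5."""
        h = self.history[ip]
        return (h.spam + self.prior) / (h.spam + h.ham + 2 * self.prior)

    def volume_change_pct(self, ip, day, baseline_days):
        """Percent change of one day's volume against the mean of the baseline days,
        the kind of sudden burst that confirms a suspicion about a host."""
        h = self.history[ip]
        today = h.per_day.get(day, 0)
        if not baseline_days:
            return 0.0
        mean = sum(h.per_day.get(d, 0) for d in baseline_days) / len(baseline_days)
        if mean == 0:
            return float("inf") if today else 0.0
        return (today - mean) / mean * 100.0


def build_sample():
    """Constructed history for 192.0.2.10 (documentation range, not a real host):
    one ham a day for three days, then ten spams on the fourth day."""
    repo = OriginatorReputation()
    for day in ("2003-10-22", "2003-10-23", "2003-10-24"):
        repo.record("192.0.2.10", day, 1.2)
    for _ in range(10):
        repo.record("192.0.2.10", "2003-10-25", 8.4)
    return repo
```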