SPF for forgery prevention (was Re: [linux-elitists] http get vs post...)

Karsten M. Self kmself@ix.netcom.com
Sat Oct 25 19:11:15 PDT 2003


on Sat, Oct 25, 2003 at 02:03:36PM -0700, Josh Neal (josh@unixmercenary.net) wrote:
> On Sat, Oct 25, 2003 at 04:15:15AM +0100, Karsten M. Self wrote:
> > 
> > Better:  come up with a system that works, immediately, if _one_ end of
> > the system is smart, isn't vulnerable to misleading information from a
> > remote host.  And has minimal downsides in the event someone's
> > wires get crossed over whether or not a host is valid.
> 
> Isn't this what http://www.senderbase.org/ provides?
> 
> [ Disclaimer: my $DAYJOB is with IronPort ]

You need to improve your marketing.  I wasn't aware of this.

And in answer to your question:  not quite.

Example:  this IP turned up in a spam I received today:

    http://www.senderbase.org/search?searchString=66.139.118.63

Senderbase tells me some interesting things, notably that the volume
change in the past day has increased 8212%, which would seem to be
significant, 341% in the past 30 days.  Seems highly probable that the
host has been compromised and is being used as a spam proxy.

There's some other useful information -- the registrant is Security
Bancshares, Inc, the domain is swbell.net, it's part of a /25,
geographical location is Plano, TX 75075.

What I *don't* get, however, is what I specifically mentioned:  the
spamminess/hamminess of the IP.  There _is_ useful information which can
help confirm suspicions (e.g.:  the sudden burst in traffic on this IP),
but I don't see the specific information which would be most helpful.

This is supported by the Help page of SenderBase:

    Identity-based - Rather than looking at message content, SenderBase
    provides information on the source of the email. The service is
    built around the one piece of information in an email that is almost
    impossible to spoof - the sending IP addresses - so mail
    administrators can rely on SenderBase to make accurate decisions
    about incoming mail.

What I'm looking at is:

  - Originator based:  key information to the originating IP.  As
    SenderBase notes, this is the _one_ authoritative piece of
    information on an incoming message.

  - History based:  classification is determined by the known history of
    an originating IP, specifically known to a given site or its trusted
    history-sharing peers.

  - Localized spam definition:  the spam classifier can be any tool
    chosen by a given site.  I lean strongly toward Bayesian classifiers
    and multiple-mode, flexible scoring tools such as SpamAssassin, but
    the choice is really open.  The only issue that matters is that the
    result be a score of spam vs. non-spam, and that this match the
    receiving site's needs.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    "Charming man," he said. "I wish I had a daughter so I could forbid
    her to marry one ..."
    -- HHGTG
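The originator-based, history-based scheme sketched in the three points above, as an added example that is not part of the original post or of SenderBase: the site keys a spam/ham history to the originating IP, optionally merges a trusted peer's history, and plugs in its own classifier score. The IPs, counts and the smoothing prior are constructed assumptions.

```python
"""Sketch of a per-site IP reputation history (added example, not from the
post). Verdicts come from whatever local classifier the site chooses; the
history only records and smooths them per originating IP."""
from collections import defaultdict
from typing import Dict, Tuple

# history[ip] = (spam_count, ham_count), keyed only by the originating IP
History = Dict[str, Tuple[int, int]]


def new_history() -> History:
    return defaultdict(lambda: (0, 0))


def record_verdict(history: History, ip: str, is_spam: bool) -> None:
    """Store the local classifier's verdict against the originating IP."""
    spam, ham = history[ip]
    history[ip] = (spam + 1, ham) if is_spam else (spam, ham + 1)


def merge_peer(history: History, peer: History) -> None:
    """Fold in counts from a trusted history-sharing peer."""
    for ip, (peer_spam, peer_ham) in peer.items():
        spam, ham = history[ip]
        history[ip] = (spam + peer_spam, ham + peer_ham)


def reputation(history: History, ip: str,
               prior: float = 0.5, weight: int = 2) -> float:
    """Smoothed spam probability for an IP. An IP with no history returns
    the prior, so an unknown host is neither trusted nor blocked outright
    (the 'minimal downside' when nobody knows the host yet)."""
    spam, ham = history.get(ip, (0, 0))
    return (spam + prior * weight) / (spam + ham + weight)


def classify(history: History, ip: str, local_spam_score: float,
             threshold: float = 0.5) -> bool:
    """Average the site's own classifier score (0..1, assumed) with the IP's
    known history, then record the outcome so the history keeps learning."""
    combined = (local_spam_score + reputation(history, ip)) / 2
    is_spam = combined >= threshold
    record_verdict(history, ip, is_spam)
    return is_spam
```

Only the receiving site needs to run this; nothing is asked of the remote host, which is the "one smart end" property the thread is after.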