On Tue, Sep 8, 2020 at 5:09 AM Doug Foster <fosterd=
40bayviewphysicians....@dmarc.ietf.org> wrote:

> However, I disagree about negative reputation.    Content filtering alone
> is insufficient and even more error prone.   In the last year, I have had
> spam campaigns about LED lighting, stand-up desks, touchless thermometers,
> and knife sharpeners.  I cannot anticipate all the ways that spammers will
> hide their dirty deeds.   But I know it is spam, not merely unwanted
> advertising, because of receiving many similar messages from many different
> domains using many different servers.   Third-party RBLs help but are
> insufficient.   I am gradually building my own reputation database based on
> the traffic that I am receiving.   By blocking the problem sources, I have
> been able to get the spam problem under something approaching good control.
>   Content filtering is a useful tool for day-zero detection of a new spam
> source.   Once a source is detected, it needs to be blocked.
>
> Whether a message passes SPF and DMARC criteria is part of my search
> criteria for unwanted traffic, but definitely not the only one.   As has
> been observed, actual spoofing of the From address is not a huge part of my
> problem at present.   This is largely because spammers have easy enough
> tools in Friendly Name spoofing and corporate logo misuse.   But I also
> attribute that low volume to the existence of SPF and DMARC.
>

Suppose I'm one of your touchless thermometer spammers.  Your system
identifies me and the DKIM signing domain I'm using.  I notice, through
well-established means, that my spam is no longer getting through to you.
So I register a brand new junk domain name, perhaps sadehaiuhfiewn.com or
whatever a few smashes of the keyboard yields, and start signing with that
instead of whatever domain I was using before.  For a couple of bucks, I
have now escaped my negative reputation in your system.  Maybe I bounce it
through a botnet too, so that you can't catch me with an IP reputation
either.

Negative reputations are trivially shed.  It follows that it's not terribly
useful to track them, at least not long-term.  You end up with records of
spammy domains that you'll notice only sent mail for the shortest of time
ranges, long enough to get in undetected or under the guise of "too new to
block", and then abandoned when they stop working.  Blocking domains you've
never heard of before is often disruptive when, say, you join a loyalty
program for some vendor you've never dealt with before and actually do want
their mail, so you're between a rock and a hard place.

Instead, positive reputations are the things on which you can reliably act,
giving such messages preferential treatment.  It's generally a much higher
bar, plus the namespace of domains that manage to earn positive reputations
is small, and they tend to be well-behaved over longer periods of time.

Content filtering is a different matter.  It's focused on what's in the
message, irrespective of where it came from.  But that's a whole new game
to play, and definitely not anything in which DMARC is interested.

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
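
The trade-off argued in the reply above can be sketched as a small per-domain history keyed on the DKIM signing domain. This is an added example, not part of either message; the log entries, the `.example` domains and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: (date received, DKIM d= domain, recipient flagged as spam)
LOG = [(date(2020, m, 1), "newsletter.example", False) for m in range(3, 9)] + [
    (date(2020, 8, 30), "junk-a.example", True),
    (date(2020, 8, 30), "junk-a.example", True),
    (date(2020, 8, 31), "junk-a.example", True),
]

# Assumed thresholds for earning a positive reputation (the "higher bar").
MIN_AGE_DAYS, MIN_MESSAGES, MAX_SPAM_RATE = 90, 5, 0.05

def build_history(log):
    """Aggregate first/last seen, volume and spam count per signing domain."""
    hist = defaultdict(lambda: {"first": None, "last": None, "n": 0, "spam": 0})
    for day, domain, is_spam in log:
        h = hist[domain]
        h["first"] = day if h["first"] is None else min(h["first"], day)
        h["last"] = day if h["last"] is None else max(h["last"], day)
        h["n"] += 1
        h["spam"] += int(is_spam)
    return dict(hist)

def lifespan_days(domain, hist):
    """Days between the first and last message seen from a domain."""
    return (hist[domain]["last"] - hist[domain]["first"]).days

def classify(domain, hist, today):
    """Return 'preferred', 'negative' or 'unknown' for a signing domain."""
    h = hist.get(domain)
    if h is None:
        return "unknown"  # never seen: domain reputation says nothing
    rate = h["spam"] / h["n"]
    age = (today - h["first"]).days
    if age >= MIN_AGE_DAYS and h["n"] >= MIN_MESSAGES and rate <= MAX_SPAM_RATE:
        return "preferred"
    return "negative" if rate > 0.5 else "unknown"

if __name__ == "__main__":
    hist, today = build_history(LOG), date(2020, 9, 8)
    for d in ("newsletter.example", "junk-a.example", "junk-b.example", "loyalty.example"):
        print(d, classify(d, hist, today))
```

The negative record for `junk-a.example` says nothing about the never-seen `junk-b.example`, which lands in the same "unknown" bucket as a legitimate first-time sender such as `loyalty.example`; only the long-lived, clean domain earns a verdict that is safe to act on.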
