On Tue, Sep 8, 2020 at 1:30 PM Murray S. Kucherawy <superu...@gmail.com>
wrote:

> On Tue, Sep 8, 2020 at 5:09 AM Doug Foster <fosterd=
> 40bayviewphysicians....@dmarc.ietf.org> wrote:
>
>> However, I disagree about negative reputation. Content filtering alone
>> is insufficient and even more error prone. In the last year, I have had
>> spam campaigns about LED lighting, stand-up desks, touchless thermometers,
>> and knife sharpeners. I cannot anticipate all the ways that spammers will
>> hide their dirty deeds. But I know it is spam, not merely unwanted
>> advertising, because of receiving many similar messages from many different
>> domains using many different servers. Third-party RBLs help but are
>> insufficient. I am gradually building my own reputation database based on
>> the traffic that I am receiving. By blocking the problem sources, I have
>> been able to get the spam problem under something approaching good control.
>> Content filtering is a useful tool for day-zero detection of a new spam
>> source. Once a source is detected, it needs to be blocked.
>>
>> Whether a message passes SPF and DMARC criteria is part of my search
>> criteria for unwanted traffic, but definitely not the only one. As has
>> been observed, actual spoofing of the From address is not a huge part of my
>> problem at present. This is largely because spammers have easy enough
>> tools in Friendly Name spoofing and corporate logo misuse. But I also
>> attribute that low volume to the existence of SPF and DMARC.
>>
>
> Suppose I'm one of your touchless thermometer spammers.  Your system
> identifies me and the DKIM signing domain I'm using.  I notice, through
> well-established means, that my spam is no longer getting through to you.
> So I register a brand new junk domain name, perhaps sadehaiuhfiewn.com or
> whatever a few smashes of the keyboard yields, and start signing with that
> instead of whatever domain I was using before.  For a couple of bucks, I
> have now escaped my negative reputation in your system.  Maybe I bounce it
> through a botnet too, so that you can't catch me with an IP reputation
> either.
>
> Negative reputations are trivially shed.  It follows that it's not
> terribly useful to track them, at least not long-term.  You end up with
> records of spammy domains that you'll notice only sent mail for the
> shortest of time ranges, long enough to get in undetected or under the
> guise of "too new to block", and then abandoned when they stop working.
> Blocking domains you've never heard of before is often disruptive when,
> say, you join a loyalty program for some vendor you've never dealt with
> before and actually do want their mail, so you're between a rock and a hard
> place.
>
> Instead, positive reputations are the things on which you can reliably
> act, giving such messages preferential treatment.  It's generally a much
> higher bar, plus the namespace of domains that manage to earn positive
> reputations is small, and they tend to be well-behaved over longer periods
> of time.
>

I disagree; we track reputations both good and bad, and they are
incorporated in spam rules across the ladder.  A surprising number of
negative reputations are not shed, even at very-low... and sure, we do
sunset reputations that go unused.  At the very least, there is a time lag
before the spammer notices the effect and switches.

I mean, a blacklist is ultimately a determination that a reputation is so
low as to block completely, and that seems to be the main way that
anti-spam information is distributed and used by most medium to small
providers.

That set of botnet IPs definitely will get a low reputation themselves and
end up on blacklists.

And forcing the spammers to spend money on things like new domain names is
part of the benefit.

OTOH, we also don't believe in "too new to block", unknown reputation is a
great reason to apply throttling at the least.

Maybe some of this is large system stuff, where you can expect to see more
traffic and things don't tend to be unique... but of course we also get
complaints from very small volume folks as well.

Brandon
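A toy reputation store showing the mechanics the two replies argue about (scores for both good and bad behaviour, sunsetting unused entries, throttling unknown domains rather than treating them as "too new to block"). This is an added example, not code from the thread or from any mail provider; the score thresholds, the 30-day sunset window and the sample domains are assumptions.

```python
"""Minimal per-domain reputation store keyed by an authenticated identifier
(e.g. the DKIM d= domain). Thresholds and sunset window are assumed values."""
from dataclasses import dataclass
from typing import Callable, Dict

SUNSET_SECONDS = 30 * 86400  # assumed: forget a domain not seen in 30 days
BLOCK_BELOW = -5.0           # assumed: at or below this the domain is blacklisted
TRUST_ABOVE = 5.0            # assumed: at or above this the domain earns preference


@dataclass
class Rep:
    score: float
    last_seen: float


class ReputationStore:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock            # injectable clock so sunsetting is testable
        self.reps: Dict[str, Rep] = {}

    def observe(self, domain: str, authenticated: bool, is_spam: bool) -> None:
        """Record one verdict. Only an identifier the sender proved control of
        (SPF/DKIM pass) may carry reputation, or anyone could poison a score."""
        if not authenticated:
            return
        now = self.clock()
        rep = self.reps.setdefault(domain, Rep(0.0, now))
        rep.score += -3.0 if is_spam else 1.0  # spam costs more than ham earns
        rep.last_seen = now

    def sunset(self) -> int:
        """Drop entries unused for SUNSET_SECONDS; returns how many were removed."""
        cutoff = self.clock() - SUNSET_SECONDS
        stale = [d for d, r in self.reps.items() if r.last_seen < cutoff]
        for d in stale:
            del self.reps[d]
        return len(stale)

    def decide(self, domain: str) -> str:
        rep = self.reps.get(domain)
        if rep is None:
            return "throttle"  # unknown reputation: rate-limit, neither block nor trust
        if rep.score <= BLOCK_BELOW:
            return "block"
        if rep.score >= TRUST_ABOVE:
            return "prefer"
        return "accept"
```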
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc