On 3/5/2005 9:00 PM, Jeff Chan wrote:

> On Saturday, March 5, 2005, 11:24:25 AM, Eric Hall wrote:
>
>> On 3/4/2005 1:57 PM, Rob McEwen (PowerView Systems) wrote:
>>
>>> Quinlan: Any technique that tries to identify "good" mail without
>>> authentication backing it up, or some form of personalized
>>> training. It worked well for a while, but it's definitely not an
>>> effective technique today.

> Ones that have high false positives are given a low score or not used
> at all. Folks don't just make up rules and deploy them. The
> usefulness of the "official" rules is checked before they're released.

Yes, but we don't have very many of them. I don't mean "validate" by passing it through pre-release testing either (although that's certainly important), but instead mean that the message itself has to contain enough data for the marker to be validated. Whether this is an external agent that will validate some hash (as in the probable case of DK), or something in the message itself (a trusted relay says that a cert is good), or whatever, the important thing is the verification part (this is still different from authentication).

> nice thing is that SA lets us give them "relative goodness scores" and
> not an outright pass or fail, so they don't need to be perfect out of
> the box.

Yes, my point being that rather than saying "they are not useful" we really ought to be working hard on finding ways to add more of them, because it is their volume that makes them useful (otoh, having too many of them, such that the bar is lowered, is indeed bad).

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/