North American Network Operators Group


Re: Lazy network operators - NOT

  • From: Sean Donelan
  • Date: Sun Apr 18 20:05:53 2004

On Sun, 18 Apr 2004, Alex Bligh wrote:
> Whilst that may give you some heuristic help, I'm not sure
> about the language. HINFO used that way neither /authenticates/
> the address (in any meaningful manner as the reverse DNS holder
> can put in whatever they like), nor does it /authenticate/ the
> user (which some might characterize as the problem). Given it
> is a widely held view (IMHO correct) that using network layer
> addressing for authentication is broken, I think your suggestion
> would probably be better received if you described this as a
> heuristic mechanism.

Actually it's neither an "authentication" nor a heuristic method.

Its purpose is to provide better information so you can make a
decision.  It's similar to using SPF to provide information about
addresses used to send mail containing particular domain names.
For example if VIX.COM had SPF records for its domain, other people
could check the SPF records and not send anti-virus bounce messages
when mail didn't originate from VIX.COM SPF listed systems.

HINFO (or RWHOIS or LDAP or whatever) provides more general information
from the network operator about addresses.  There are more network
protocols than just e-mail. Some people try to infer information from the
host name, e.g. does it contain the letters ppp or dsl or cable.  Or they
try looking up addresses in various third-party lists which may be out of
date or difficult to correct; and doesn't fix the other third-party list
which copied portions of someone else's list.

Yes, I'm aware of the limitations.  But my goal is to split the problem
up, and give each party some benefit to doing their part.  The current
practice of blaming one party for all the world's problems isn't working.

> Speaking of which, we get lots of proposed heuristic solutions
> suggested. Has anyone actually done any formal evaluation of
> the statistics behind this? For instance looked at a statistical
> correlation between DUL listed entries and spam, extrapolated
> to determine what would be the effect if all dialup blocks were
> listed, and done proper significance testing etc.? Ditto any
> of the other techniques Paul's greylisting paper refers to. If not,
> sounds like a useful academic research paper. Hardly like we
> are short of data points.

Yes, but not complete.

The longest on-going analysis is published at
http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html

He lists how many messages would be blocked by each type of blacklist.
He doesn't look at false positives.

There are also various whitepapers published by vendors.

Be careful about the slice and dice effect.  Depending on how you divide
up the numbers you can make anything come out on top.  In some sense
the problem is a lot worse.  It's not just spam, worms, viruses.  It's not
just residential broadband users.  It's not even just Microsoft Windows.
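
The measurement point raised in this message (blocked-message counts without false positives, and the slice and dice effect), as an added example that is not part of the original post. The message counts are constructed, and `open_relay` is a hypothetical list name used only for comparison with the DUL mentioned in the thread.

```python
from collections import defaultdict

# Constructed sample: (source_type, is_spam, lists that flag the sending address).
# "open_relay" is a hypothetical list name; all counts are made up for illustration.
SAMPLE = (
    [("dialup", True, {"dul"})] * 40
    + [("dialup", False, {"dul"})] * 10
    + [("server", True, {"open_relay"})] * 30
    + [("server", True, set())] * 10
    + [("server", False, {"open_relay"})] * 2
    + [("server", False, set())] * 58
)

def rates(messages, list_name):
    """Return (catch_rate, false_positive_rate) for one list over messages."""
    spam = [m for m in messages if m[1]]
    ham = [m for m in messages if not m[1]]
    caught = sum(1 for m in spam if list_name in m[2])
    wrongly = sum(1 for m in ham if list_name in m[2])
    catch = caught / len(spam) if spam else 0.0
    fp = wrongly / len(ham) if ham else 0.0
    return catch, fp

def by_slice(messages, list_name):
    """Same measurement split by source type, to expose the slicing effect."""
    groups = defaultdict(list)
    for m in messages:
        groups[m[0]].append(m)
    return {k: rates(v, list_name) for k, v in groups.items()}

if __name__ == "__main__":
    for name in ("dul", "open_relay"):
        catch, fp = rates(SAMPLE, name)
        print(f"{name}: overall catch={catch:.2f} false_positive={fp:.2f}")
        for source, (c, f) in sorted(by_slice(SAMPLE, name).items()):
            print(f"  {source}: catch={c:.2f} false_positive={f:.2f}")
```

On this sample the DUL-style list blocks the most spam overall, yet it also flags every legitimate dialup message, and within the server slice the ranking of the two lists reverses.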