IETF Logo Mail Archive

Re: [Asrg] Statistical Analysis shows SPF should work Pretty Well

Yakov Shafranovich <research@solidmatrix.com> Fri, 13 June 2003 09:06 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA25870 for <asrg-archive@odin.ietf.org>; Fri, 13 Jun 2003 05:06:30 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h5D962421517 for asrg-archive@odin.ietf.org; Fri, 13 Jun 2003 05:06:02 -0400
Received: from ietf.org (lists.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5D962m21514 for <asrg-web-archive@optimus.ietf.org>; Fri, 13 Jun 2003 05:06:02 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA25818; Fri, 13 Jun 2003 05:05:59 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19QkTQ-0002xe-00; Fri, 13 Jun 2003 05:03:52 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19QkTP-0002xb-00; Fri, 13 Jun 2003 05:03:51 -0400
Received: from optimus.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5D2x2a15117; Thu, 12 Jun 2003 22:59:02 -0400
Received: from ietf.org (lists.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h5D2wUm15096 for <asrg@optimus.ietf.org>; Thu, 12 Jun 2003 22:58:30 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA06222 for <asrg@ietf.org>; Thu, 12 Jun 2003 22:58:26 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19Qejk-0000VN-00 for asrg@ietf.org; Thu, 12 Jun 2003 22:56:20 -0400
Received: from 000-236-176.area5.spcsdns.net ([68.27.161.211] helo=68.27.161.211 ident=trilluser) by ietf-mx with smtp (Exim 4.12) id 19Qeji-0000VI-00 for asrg@ietf.org; Thu, 12 Jun 2003 22:56:19 -0400
Message-Id: <5.2.0.9.2.20030612224337.00b9d768@std5.imagineis.com>
X-Sender: research@solidmatrix.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
To: mengwong@dumbo.pobox.com, asrg@ietf.org, Peter Kay <peter@titankey.com>
From: Yakov Shafranovich <research@solidmatrix.com>
Subject: Re: [Asrg] Statistical Analysis shows SPF should work Pretty Well
In-Reply-To: <20030612202450.1BC97DE41@dumbo.pobox.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-MimeHeaders-Plugin-Info: v2.03.00
X-GCMulti: 1
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Thu, 12 Jun 2003 22:58:04 -0400

At 04:24 PM 6/12/2003 -0400, Meng Weng Wong wrote:
>[..]
>    Matching sender domain with client IP is a strong predictor of spamminess.

We already know that, that's why people are pushing the RMX-like proposals 
to make sure that the basic flaw in SMTP is taken care off. However, there 
are still some gray areas such as people who are traveling, and domains 
providing email service for other domains.

>[..]
>  The classifier scheme is described at
>http://dumbo.pobox.com/spam-sensor/.

Your classifier scheme seems to work similar to the scheme used by 
TitanKey's system. In TitanKey's system, a "550" is issued to every message 
based on the assumption that spammers clean their lists because of SMTP 
errors. Then a challenge is issued to the receiver and the regular C/R 
process takes off. In your system, a "4xx" transient error code is issued. 
This is based on the assumption that:
o Spammers won't retry after they get a deferral

During the discussion about TitanKey's system, many people have stated that 
these basic assumptions have no valid data backing them up. Unless someone 
here is an "honest" spammer [sic], no one in the group can really provide 
any data as to what goes on behind the scenes on the spammer side. The 
advantage of your system is the same as TitanKey: the message is rejected 
before its received, thus reducing costs of dealing with storing the 
processing such message. However, whether the assumption here tends to be 
correct or not, is beginning to crop up all over, like you mentioned on 
your page. It would be interesting to see what spammers are doing but in 
any case this solution is probably a temporary fix.

>Conclusion 1: aol, hotmail, and yahoo have successfully implemented
>outbound antispam technology, ie. ways to ensure that only humans sign
>up for their accounts, or limits on per-account outbound message volume.

See my previous message some time ago about Hotmail's scripting abilities. 
Providers, especially the free ones, have a long way to go to reduce 
outbound message volume.

>[..]
>
>Conclusion 2: Client IPs whose PTR do not match their sender domains are
>more likely to be spam than not.

That's why AOL rejects email from addresses without PTRs (see 
http://postmaster.info.aol.com/standards.html)

>But that means a scheme like SPF/DMP/RMX should work nicely.

It is very useful to see real-life data once in a while. Thanks.

Yakov


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

v2.31.3 | Report a Bug | By Email | System Status