Re: [Asrg] Development of an object assessment format/protocol

Martijn Grooten <martijn.grooten@virusbtn.com> Mon, 04 March 2013 18:28 UTC

Return-Path: <martijn.grooten@virusbtn.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F61D21F8DE5 for <asrg@ietfa.amsl.com>; Mon, 4 Mar 2013 10:28:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iVzKMoVfemPb for <asrg@ietfa.amsl.com>; Mon, 4 Mar 2013 10:28:40 -0800 (PST)
Received: from mx4.sophos.com (mx4.sophos.com [216.47.234.213]) by ietfa.amsl.com (Postfix) with ESMTP id 9418E21F8E0C for <asrg@irtf.org>; Mon, 4 Mar 2013 10:28:40 -0800 (PST)
Received: from mx4.sophos.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id F134B4E034C for <asrg@irtf.org>; Mon, 4 Mar 2013 18:28:38 +0000 (GMT)
Received: from ABN-EXCH1A.green.sophos (abn-exch1a.green.sophos [10.100.70.61]) by mx4.sophos.com (Postfix) with ESMTPS id 7C29E4E0343 for <asrg@irtf.org>; Mon, 4 Mar 2013 18:28:38 +0000 (GMT)
Received: from abn-exch1b.green.sophos ([fe80::dc96:facf:3d2c:c352]) by ABN-EXCH1A.green.sophos ([fe80::67:3150:dacd:910d%15]) with mapi id 14.02.0328.009; Mon, 4 Mar 2013 18:28:37 +0000
From: Martijn Grooten <martijn.grooten@virusbtn.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Thread-Topic: [Asrg] Development of an object assessment format/protocol
Thread-Index: AQHOGNxQAb9aIe4DYkedCXol+NqIjpiVkAvAgAAxlwCAAAvtcA==
Date: Mon, 04 Mar 2013 18:28:36 +0000
Message-ID: <0D79787962F6AE4B84B2CC41FC957D0B20C05B52@abn-exch1b.green.sophos>
References: <20130304132924.GA27928@gsp.org> <0D79787962F6AE4B84B2CC41FC957D0B20C05A58@abn-exch1b.green.sophos> <5134D304.5040702@bofhland.org>
In-Reply-To: <5134D304.5040702@bofhland.org>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.100.110.133]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Asrg] Development of an object assessment format/protocol
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2013 18:28:41 -0000

Emanuele Balla (aka Skull) wrote:
> Straight to the point: abusive URLs on legit domains. There's no
> (easy/effective) way to encode an entire URL in a DNS request.
> At least, that's the reason why I've been thinking about this topic for the last
> 4 years... :-\

Can't you just use HTTP for that? There is an easy and effective way to encode URLs in HTTP - and HTTP is pretty good at returning all sorts of responses: a single character (0=good, 1=bad), some XML, some JSON, something else. There is obviously some overhead from the TCP connection and the request and response headers, but I wonder if there are many cases in which:
- this overhead is a huge problem;
- the request can't easily be 'encoded' into DNS.

Rich's examples all seem pretty easy to encode into DNS, but more importantly, to me they shout for HTTP POST. When Rich's idea of asking for context (expiration time, range to which the answer applies) is used well, it could actually save you a lot of further requests.

Note: some web proxies are already using HTTP to make requests about whether a particular URL is bad. In web proxies time really does matter (delaying all web pages by a second seriously affects perceived performance).

Martijn.


________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
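The HTTP exchange Martijn sketches above (POST a URL, get back a verdict plus the context Rich asked for: how long the answer is valid and which range of URLs it covers), written out as an added example. This is not code from the ASRG thread or from any product; the JSON field names ("verdict", "applies_to", "expires"), the "now" request field, the blocklist contents and the "urlcheck.example" zone are assumptions made for illustration. The first function also shows the DNS side of Emanuele's point: a base32-encoded URL fits under a query zone only while it is short, and a typical path-plus-query URL overruns the name limit.

```python
"""URL assessment over HTTP with a verdict plus context (expiry, prefix).

Added example, not code from the ASRG thread or any product. The JSON
request/response shape, the field names ("verdict", "applies_to",
"expires") and the blocklist contents are assumptions made for illustration.
"""
import base64
import json
import time
import urllib.request
from urllib.parse import urlsplit

# --- Why DNS is awkward for whole URLs ---------------------------------------
MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # longest presentation-format name that fits the wire limit

def dns_query_name(url: str, zone: str):
    """Encode a URL as a DNS name under `zone` (base32: case-insensitive,
    so it survives 0x20 mixing and caching). Returns None when the result
    would exceed the DNS name limit, which is the usual case for URLs that
    carry long paths or query strings."""
    b32 = base64.b32encode(url.encode()).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [zone])
    return name if len(name) <= MAX_NAME else None

# --- Server side -------------------------------------------------------------
# Constructed blocklist: (host, path prefix) -> (verdict, TTL in seconds)
BAD_PREFIXES = {
    ("files.example.net", "/share/abc/"): ("bad", 3600),
}

def assess(body: bytes) -> bytes:
    """Handle one POST body {"url": ..., "now": ...} and return a JSON verdict.
    "now" is an optional hypothetical field so the demo is deterministic;
    a real service would use its own clock."""
    req = json.loads(body)
    parts = urlsplit(req["url"])
    now = req.get("now", time.time())
    key = f"{parts.hostname}{parts.path}"
    for (host, prefix), (verdict, ttl) in BAD_PREFIXES.items():
        if parts.hostname == host and parts.path.startswith(prefix):
            # The answer covers the whole prefix, not just this one URL.
            return json.dumps({"verdict": verdict, "applies_to": host + prefix,
                               "expires": now + ttl}).encode()
    # Unknown URL: "good" for a short while, for this exact path only.
    return json.dumps({"verdict": "good", "applies_to": key,
                       "expires": now + 300}).encode()

# --- Client side -------------------------------------------------------------
def http_transport(endpoint: str):
    """Real transport: POST the JSON body to `endpoint` (not used in the demo)."""
    def send(body: bytes) -> bytes:
        req = urllib.request.Request(endpoint, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.read()
    return send

class AssessmentClient:
    """Caches answers by the prefix they apply to until they expire, so one
    verdict can settle many later URLs without another round trip."""
    def __init__(self, transport):
        self.transport = transport      # callable(body: bytes) -> bytes
        self.cache = []                 # entries: (applies_to, verdict, expires)
        self.requests_sent = 0

    def lookup(self, url: str, now=None) -> str:
        now = time.time() if now is None else now
        parts = urlsplit(url)
        key = f"{parts.hostname}{parts.path}"
        self.cache = [e for e in self.cache if e[2] > now]    # drop expired
        for applies_to, verdict, _ in self.cache:
            if key.startswith(applies_to):
                return verdict                                 # answered locally
        self.requests_sent += 1
        body = json.dumps({"url": url, "now": now}).encode()
        resp = json.loads(self.transport(body))
        self.cache.append((resp["applies_to"], resp["verdict"], resp["expires"]))
        return resp["verdict"]

if __name__ == "__main__":
    client = AssessmentClient(assess)   # in-process stand-in for the HTTP hop
    for u in ("http://files.example.net/share/abc/invoice.exe",
              "http://files.example.net/share/abc/other.zip",
              "http://www.example.org/index.html"):
        print(u, "->", client.lookup(u, now=1000))
    print("requests sent:", client.requests_sent)
```

With `assess` plugged in directly the demo needs no network; swapping in `http_transport("http://assessor.example/check")` turns the same client into a real HTTP POST caller. The second URL under the blocked prefix is answered from the cache, which is the saving Martijn points to when the response carries an expiry and the range it applies to.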