Re: [Asrg] whitelisting links (was Re: misconception in SPF)

Martijn Grooten <martijn.grooten@virusbtn.com> Mon, 10 December 2012 20:48 UTC

Return-Path: <martijn.grooten@virusbtn.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9957B21F868E for <asrg@ietfa.amsl.com>; Mon, 10 Dec 2012 12:48:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.413
X-Spam-Level:
X-Spam-Status: No, score=-10.413 tagged_above=-999 required=5 tests=[AWL=0.186, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O5vFFJ8RUqXb for <asrg@ietfa.amsl.com>; Mon, 10 Dec 2012 12:48:18 -0800 (PST)
Received: from mx6.sophos.com (mx6.sophos.com [195.171.192.176]) by ietfa.amsl.com (Postfix) with ESMTP id 40A1521F8646 for <asrg@irtf.org>; Mon, 10 Dec 2012 12:48:14 -0800 (PST)
Received: from mx6.sophos.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 661C775189B for <asrg@irtf.org>; Mon, 10 Dec 2012 20:48:12 +0000 (GMT)
Received: from abn-exch1b.green.sophos (unknown [10.100.70.62]) by mx6.sophos.com (Postfix) with ESMTPS id 39262751794 for <asrg@irtf.org>; Mon, 10 Dec 2012 20:48:12 +0000 (GMT)
Received: from ABN-EXCH1A.green.sophos ([fe80::67:3150:dacd:910d]) by abn-exch1b.green.sophos ([fe80::dc96:facf:3d2c:c352%17]) with mapi id 14.02.0247.003; Mon, 10 Dec 2012 20:48:12 +0000
From: Martijn Grooten <martijn.grooten@virusbtn.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Thread-Topic: [Asrg] whitelisting links (was Re: misconception in SPF)
Thread-Index: AQHN1vYbjsWeST+ksEyDfvs1anZEDJgSRLgAgAARP0mAACTKAIAAAl5z
Date: Mon, 10 Dec 2012 20:48:11 +0000
Message-ID: <0D79787962F6AE4B84B2CC41FC957D0B20AD737F@ABN-EXCH1A.green.sophos>
References: <20121206212116.10328.qmail@joyce.lan> <50C1A95A.5000001@pscs.co.uk> <50C4A7F8.3010201@dcrocker.net> <CAFdugamTbTirVV2zXKOmc9oTaCS+QiTemhT=jvYJnHYscHQK7g@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACE6D0@ABN-EXCH1A.green.sophos> <20121209213307.D90C12429B@panix5.panix.com> <CAFduganBR_E-ui-3Xbic6F7qSmg1-Q+ideXLvb+1isLz8OF0Nw@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACFFE1@ABN-EXCH1A.green.sophos> <50C5A9A0.105@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD01B2@ABN-EXCH1A.green.sophos> <20121210145627.GA21217@gsp.org> <50C6121D.9040607@dcrocker.net>, <50C617A2.8090602@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD5E36@ABN-EXCH1A.green.sophos>, <50C644F6.3090901@pscs.co.uk>
In-Reply-To: <50C644F6.3090901@pscs.co.uk>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.100.64.11]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Asrg] whitelisting links (was Re: misconception in SPF)
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 20:48:18 -0000

>  Remember, the idea wasn't to have a 'global' list of 'good domains', but
> ones which the *user* has whitelisted, so the user recognises them.

OK - I see what is meant now.

Still, how often does the average user visit a domain they've not visited before? For if they constantly have to approve 'new' websites, they're either going to turn the warnings off or they're going to ignore them, which defeats the point.

Note that it is not uncommon for example.com to use iframes that load stuff from the apparently unrelated example.org. This is also commonly used by malicious sites. If a user visits a 'new' site using iframes, should such a system warn against all the domains used by the iframes?

Again, there are a lot of web filters already out there. Can someone explain either why the problem we're trying to solve here is different than the one they attempt to solve or, if it isn't, why our solution will be better?

Martijn.

________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.