Re: [Endymail] spam versus cleartext

"John Levine" <johnl@taugh.com> Sun, 07 September 2014 17:02 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: endymail@ietfa.amsl.com
Delivered-To: endymail@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 609BE1A02FC for <endymail@ietfa.amsl.com>; Sun, 7 Sep 2014 10:02:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.163
X-Spam-Level: **
X-Spam-Status: No, score=2.163 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_46=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9N1Co4YeG66A for <endymail@ietfa.amsl.com>; Sun, 7 Sep 2014 10:02:32 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 127681A0476 for <endymail@ietf.org>; Sun, 7 Sep 2014 10:02:31 -0700 (PDT)
Received: (qmail 65895 invoked from network); 7 Sep 2014 17:02:29 -0000
Received: from miucha.iecc.com (64.57.183.18) by mail1.iecc.com with QMQP; 7 Sep 2014 17:02:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=3a29.540c8fa5.k1409; i=johnl@user.iecc.com; bh=llF5RGPcbmY3u8+Pkol7FRCk01nZpis1wVrsyVunJ4U=; b=zscptxdY9mz79s/B/dS6QQYM+dQ1jsiD4ml/eZ/5Kpogm0khaEgDkhzYasn2GM4FZF8cIlgp5UkUfpObfz/Tqg2EGmDzBlMIYRV63ZS6Muttfghh9WFrnqqRY0bGR2buxQkXRPFgGxte5clrxUYrlVzy0yZTLvX9IWQL3KVhX8JSFNDejELH23zrRq0JyyqWrM7xCjkPQDXldoSkPt/gM4gUo88tG2szTggep1E6JH1BNiOj6xuTl5WveUxeckJ4
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=3a29.540c8fa5.k1409; olt=johnl@user.iecc.com; bh=llF5RGPcbmY3u8+Pkol7FRCk01nZpis1wVrsyVunJ4U=; b=dE0B+b8uCdFp19cRokC4C5vWBl5Rtkjn/KPoa8WrnKRUrmLT2vhWl3EDr/GDZN9yWIQur7345hqQ7VbG8kL0B1x+FL7vbyB0MTBAtC7lqccXJlddvE51nbjJ1hsz5L94ERmnWyGg9exABQXvhR4Ic8LEg+FdDy63LzxYw4YW2Oqml7GMuZmYvWLsXCw24cslvukpZLYa965xEA6aTdUH6UHTTYYbgz92qudclugJSvn/78AM2iunbnB7Ap6j0YyJ
Date: 7 Sep 2014 17:02:07 -0000
Message-ID: <20140907170207.14888.qmail@joyce.lan>
From: "John Levine" <johnl@taugh.com>
To: endymail@ietf.org
In-Reply-To: <CACsn0cka7oDGi=UzSnM96+18QZ8U-1mADOn_ieVZZ6a+m5wUrw@mail.gmail.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/endymail/Y_UzBNQnhAToprUHLwoE6B9OFLc
Cc: watsonbladd@gmail.com
Subject: Re: [Endymail] spam versus cleartext
X-BeenThere: endymail@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <endymail.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/endymail>, <mailto:endymail-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/endymail/>
List-Post: <mailto:endymail@ietf.org>
List-Help: <mailto:endymail-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/endymail>, <mailto:endymail-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Sep 2014 17:02:33 -0000

>To connect to server side filtering, the filtering engine on the
>server just needs to put probabilities it thinks that the message is
>spam in the headers, as well as have a standardized means for the
>client to report spam or ham. This doesn't seem that complicated: just
>a double and some sort of forwarding info to get the backchannel.
>(This assumes naive Bayes as a filter design)

Keeping in mind that upwards of 90% of mail is spam, you're going to
be downloading an order of magnitude more mail if you do the filtering
on the end device.  On a desktop with a cable connection that's
probably OK.  On my phone, it's not.

>True: how much does DKIM+sender based blacklists do vs. filtering
>based on content?

In terms of volume, IP blacklists are still by far the most effective,
since they knock out most botnet spam.  Other than DMARC, which is a
separate can of worms, I don't know of anyone who does message
rejection based on DKIM signatures.  There's a whole lot of body
filtering going on.

R's,
John
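
As an added example (not part of John's message, and not the list's or
anyone's filtering software), the following Python pulls apart the
DKIM-Signature and X-Spam-Status headers the archive recorded on this very
message.  It does not verify the signatures, which would need the keys
published in DNS; it only parses the tag lists, checks DMARC-style
identifier alignment between each signature's d= domain and the From:
domain (the check that makes DMARC "a separate can of worms" from plain
DKIM), and reads back how much the DKIM rules actually contributed to the
spam score compared with the content and IP based rules.  The embedded
headers are a constructed subset of those shown above with the b= values
truncated; org_domain() is a deliberately crude stand-in for the public
suffix list that real DMARC implementations use.

```python
"""Pull apart the DKIM-Signature and X-Spam-Status headers of the archived
message above.  Added example, not part of the original post or of any
filtering software: it does not verify the signatures (that needs the DNS
published keys), it only parses the tag lists and checks DMARC-style
identifier alignment between each d= and the RFC5322.From domain."""
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the archived message above (a constructed subset: the
# b= values are truncated because nothing here verifies them).
RAW_HEADERS = """\
From: "John Levine" <johnl@taugh.com>
To: endymail@ietf.org
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com;
 h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding;
 s=3a29.540c8fa5.k1409; i=johnl@user.iecc.com;
 bh=llF5RGPcbmY3u8+Pkol7FRCk01nZpis1wVrsyVunJ4U=; b=zscptxdY9mz79s/B/dS6QQYM
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com;
 h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding;
 s=3a29.540c8fa5.k1409;
 bh=llF5RGPcbmY3u8+Pkol7FRCk01nZpis1wVrsyVunJ4U=; b=dE0B+b8uCdFp19cRokC4C5vW
X-Spam-Status: No, score=2.163 tagged_above=-999 required=5
 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_46=0.6,
 SPF_PASS=-0.001] autolearn=no

"""


def load_message():
    """Parse the constructed headers into an email.message.Message."""
    return message_from_string(RAW_HEADERS)


def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict.

    Folding whitespace inside a value (typical for b= and bh=) is dropped,
    which is what a verifier does before base64-decoding them."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def org_domain(domain):
    """Organisational domain, approximated as the last two labels.

    Assumption: real DMARC uses the public suffix list; this heuristic is
    only right for plain .com/.org style names like the ones above."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def dkim_alignment(msg):
    """For each DKIM-Signature, report whether its d= aligns with From:.

    DMARC only counts a DKIM pass if d= aligns with the RFC5322.From domain:
    'strict' means identical, 'relaxed' means same organisational domain."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        d = tags.get("d", "").lower()
        results.append({
            "d": d,
            "s": tags.get("s"),
            "strict": d == from_domain,
            "relaxed": org_domain(d) == org_domain(from_domain),
        })
    return results


def parse_spam_status(value):
    """Parse an amavisd/SpamAssassin style X-Spam-Status header."""
    flat = re.sub(r"\s+", " ", value)
    m = re.match(r"(Yes|No), score=(-?[\d.]+) .*?required=(-?[\d.]+) "
                 r"tests=\[(.*?)\]", flat)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    tests = {}
    for item in m.group(4).split(","):
        name, _, score = item.strip().partition("=")
        tests[name] = float(score)
    return {"flagged": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}


def dkim_contribution(tests):
    """Net score the DKIM_* rules contributed, i.e. how much the signature
    moved the verdict compared with the content and IP based rules."""
    return sum(v for k, v in tests.items() if k.startswith("DKIM_"))


if __name__ == "__main__":
    msg = load_message()
    for r in dkim_alignment(msg):
        print("d=%(d)s s=%(s)s strict=%(strict)s relaxed=%(relaxed)s" % r)
    status = parse_spam_status(msg["X-Spam-Status"])
    print("score %.3f of %.0f needed; DKIM rules contributed %.1f" %
          (status["score"], status["required"],
           dkim_contribution(status["tests"])))
```

Run stand-alone it reports that only the second signature (d=taugh.com)
aligns with the From: domain, that the listed rule scores add up to the
recorded 2.163, and that the three DKIM_* rules net out to -0.1 of that,
with the Bayes, HELO/host mismatch and body rules supplying the rest.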