[Mimedefang] IP Reputation data collection (announcement, Internet draft)
Kevin A. McGrail
KMcGrail at PCCC.com
Fri Apr 30 13:28:30 EDT 2010
PREFACE: I've been running the event reporter in our milter
implementation and using the data stream via DFS' RBLs on one production
system with nothing but good news so far. I also trust DFS
interpretation of RFCs and mail protocols as he is very knowledgeable.
I could nitpick things but overall it's a good system he's designed and
the paper accurately describes the goal and protocol.
I support this and think a wide-network of reports from systems to
aggregators would be huge step in blocking spammers. I can also comment
that I've seen (and worked with) quite a few systems that are downright
hodgepodge compared to DFS's implementation of reporting various
information.
So with that said, here are some comments.
I think adding more events are needed to be considered for the initial
draft. There is also the potential need for additional information on a
report that should be considered. So not all of these are EVENTS.
For example, these are 7 more items that I think would be invaluable to
report. Brainstorming to come up with more to add EVEN if you don't use
them but to define them in the RFC would be good in my opinion.
1 - including the product / version used for auto-ham/spam and the
automated score & threshold of a spam
2 - including virii/malware as a note
3 - dangerous attachments and a filename
4 - dangerous content
5 - reverse DNS failures
6 - improper HELO/EHLO statements
7 - invalid MX records
I liked that in in #3 that REPUTATION database is not specific to
indexing by IPv4 or IPv6. The system should be extensible to report
more data such as the email address of the sender or recipient, the
subject of the email, etc. In theory, the system could even replace
Razor so it could include a hash of the email, etc. But I would likely
caveatthe first sentence with "index by IPv4 or IPv6 address as oner
example".
In the same way, #2 Introduction, specifically talks about IP based
lists. You might want to broaden that to keep people in a broad mindset.
The use of port 6568 could be expanded to stated something like unless
the AGGREGATOR utilizes an alternate port or something. I have other
listeners on 6568 already, for example.
4.2 would be best organized into 4.2.0 for reserved, 4.2.1 for
GREYLISTED, etc. so that all event types have a clear report
restriction. Then 4.2 should be restrictions for all events like IPv4
Does " a priori knowledge" mean something or is it a grammar/spelling issue?
I would include an extract definition of [GREY] in section 7 in addition
to the reference. It's a term that confuses a lot of people that I
discuss anti-spam with that aren't anti-spam researchers.
regards,
KAM
On 4/30/2010 10:23 AM, David F. Skoll wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> We've been working on an IP reputation system for our commercial product
> for a while now. I'm soliciting comments on an Internet draft; it explains
> the wire protocol we use to collect data. I think having a standard
> way to collect reputation data would be a good idea.
>
> Anyway, the Internet draft is available at:
>
> TXT: http://www.roaringpenguin.com/draft-dskoll-reputation-reporting-00.txt
> HTML: http://www.roaringpenguin.com/draft-dskoll-reputation-reporting-00.html
>
> Working Perl client code can be downloaded from
> http://www.mimedefang.org/download; it's the RPS::Mail::EventReporter module.
>
> We have been collecting IP reputation for several months now. We have
> about 900 million individual reputation events in our database, and
> we've created for DNSBLs. We are selling rsync access to the DNSBLs;
> please contact<sales at roaringpenguin.com> if you are interested.
>
> You can try them out (low-volume, manual lookups only!) at
> http://www.roaringpenguin.com/node/repcheck
>
> Regards,
>
> David.
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iD8DBQFL2ufowYQuKhJvQuARAtDFAJ9d3swbjK8mZvp98t44/YhUf1zQ2QCgiVc/
> OoTLz0iIJ99v+zD9jzVeIvY=
> =Br+7
> -----END PGP SIGNATURE-----
> _______________________________________________
> NOTE: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID. You may ignore it.
>
> Visit http://www.mimedefang.org and http://www.roaringpenguin.com
> MIMEDefang mailing list MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20100430/9c535b3c/attachment.html>
More information about the MIMEDefang
mailing list