Martijn Grooten | 1 Nov 2010 20:45

Re: Please take a look at the blacklist BCP draft

Chris Lewis wrote:
> >     But I really don't follow why documents like this must proscribe
> > business models.
>
> It's not a business model that's being proscribed, it's conflict of
> interest or the appearance of conflict of interest.  At least with the
> notion of paying for delisting from a block/negative reputation list.
>
> Part of a BCP is providing an ethical guideline.

I agree with that, just as I agree that DNS blacklists really shouldn't ask a fee for (fast) delisting. I'm a
bit hesitant though about saying they MUST NOT do this, seeing as it makes a claim about all sorts of
business models, possibly including some that we may not have thought of, but that we will think are quite
okay. Hence I'd rather see a SHOULD NOT here.

Martijn.

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
John Leslie | 1 Nov 2010 21:28

Re: Please take a look at the blacklist BCP draft

Chris Lewis <clewis <at> nortel.com> wrote:
> On 10/30/2010 7:18 PM, John Leslie wrote:
> 
>>  I dislike such fees as much as the next fellow -- I pretty much
>> refuse to pay them (instead renumbering the server in the two cases
>> where I've gotten blacklisted)...
> 
>> But I really don't follow why documents like this must proscribe
>> business models.
> 
> It's not a business model that's being proscribed, it's conflict of 
> interest or the appearance of conflict of interest.

   Then (IMHO) it should be stated as a conflict-of-interest issue.

   In general conflicts of interest call for full disclosure, not
prohibitions.

> At least with the notion of paying for delisting from a block/negative
> reputation list.

   There is an actual cost involved in "early expiration" of a listing:
I'm not comfortable forbidding a charge for that.

   However, I do think it has proven an unproductive business practice,
and I'm quite comfortable recommending against it (in addition to
noting the (widespread) perception of a conflict of interest).

   I think our recommendation should also address the question of how
quickly a listing expires: 7 days (UCEPROTECT) is clearly excessive,

Darxus | 2 Nov 2010 21:39

Re: Collecting IP reputation data from many people

I was thinking more about how spammers could game this system, and... I
think obfuscation by reducing the precision of reporting would have
minimal benefit.  The only benefit I was hoping for was minimizing how well
a spammer could tell if he was successfully influencing the system.  And I
don't think it will.

I had been thinking of reporting percentage of email from each IP which is
not spam with maybe only 5 distinct values (10, 30, 50, 70, 90%), and
reporting no information on the actual volume of email from the IP.

Now I'm thinking about providing non-spam percentages, and a number
indicating relative total volume of email from the IP, probably both
with a range of 256 values.  Basically all the precision I think anybody
could find useful.

I'd like opinions on which would be better.

And I'm hesitant to discuss details of why I think obfuscation would not be
useful because I must assume there are spammers intelligent enough to be on
this list :/

If you think it's obvious enough (to spammers) why precision reduction
might have no benefit, go ahead and say it.

On 10/22, Daryl C. W. O'Shea wrote:
> You could avoid bulk amounts of forgery by passing sequence numbers
> back and forth or what not.  I'm thinking we might have been passing

UDP with verification of the sender makes sense.  The Roaring Penguin /
mimedefang implementation, which I think I'll largely copy, uses a

Rich Kulawiec | 2 Nov 2010 22:34

Re: Please take a look at the blacklist BCP draft

I don't think I worded my comments very well; let me try again.

On Sat, Oct 30, 2010 at 08:28:55PM -0400, Chris Lewis wrote:
> A blocklist is generated for the benefit of receivers, and they work
> by providing a negative reputation to someone who's not, er,
> "volunteered".  As such, it's at least conceptually a conflict of
> interest if not outright protection racket to take money from the
> person they stepped on.  "Pay me, otherwise we break your (arm|mail
> server)".

Agreed (well, I think we agree).  In both cases we have possible conflicts
of interest:

	A. You refused to delist $foo because they didn't pay you.
	   (Alternate form: You listed $foo because they didn't pay you.)
	B. You delisted $foo because they paid you.

> On the other hand, I can't imagine people paying to be on a DNSBL,
> unless that infers positive reputation (whitelist or something
> similar).  They're "volunteering", and it's for their benefit (and
> hopefully the receiver's (the one who volunteers to _use_ the
> whitelist) benefit too).  Both of them are entering into the
> agreement.

That (something inferring positive reputation) is what I was thinking of.
I can see possible conflicts of interest there too:

	C. You listed $foo because they paid you.
	   (Alternate form: You refused to delist $foo because they paid you.)
	D. You refused to list $foo because they didn't pay you.

Chris Lewis | 3 Nov 2010 00:19

Re: Please take a look at the blacklist BCP draft

On 11/2/2010 5:34 PM, Rich Kulawiec wrote:

>> Yes, there can still be accusations that the whitelist is taking
>> money from those they shouldn't to help their bottom line.  But for
>> the most part, the people who _use_ the DNSWL and are big enough to
>> matter in the whitelist's bottom line will know if the DNSWL is
>> telling porkies (user complaints), and simply stop using it.  We
>> know they will fire whitelists that tell porkies, and we know that
>> it will be noticed.  A negative feedback self-correcting thing.
>
> I'd like to agree with this; I really would, because it would be
> great if things worked this way.  But (a) I don't see it happening
> in practice (today) and

I do.  I know of at least one firing of a significant whitelisting 
mechanism.  I am constrained from providing details, other than to state 
that it was big and someone's bottom line took a major hit.

> (b) even if I did, I can still see plenty
> of opportunities for DNSBLs and DNSWLs to engage in considerable
> chicanery while remaining under the radar.  (Of course they could
> do that anyway, for a variety of reasons: caprice, bias, negligence,
> etc.  But I think fees pose much more of an issue than any of those.)

Agreed.

>> The BCP is only about DNS-based lists, so expanding its coverage
>> anywhere near that far _just_ for this would be, I think, vastly
>> overreaching ourselves.


Alessandro Vesely | 4 Nov 2010 20:34

Re: Collecting IP reputation data from many people

On 02/Nov/10 21:39, Darxus <at> ChaosReigns.com wrote:
> I had been thinking of reporting percentage of email from each IP which is
> not spam with maybe only 5 distinct values (10, 30, 50, 70, 90%), and
> reporting no information on the actual volume of email from the IP.
> 
> Now I'm thinking about providing non-spam percentages, and a number
> indicating relative total volume of email from the IP, probably both
> with a range of 256 values.  Basically all the precision I think anybody
> could find useful.
> 
> I'd like opinions on which would be better.

The second format might allow some sort of projective conglomeration of results.

> UDP with verification of the sender makes sense.  The Roaring Penguin /
> mimedefang implementation, which I think I'll largely copy, uses a
> SHA1 HMAC signature using a shared secret (and an 8 byte random report ID).

For the record, let me annotate the url:
http://tools.ietf.org/html/draft-dskoll-reputation-reporting
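The signing scheme Darxus describes (a shared secret, a SHA1 HMAC over the report, and an 8-byte random report ID) can be exercised end to end with the code below. This is an added example, not code from the thread, from the Roaring Penguin / mimedefang implementation, or from the dskoll draft: the field layout, the function names and the constructed secret are assumptions made for the example. The receiver side checks the MAC in constant time before looking at any field, and then refuses a report ID it has already accepted, which is the replay protection the random ID buys.

```python
"""Sign and verify UDP reputation reports with HMAC-SHA1 and a random report ID.

Added example; not code from the thread or from any reporting implementation.
Assumed wire layout:  report_id(8) | IPv4(4) | nonspam(1) | rel_volume(1) | HMAC-SHA1(20)
"""
import hashlib
import hmac
import os
import socket
from typing import Optional

REPORT_ID_LEN = 8
MAC_LEN = hashlib.sha1().digest_size          # 20 bytes
REPORT_LEN = REPORT_ID_LEN + 4 + 2 + MAC_LEN  # 34 bytes per datagram


def build_report(ip: str, nonspam: int, rel_volume: int, secret: bytes,
                 report_id: Optional[bytes] = None) -> bytes:
    """Serialise one report and append its HMAC; a fresh random ID is drawn unless given."""
    if report_id is None:
        report_id = os.urandom(REPORT_ID_LEN)
    if len(report_id) != REPORT_ID_LEN:
        raise ValueError("report ID must be 8 bytes")
    if not (0 <= nonspam <= 255 and 0 <= rel_volume <= 255):
        raise ValueError("nonspam and rel_volume are single bytes")
    body = report_id + socket.inet_aton(ip) + bytes([nonspam, rel_volume])
    mac = hmac.new(secret, body, hashlib.sha1).digest()
    return body + mac


class ReportVerifier:
    """Receiver side: checks the MAC first, then rejects replayed report IDs."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids = set()   # grows without bound here; a real receiver would age entries out

    def verify(self, datagram: bytes) -> Optional[dict]:
        """Return the parsed report, or None if it is malformed, forged or replayed."""
        if len(datagram) != REPORT_LEN:
            return None
        body, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return None
        report_id = body[:REPORT_ID_LEN]
        if report_id in self.seen_ids:               # same ID seen before: replay
            return None
        self.seen_ids.add(report_id)
        return {
            "report_id": report_id,
            "ip": socket.inet_ntoa(body[REPORT_ID_LEN:REPORT_ID_LEN + 4]),
            "nonspam": body[REPORT_ID_LEN + 4],
            "rel_volume": body[REPORT_ID_LEN + 5],
        }


if __name__ == "__main__":
    # Constructed sample: a secret both sides know, one report about 192.0.2.10 (documentation range).
    secret = b"constructed-shared-secret"
    datagram = build_report("192.0.2.10", 204, 37, secret)
    verifier = ReportVerifier(secret)
    print(verifier.verify(datagram))    # parsed report
    print(verifier.verify(datagram))    # None: same report ID again
```

Two points the code makes that the prose leaves implicit: the MAC covers the report ID as well as the payload, so an attacker cannot splice a fresh ID onto a captured report, and the replay check only works for as long as the receiver remembers IDs, so the retention window is a policy decision rather than something the signature gives you.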
Darxus | 4 Nov 2010 20:49

Re: Collecting IP reputation data from many people

On 11/04, Alessandro Vesely wrote:
> On 02/Nov/10 21:39, Darxus <at> ChaosReigns.com wrote:
> > Now I'm thinking about providing non-spam percentages, and a number
> > indicating relative total volume of email from the IP, probably both
> > with a range of 256 values.  Basically all the precision I think anybody
> > could find useful.

> The second format might allow some sort of projective conglomeration of results.

What?

--

-- 
"Blades don't need reloading." - The Zombie Survival Guide by Max Brooks
http://www.ChaosReigns.com
Alessandro Vesely | 5 Nov 2010 09:07

Re: Collecting IP reputation data from many people

On 04/Nov/10 20:49, Darxus <at> chaosreigns.com wrote:
> On 11/04, Alessandro Vesely wrote:
>>  On 02/Nov/10 21:39, Darxus <at> ChaosReigns.com wrote:
>>  >  Now I'm thinking about providing non-spam percentages, and a number
>>  >  indicating relative total volume of email from the IP, probably both
>>  >  with a range of 256 values.  Basically all the precision I think anybody
>>  >  could find useful.
>
>>  The second format might allow some sort of projective conglomeration of results.
>
> What?

If I have reports from both A and B about S, I may want to add their 
results.  I can extrapolate the real volumes Va and Vb that A and B 
got from S by scaling the relative volumes Ra and Rb by, say, the 
volumes I send to A and B, respectively.  Call Ma and Mb these 
"projections" of A and B on My site, and Pa and Pb the percentages 
found in the report.  Then I can reckon their sum as

(Pa*Va + Pb*Vb) / (Va + Vb) = (Pa*Ra*Ma + Pb*Rb*Mb) / (Ra*Ma + Rb*Mb)

One may want to season the projection factors with more ingredients, 
such as the trust granted to the relevant reporter.
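The projection Alessandro sketches above, carried through in code so the weighting is explicit: each reporter's relative volume R is scaled by a projection factor M onto my site, the non-spam percentages P are weighted by those projected volumes, and an optional trust factor per reporter is folded into the same weight. This is an added example, not code from the thread; it uses Darxus's 256-value encoding for the two report fields (both bytes), and the names Report, combine and the projection dictionary are assumptions made for the example.

```python
"""Combine per-IP reputation reports from several reporters.

Added example for the projection formula in the thread:
    (Pa*Ra*Ma + Pb*Rb*Mb) / (Ra*Ma + Rb*Mb)
Not code from any reporting implementation; field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def encode_fraction(fraction: float) -> int:
    """Map a non-spam fraction in [0, 1] onto one byte (0..255)."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must lie in [0, 1]")
    return round(fraction * 255)


def decode_fraction(byte: int) -> float:
    """Inverse of encode_fraction."""
    if not 0 <= byte <= 255:
        raise ValueError("encoded fraction must be one byte")
    return byte / 255


@dataclass(frozen=True)
class Report:
    reporter: str
    nonspam: int      # 0..255: encoded fraction of non-spam mail the reporter saw from S
    rel_volume: int   # 0..255: volume from S relative to the reporter's own traffic (R)


def combine(reports: Iterable[Report], projection: Dict[str, float],
            trust: Optional[Dict[str, float]] = None) -> float:
    """Projected, volume-weighted non-spam fraction for S across all reporters.

    projection[r] is M_r, the factor that turns r's relative volume into the
    volume expected at my site (for instance, the traffic I exchange with r).
    trust[r], when given, scales r's weight further; reporters not listed get 1.
    """
    trust = trust or {}
    numerator = 0.0
    denominator = 0.0
    for rep in reports:
        # V_r = R_r * M_r is the extrapolated absolute volume; trust multiplies it.
        weight = rep.rel_volume * projection[rep.reporter] * trust.get(rep.reporter, 1.0)
        numerator += decode_fraction(rep.nonspam) * weight
        denominator += weight
    if denominator == 0:
        raise ValueError("reports carry no volume to weight by")
    return numerator / denominator


if __name__ == "__main__":
    # Constructed sample: A says 80% non-spam at relative volume 100, B says 40% at 50.
    reports = [Report("A", encode_fraction(0.8), 100), Report("B", encode_fraction(0.4), 50)]
    projection = {"A": 2.0, "B": 4.0}      # both project to Va = Vb = 200
    print(combine(reports, projection))                     # 0.6
    print(combine(reports, projection, trust={"B": 0.0}))   # 0.8: B ignored
```

With equal projected volumes the result is the plain average of the two percentages; a reporter whose trust is set to zero drops out entirely, which is the "more ingredients" knob from the last paragraph. Note that the percentage byte alone cannot be averaged meaningfully without the volume byte, which is the practical argument for the second report format.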
Douglas Otis | 5 Nov 2010 16:55

Re: Collecting IP reputation data from many people

On 11/5/10 1:07 AM, Alessandro Vesely wrote:
>  On 04/Nov/10 20:49, Darxus <at> chaosreigns.com wrote:
> > On 11/04, Alessandro Vesely wrote:
> >> On 02/Nov/10 21:39, Darxus <at> ChaosReigns.com wrote:
> >>> Now I'm thinking about providing non-spam percentages, and a
> >>> number indicating relative total volume of email from the IP,
> >>> probably both with a range of 256 values. Basically all the
> >>> precision I think anybody could find useful.
> >> The second format might allow some sort of projective
> >> conglomeration of results.
> > What?
>
>  If I have reports from both A and B about S, I may want to add their
>  results. I can extrapolate the real volumes Va and Vb that A and B
>  got from S by scaling the relative volumes Ra and Rb by, say, the
>  volumes I send to A and B, respectively. Call Ma and Mb these
>  "projections" of A and B on My site, and Pa and Pb the percentages
>  found in the report. Then I can reckon their sum as
>
>  (Pa*Va + Pb*Vb) / (Va + Vb) = (Pa*Ra*Ma + Pb*Rb*Mb) / (Ra*Ma +
>  Rb*Mb)
>
>  One may want to season the projection factors with more ingredients,
>  such as the trust granted to the relevant reporter.

Not all email is bidirectional, where an amount sent will not reflect an 
amount received.  Received rates are poor predictors of sending rates 
due to nonlinear relationships between sending and receiving.  People 
are able to read only so much.  Volume over time can be expressed as 
absolutes using natural log with as little as 4 bits.  As sending volume 
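Douglas's remark that volume over time can be carried as an absolute count using a natural log in as little as 4 bits is easy to check numerically. The code below is an added example, not code from the thread: the bin mapping (code 0 means no mail, code n stands for about e^(n-1) messages) and the function names are assumptions made for the example. It encodes, decodes, and measures the worst-case ratio between the decoded and the true count, which stays within a factor of e^0.5 (about 1.65) until the 4-bit code saturates at roughly two million messages.

```python
"""Log-scale volume encoding in four bits.

Added example; not code from the thread.  Assumed mapping:
    code 0          -> no mail
    code n (1..15)  -> about e^(n-1) messages
"""
import math

LOG_BITS = 4
CODE_MAX = (1 << LOG_BITS) - 1   # 15: codes 1..15 cover e^0 .. e^14 (about 1.2 million)


def encode_volume(count: int) -> int:
    """Compress a message count into its 4-bit natural-log bin."""
    if count < 0:
        raise ValueError("count must be non-negative")
    if count == 0:
        return 0
    return min(CODE_MAX, 1 + round(math.log(count)))


def decode_volume(code: int) -> float:
    """Representative count for a code: the bin centre on the log scale."""
    if not 0 <= code <= CODE_MAX:
        raise ValueError("code must fit in 4 bits")
    if code == 0:
        return 0.0
    return math.exp(code - 1)


def worst_relative_error(limit: int) -> float:
    """Largest ratio (either direction) between decoded and true count over 1..limit.

    Valid below the saturation point (counts under about e^14.5); above it the
    code is pinned at CODE_MAX and the error grows without bound.
    """
    worst = 1.0
    for count in range(1, limit + 1):
        ratio = decode_volume(encode_volume(count)) / count
        worst = max(worst, ratio, 1.0 / ratio)
    return worst


if __name__ == "__main__":
    for count in (0, 1, 2, 12, 100, 5000, 10**9):
        code = encode_volume(count)
        print(f"{count:>12} -> code {code:2d} -> about {decode_volume(code):.1f}")
    print("worst ratio up to 100000:", worst_relative_error(100000), "bound:", math.exp(0.5))
```

The trade-off is the one Douglas is pointing at: a linear 8-bit relative volume needs a reference to be interpreted at all, while the log code is an absolute figure that survives aggregation, at the price of being accurate only to within a constant factor.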

David Nicol | 17 Nov 2010 23:11

Re: Collecting IP reputation data from many people

On Wed, Oct 20, 2010 at 8:45 PM,  <Darxus <at> chaosreigns.com> wrote:
>   Also, the availability of captcha
> solving for $2 per 1000.

which makes Just Captchas an inadequate pot of sender-pays chili.
Captchas may work very nicely as a non-money entry point though,
that's what I will use them for when I get back around to making my
system go again.
_______________________________________________
Asrg mailing list
Asrg <at> irtf.org
http://www.irtf.org/mailman/listinfo/asrg
