[77789] in North American Network Operators' Group
Re: Sender authentication & zombies (was Re: Time to check the rate limits on your mail servers)
daemon@ATHENA.MIT.EDU (J.D. Falk)
Sun Feb 6 12:42:02 2005
Date: Sun, 6 Feb 2005 09:41:35 -0800
From: "J.D. Falk" <jdfalk@cybernothing.org>
To: nanog@merit.edu
In-Reply-To: <1107676147.12003.113.camel@bash.adsl-64-142-13-68>
Errors-To: owner-nanog-outgoing@merit.edu

On 02/05/05, Douglas Otis <dotis@mail-abuse.org> wrote:
> On Sat, 2005-02-05 at 19:10, J.D. Falk wrote:
> > On 02/05/05, Douglas Otis <dotis@mail-abuse.org> wrote:
> >
> > > DK or IIM makes it clear who is administering the server and this
> > > authentication permits reputation assessment. Add an account
> > > identifier, and the problem is nailed.
> >
> > Ah, so you're saying that only the reputation of individual
> > e-mail addresses is worth paying attention to? How do you
> > expect that to scale to billions of messages per day?
>
> Without authenticating an identity, it must not be used in a reputation
> assessment. Currently this is commonly done by using the remote IP
> address authenticated through the action of transport. In the name
> space there are two options, the HELO and a validated signature. DK and
> IIM are attempting to allow the signature solution to scale.

Heh, you don't need to convince me that DomainKeys is a good
idea. I just don't see how you're jumping from the issue of
end-user authentication (which is not free from zombies, as
others have explained already) to domain-level reputation.
Where's the link? If you're talking about adding user-level
signatures to something like DomainKeys (which we already have
in S/MIME), how do you propose to scale that to interact with
the reputation determination for billions of messages per day?

--
J.D. Falk                    uncertainty is only a virtue
<jdfalk@cybernothing.org>    when you don't know the answer yet