[milters] Archive


Article: 259
From: April Lorenzen
Date: 2004-11-28 13:39:36 -0500
Subject: Re: milter-mole

Hi Jeff,

SNMPTrap potentially has security / anti-spoof benefits over the SIQ
protocol *for the purpose of sending data which will be used as facts to
score domains, IPs or domain+IP pairs.* It was just a wild suggestion and
I don't think it (SNMPTrap) panned out. We are not presently concerned
with how to collect trustable data from inbound servers / recipients.

The SIQ protocol is optimized for speed, and once we determined there is
no requirement to be able to trust the data the SIQ "reputation" server
receives, people spoofing queries is not an important issue. They can
spoof all they want - they are the only user of the response they get
back, and the queries they send are not used as input to the "reputation"

Vitalij's milter-mole seems much more like GOSSIP to me - but in V's
suggestion, many trusted reporting nodes send data to a central server,
and apparently the mole also signals 'we thought this was bad' or maybe
even 'we thought this was good'.

The SIQ protocol "reputation" service I operate doesn't use judgements
from any source in determining scores. It (the Outbound Index) is based on
facts about the domain, IP, domain+IP, nameservers and related criteria.
The Outbound Index facts are about longevity and stability - how long has
the domain, or name server, or IP been around / assigned to this usage -
showing a pattern of wildly varying "customers" / forgeries vs. the dull, stolid
consistency of most legitimate senders, and also whether identity is obvious
or concealed.

The "security" factors are also part of the Outbound Index structure - for
example, a free webmail that requires zero verification of identity to
sign up - and has no rate limiting - has a lower security rating than a
bank with tight policies - no one but their own employees have access to
their outbound server, and their employees are required to use port 587
submission for any mail sent with the bank domain.

I don't like the term reputation - because it may be taken to be
subjective judgements or conjure up visions of "samples of spam" used to
justify blacklists, or some geek like me deciding whether or not
recipients get to see ads for di-et patches or V or C or p o rn or
whatever. But "reputation" seems to be the term we are stuck with. The way
we use the Outbound Index is all pre-DATA so there is certainly no

Thank you,

- April

>  From my reading of both Vitalij's email above and the discussion on the
> wiki that you provided, I think that both are basically barking up the
> same tree.
> As an additional question generated by my reading, what were the
> benefits of using SNMPTrap over the current DNSBL arrangement?
> Thanks,
> Jeff G.

>>>milter-mole: This
>>>module will periodically post to the central server the IP address
>>>and the e-mail sender and destination address in case a sender or
>>>recipient is not improper. In case an IP or e-mail sender or e-mail
>>>recipient often repeats itself at all participants, on the amount of
>>>voices, block the IP and e-mail sender. And also I ask to consider the
>>>possibility of creating SQL (MySQL) support for local use for
>>>personal aims.
