Sender authentication & zombies (was Re: Time to check the rate limits on your mail servers)

J.D. Falk jdfalk at cybernothing.org
Sun Feb 6 17:41:35 UTC 2005


On 02/05/05, Douglas Otis <dotis at mail-abuse.org> wrote: 

> On Sat, 2005-02-05 at 19:10, J.D. Falk wrote:
> > On 02/05/05, Douglas Otis <dotis at mail-abuse.org> wrote: 
> > 
> > > DK or IIM makes it clear who is administering the server and this
> > > authentication permits reputation assessment.  Add an account
> > > identifier, and the problem is nailed.
> > 
> > Ah, so you're saying that only the reputation of individual
> > e-mail addresses is worth paying attention to?  How do you
> > expect that to scale to billions of messages per day?
> 
> Without authenticating an identity, it must not be used in a reputation
> assessment.  Currently this is commonly done by using the remote IP
> address authenticated through the action of transport.  In the name
> space there are two options, the HELO and a validated signature.  DK and
> IIM are attempting to allow the signature solution to scale.

	Heh, you don't need to convince me that DomainKeys is a good
	idea.  I just don't see how you're jumping from the issue of
	end-user authentication (which is not free from zombies, as 
	others have explained already) to domain-level reputation.  
	Where's the link?  If you're talking about adding user-level 
	signatures to something like DomainKeys (which we already have 
	in s/mime), how do you propose to scale that to interact with
	the reputation determination for billions of messages per day?

-- 
J.D. Falk                                          uncertainty is only a virtue
<jdfalk at cybernothing.org>                    when you don't know the answer yet


