spamassassin-users October 2010 archive
Main Archive Page > Month Archives  > spamassassin-users archives
spamassassin-users: Re: Collecting IP reputation data from many

Re: Collecting IP reputation data from many people

From: David F. Skoll <dfs_at_nospam>
Date: Thu Oct 28 2010 - 17:05:57 GMT
To: users@spamassassin.apache.org

On Thu, 28 Oct 2010 12:43:51 -0400
Darxus@ChaosReigns.com wrote:

> On 10/28, David F. Skoll wrote:
> > Perhaps you have heard of a recent phenomenon called "a botnet"?
> > Just what security do you think TCP really buys you?

> Requiring them to use the botnet.

In other words: No security at all.

> > And what kind of account registration do you envision that lets you
> > easily register "millions" of accounts?

> Free. Unrestricted.

That's completely at odds with your remarks below that you don't
expect scaling to be an issue.

It will also make your data practically worthless.

[...]

> > That's why I think it's folly to accept IP reputation submissions
> > from people with whom you have no trust relationship. They could
> > be feeding you utter garbage and you'd never know.

> Yeah, that's the primary problem with what I was talking about. As I
> said. The reason I posted about it. I think it might be possible to
> get useful data out of it. It would probably be challenging.

> Which is precisely why I feel it is absolutely necessary to prevent
> the sender IP forging which UDP allows.

That's ludicrous. Our system ties a report to a specific user.
How does tying it to a specific IP address improve security?

[...]

> So if I just open a socket, dump over the IP, whether it's ham or
> spam, and maybe a protocol version, it just won't work huh?

Go ahead and try it. I agree that there's no point in building on
the work of others; that's not for 1337 H4x0rs.

> That RFC is a great checklist. But I really don't see a reason to
> conform to it.

Sure, whatever. NIH run amuck, I guess.

[...]

> I expect scaling to be much more of an issue with your reputation
> system than the free system I've been talking about.

That's crazy. We restrict the number of people who can report to our
customers and a handful of people we trust. You're planning on making
it "Free. Unrestricted." So scaling will be a HUGE issue for you.

> And if I'm wrong, I hope others will donate server resources. As
> has happened with similar projects.

Heh! :-) Way to plan for scalability... throw hardware (that you don't own)
at the problem. :)

(Btw, why do you think DCC uses UDP for its reports?)

> Also, sender IP forging.

Sender IP forging is a red herring. We have an authenticated user name.
That's far stronger authentication than knowing an IP address.

Also, there are simple countermeasures to detect if a sender's credentials
have been stolen and data is spewing from many faked IP addresses. It's
easy enough to spot anomalies.

> > Remember, our system is designed to scale to tens or hundreds of
> > thousands of reporting systems sending tens or hundreds of
> > thousands of reports per second.

> That's great. And not what I expect to do.

Well then... what exactly DO you expect to do?

-- David.