On Sun, Sep 7, 2014 at 1:02 PM, John Levine <[email protected]> wrote:
>
> >To connect to server side filtering, the filtering engine on the
> >server just needs to put probabilities it thinks that the message is
> >spam in the headers, as well as have a standardized means for the
> >client to report spam or ham. This doesn't seem that complicated: just
> >a double and some sort of forwarding info to get the backchannel.
> >(This assumes naive Bayes as a filter design)
>
> Keeping in mind that upwards of 90% of mail is spam, you're going to
> be downloading an order of magnitude more mail if you do the filtering on
> the end device. On a desktop with a cable connection that's probably
> OK. On my phone, it's not.
>

I think it would be worthwhile to detail out the operational practices used today for phishing and spear phishing as well. The APWG does a lot of good work with their members to help combat this problem. Their members include financial institutions (affected by these attacks), vendors (help with take-down services in combination with law enforcement and service providers of mail servers, malware distribution points linked in phishing emails, etc.), and other vendors/service providers that assist with maintaining and distributing up-to-date block lists - not just for email, but also for the malware distribution servers linked in email, through the help of browser vendors.

Understanding what they need to get their jobs done today and trying to figure out what changes make sense could be very useful. E2e may just change their approach, and that may be fine, but I do think it's important to understand the current environment and side impacts (good & bad) as we move forward. Maybe someone involved in the APWG can help here in a way similar to the email that started this thread?

Thanks,
Kathleen

> >True: how much does DKIM+sender based blacklists do vs. filtering
> >based on content?
>
> In terms of volume, IP blacklists are still by far the most effective,
> since they knock out most botnet spam. Other than DMARC, which is a
> separate can of worms, I don't know of anyone who does message
> rejection based on DKIM signatures. There's a whole lot of body
> filtering going on.
>

Same thing for malware distribution points in phishing attacks: blacklists provided through web browsers are very effective. It uses very few analytic (human) resources and impacts every browser user (enterprise or home). The changes in operational handling of phishing may not be as bad if end users are relied upon most anyway to report, but it would be good to understand how we might be changing things.

Thanks,
Kathleen

> R's,
> John
>
> _______________________________________________
> Endymail mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/endymail
>

--
Best regards,
Kathleen
