On February 15, 2023 10:18:50 PM UTC, "Murray S. Kucherawy" 
<superu...@gmail.com> wrote:
>On Wed, Feb 15, 2023 at 5:39 AM Scott Kitterman <ietf-d...@kitterman.com>
>wrote:
>
>> Any reputation based solution does have down scale limits.  Small mail sources
>> (such as your random Nebraska forwarder) generally will have no reputation
>> vice a negative one and so wouldn't get penalized in a scheme like the one I
>> suggested.  This does, however, highlight where the performance challenge is.
>> We've moved it from duplicate detection to rapid assessment of reputation for
>> hosts that have sudden volume increases.
>>
>
>I wonder if this could be separated into "reputation" and "hosts that have
>sudden volume increases".
>
>Reputation is hard.  Large operators spend a lot of R&D time coming up with
>algorithms that accurately (for some value thereof) compute the reputation
>it should associate with an identity.  That investment means they're not
>inclined to share that secret sauce.  Small operators without those
>resources long for an open source solution, or a cheap or free service from
>which they can reliably get reputation data.  Companies that offer
>reputation data for public consumption have been sued out of existence by
>people that get marked as suspect, so really good ones don't seem to abound
>last I checked.
>
>There's a lot less secret sauce involved in the latter.  It would be
>interesting to see if some simple recordkeeping of this nature could make a
>dent in the problem space we're discussing.  But that might just encourage
>further distribution of the attack to avoid detection.

I think it could, but it has its own scaling problems.

Further distribution has two sides:

If I have multiple hosts (for any of the many reasons one does) and the 
attacker hits all of them with some fraction of the attack volume, that doesn't 
materially increase the cost of the attack.

If I can rapidly share rate data among my hosts so that distributing volume 
among them doesn't help avoid volume detection, then that either raises the 
cost of the attack (need more IP addresses to send from) or reduces its 
effectiveness (messages blocked due to being over rate).  Either of those 
results is a good thing, but whatever the process is, it's no longer simple.

This is the flip side of reputation in a way.  Technically easy for small 
domains, but hugely harder at any significant scale.

Scott K

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
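
The trade-off discussed in the message above, as an added example that is not part of the original thread: a sliding-window volume counter keyed by sending IP, run once with independent per-host counters and once with a single shared counter. The class and function names, the 60-second window, the limit of 100 and the traffic are all assumptions constructed for illustration, and the shared in-process object stands in for whatever cross-host store a real deployment would need.

```python
from collections import defaultdict, deque

class VolumeTracker:
    """Sliding-window message counter per sending IP (hypothetical helper)."""
    def __init__(self, window_s, limit):
        self.window_s = window_s
        self.limit = limit
        self.events = defaultdict(deque)  # sender IP -> timestamps in window

    def record(self, sender, ts):
        """Count one message; return True if sender is now over the limit."""
        q = self.events[sender]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q[0] <= ts - self.window_s:
            q.popleft()
        return len(q) > self.limit

def flagged_senders(messages, hosts, window_s, limit, shared):
    """Replay (ts, receiving_host, sender_ip) tuples; return over-rate senders.

    shared=False: each receiving host counts only what it sees itself.
    shared=True:  all hosts feed one counter (stand-in for shared rate data).
    """
    if shared:
        common = VolumeTracker(window_s, limit)
        trackers = {h: common for h in hosts}
    else:
        trackers = {h: VolumeTracker(window_s, limit) for h in hosts}
    flagged = set()
    for ts, host, sender in sorted(messages):
        if trackers[host].record(sender, ts):
            flagged.add(sender)
    return flagged

HOSTS = ["mx1", "mx2", "mx3", "mx4"]  # constructed receiving hosts

def constructed_traffic():
    """Constructed sample: one burst spread over all hosts, one small sender."""
    msgs = []
    # 200 messages in 50 s from one IP, round-robin across the four hosts.
    for i in range(200):
        msgs.append((i * 0.25, HOSTS[i % len(HOSTS)], "192.0.2.10"))
    # A small forwarder: 6 messages in a minute, all to mx1.
    for i in range(6):
        msgs.append((i * 10.0, "mx1", "198.51.100.7"))
    return msgs

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("per-host:", flagged_senders(traffic, HOSTS, 60, 100, shared=False))
    print("shared:  ", flagged_senders(traffic, HOSTS, 60, 100, shared=True))
```

Each host sees only 50 of the burst's 200 messages, so the per-host counters never trip, while the shared counter does. The small sender stays under the limit in both runs.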
