Bret Miller wrote:
Before you look at this as just another blacklist - the real
power is in the white and yellow lists. First - an overview.
My list returns these codes:
* 127.0.0.1 - whitelist - trusted nonspam
* 127.0.0.2 - blacklist - block spam
* 127.0.0.3 - yellowlist - mix of spam and nonspam
* 127.0.0.4 - brownlist - all spam - but not yet enough
to blacklist
And hotmail.com warrants being blacklisted?? Ouch.
I do like the idea of white and yellow lists. If I could just get
CommuniGate to add the ability to use it...
CommuniGate has whitelisting, but it has to be a local list.
Though, if you did your whitelist/blacklist/etc. check in a plugin,
using synchronous rules, then you could do it however you want.
Though, what I really want to see in the DNS-list arena is not another
blacklist/etc. I want to see an open reputation list.
Think of it like this:
the last byte of the return is a number from 1-255. This is the host's
reputation. 128 means completely neutral. 255 means "perfectly spam
free, no danger signs, no worries that this host is sending you spam".
1 means "not only have we never seen ham come from this host, it has all
kinds of danger signals that indicate you shouldn't ever trust them to
do anything useful".
From there, it's up to YOU what levels of result you want to use for
rejecting during SMTP or marking as spam, etc. Do you want to reject
messages whose reputation is lower than 64, and assign different levels
of spam score for reputations from 65-128? It just becomes config
options in your MTA and SA checks.
Things that would likely go into the reputation score:
* long term overall message rate (have we NEVER seen any messages from
this IP before? might be an indication of a fresh zombie)
* short term overall message rate (sudden spike in message throughput
might be an indication of a spam or joe-job flood from a previously good
mail relay)
* long term history of spam or viruses coming from this host (percentage
of spam+viruses/all-messages in the last year or two)
* short term history of spam or viruses coming from this host
(percentage of spam+viruses/all-messages in the last week)
* DNS A and PTR checks (the stuff Botnet does)
* MX record checks
* DNS TTL checks
* DNS registrar reputation
Perhaps other things.
And, it could be used not just on IP address lookups, but also for URIBL
lookups (what is the reputation of this URL?), and mail domain lookups
(so, looking up the sender's mail domain and getting a reputation for
that mail domain).
The main roadblock here is: exact score generation formula, and
gathering the data to build the score database. The closed reputation
lists get this data by basically having their anti-spam appliances
aggregate data and report it back to the home office (Ironport,
Proofpoint, etc., all have reputation list features). So, you'd have to
build a network of reporting entities, and each reporting entity would
ALSO need to have a reputation (so that you can eliminate both the
spammers trying to artificially give good reputations, and eliminate the
zealots trying to lower reputations of good but commercial senders).
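The reputation-byte scheme described above, as an added example that is not part of the original post: a Python decoder for a hypothetical 127.0.0.N reputation answer plus the local policy mapping the post describes (reject below 64, graded score up to neutral). The 64/128/255 thresholds and the score scale are assumed config values for illustration, not a real list's codes.

```python
"""Decode a hypothetical reputation-DNSBL answer and apply a local policy.

Constructed example of the scheme proposed in the post: the last octet of
a 127.0.0.x answer is a reputation from 1 (worst) to 255 (best), 128 being
neutral. Thresholds below are assumed local config, not a real list.
"""
import ipaddress

NEUTRAL = 128
ANSWER_NET = ipaddress.IPv4Network("127.0.0.0/24")

# Assumed policy: reject during SMTP below reject_below; otherwise assign a
# SpamAssassin-style score that shrinks to zero as reputation reaches neutral.
DEFAULT_POLICY = {"reject_below": 64, "max_score": 5.0}


def reputation_from_answer(answer: str) -> int:
    """Return the reputation (1-255) encoded in a 127.0.0.N answer.

    Raises ValueError for answers outside 127.0.0.0/24 (a hijacked or
    misconfigured list) or with a last octet of 0 (no reputation assigned).
    """
    addr = ipaddress.IPv4Address(answer)
    if addr not in ANSWER_NET:
        raise ValueError(f"unexpected DNSBL answer {answer!r}")
    rep = int(addr) & 0xFF
    if rep == 0:
        raise ValueError("last octet 0 carries no reputation")
    return rep


def classify(rep: int, policy=DEFAULT_POLICY) -> tuple[str, float]:
    """Map a reputation to (action, spam_score) using local thresholds."""
    if rep < policy["reject_below"]:
        return "reject", policy["max_score"]
    if rep < NEUTRAL:
        # Linear band: reject_below maps to max_score, NEUTRAL to zero.
        span = NEUTRAL - policy["reject_below"]
        return "score", round(policy["max_score"] * (NEUTRAL - rep) / span, 2)
    if rep == NEUTRAL:
        return "neutral", 0.0
    # Above neutral: negative (ham) evidence, strongest at 255.
    score = -policy["max_score"] * (rep - NEUTRAL) / (255 - NEUTRAL)
    return "trust", round(score, 2)


def decide(answer: str, policy=DEFAULT_POLICY) -> tuple[str, float]:
    """Full path: DNSBL answer string -> (action, score)."""
    return classify(reputation_from_answer(answer), policy)
```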