Re: Not exactly not a threat analysis
* william elan net:
> On Wed, 17 Aug 2005, Tony Finch wrote:
>> There's a lot more information available about domain names than about IP
> I disagree.
And much of the data available for domain names is typically either
forged (owner information, for example) or volatile (name server
> For throw-away domains whois data is not reliable (and that just like
> with email there is no protection against using somebody else's address)
In addition, sometimes you can't get WHOIS data for such domains in
time, depending on the TLD.
> and ns servers could simply be default ones provided by domain registrar.
> or often point to compromised machine (zombie, hacked server, compromised
> dns service, etc) and with changes introduced by Verisign this year they
> can now be quickly (within 15 minutes) changed whenever the compromised
> machine is discovered and filtered (which is exactly what happens to
> phish email used domains I've investigated).
Yes, that's exactly what I see as well.
> In the end the most reliable way to detect and filter these domains is
> actually based on ip address of the server hosting the website for
> the advertised and used domain (for order taking). So I'm not at all
> certain that doing reputation on per-domain basis will be easy (in fact
> I think it would be more difficult than on per-IP).
That's my current expectation as well.
> The good thing is that for non-throw-away domains (those that have
> been used for a while) the reputation can be accumulated over time and
> can be quite useful but it will take quite some time (years) before
> we're able to get to the point that this is possible (i.e. relying
> primarily on positive reputation score).
There's one situation where a standardized sender authentication scheme
is immediately useful: As a large mail provider (think Hotmail), you
want to pass legitimate bulk mail (e.g. DARTmail) to your customers.
With SPF and the other schemes, the mail provider can delegate
maintenance of authorization information (which IP address space
belongs to DARTmail's outgoing relays?) to the bulk mailer, and the
bulk mailer has to maintain this data just once, and not individually
for each mail provider.
In fact, SPF is already used in this way, to increase the amount of
legitimate spam in circulation.
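The delegation described in the last paragraph is what SPF's include: mechanism does: the customer domain's record points at the bulk mailer's record, and the bulk mailer keeps its relay address space in that one record. The following is an added illustration, not code from the post or from any SPF implementation; it evaluates SPF records (a subset of RFC 7208: ip4, ip6, include, all, with the 10-lookup limit) against a constructed in-memory DNS table. All domain names and addresses in it are made up for the example.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over a constructed DNS table.

Added example, not part of the original mailing-list post.  The mail
provider checks the connecting IP against the SPF record of the sender's
domain; that record delegates (include:) to the bulk mailer, which
maintains its outgoing relay ranges in a single record.
"""
import ipaddress

# Constructed TXT records standing in for DNS.  All names are hypothetical.
DNS_TXT = {
    # Customer of the bulk mailer: delegates to the mailer's record.
    "newsletter.example.com": "v=spf1 include:_spf.bulkmailer.example -all",
    # The bulk mailer's own record: the only place its relay ranges live.
    "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all",
    # A record that includes a domain publishing no SPF -> permerror.
    "broken.example.org": "v=spf1 include:no-such.example -all",
    # A record that includes itself -> hits the lookup limit -> permerror.
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying mechanisms


def lookup_spf(domain):
    """Return the SPF record for domain, or None if it publishes none."""
    rec = DNS_TXT.get(domain.lower())
    if rec and rec.split()[0] == "v=spf1":
        return rec
    return None


def check_host(ip, domain, _lookups=None):
    """Evaluate ip against domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]          # shared counter across nested includes
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue            # modifiers (redirect=, exp=) not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        if name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("permerror", "none"):
                return "permerror"   # included record missing or broken
            continue                 # fail/softfail/neutral: no match
        return "permerror"           # unknown mechanism
    return "neutral"                 # default when nothing matched


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "newsletter.example.com"),
                    ("192.0.2.1", "newsletter.example.com"),
                    ("192.0.2.1", "broken.example.org"),
                    ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} from {dom:<26} -> {check_host(ip, dom)}")
```

The point of the delegation shows up in the first two cases: the customer's record never lists an address, so when the bulk mailer adds or retires a relay it edits only its own record and every provider that evaluates the customer domain picks the change up at the next lookup. The loop and missing-include cases show why a receiver must cap lookups and treat an unusable included record as permerror rather than as a silent non-match.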