...
- Use PGP to try to find a trust path.
- Checking the direct trust should be relatively simple if one has access to the user's keyring. But what about server side filtering?
- Is it feasible to query servers for an indirect trust path, too? What's the overhead?
- JustinMason: imo this is definitely a good idea. I'm worried about the CPU overhead of checking GPG sigs, but caching recently-seen "good" sigs in a cache keyed on From-address and first untrusted IP address from the Relays header would help that. Also, gaining access to GPG from perl isn't easy; the CPAN modules are not great. imo the cleanest option may be running GPG directly from a plugin.
FOAF
How can we incorporate [http://www.foaf-project.org/ FOAF]? Querying the website each time has quite some overhead, so some caching is needed.
- How to access? XML-RPC or some DNSDB gateway? (Have you noticed that DNS gets abused for quite some things?)
- JustinMason: in thinking about this in the past, I considered that possibly the best way would be to have a crawler run from cron which generates a local cache of the remote data. However, one issue is that FOAF does not specify relays, just email address hashes; so this means that it's vulnerable to spammers faking the From addr. See 'Using From For Whitelisting Problems' below.
Web-O-Trust
The [http://web-o-trust.org/ Web-O-Trust] project is relatively dead; maybe we can revitalize it.
- It should be possible to implement the Web-O-Trust syntax in XML and put it into FOAF files.
- JustinMason: I have always argued that Web-O-Trust needs a way to specify various degrees of trust, as well; ie. "this server will never originate or relay spam", "this server is trusted not to be subverted by spammer code, but may relay spam originated elsewhere", etc.
LOAF
I don't like the idea at all, but [http://loaf.cantbedone.org/ LOAF] might be worth looking into, too.
- JustinMason: big problem in my opinion is that the LOAF files are attached to each mail sent. bulky and messy!
Geo info
[http://www.corante.com/many/archives/2004/03/19/loaf_social_email_filtering.php This] posting about LOAF made me think that it might be possible to use a website's published Geo information (how near am I geographically to the sender).
- JustinMason: several spammers live near me!
Querying Addressbooks
I already implemented a [http://msquadrat.de/archive/04/03/22/01 quick hack] to query my KAddressbook from KMail for whitelisting. What about querying LDAP servers?
- JustinMason: see also 'Using From For Whitelisting Problems' below
Social Networks
- I guess quite some of them have some API available so it should be possible to write specific plugins for the services. I'd prefer if they just published FOAF profiles though.
- JustinMason: http://www.tribe.net/ publishes FOAF.
Six/Four
A friend pointed me to [http://www.hacktivismo.com/projects/ Six/Four], no clue how that could fit in, just noting it here.
Using From For Whitelisting Problems
One common problem that appears when using just email addresses for whitelisting is that spammers routinely fake the From address to appear to be:
- the recipient's email address
- another email address at the recipient's domain
- another email address from the address list in the recipient's domain
If we use just the From address with an address-based whitelisting scheme, it will be vulnerable.
The solution is to either:
- Use IP address info from the Received headers or the last untrusted relay, and combine that with the address to come up with a combined email-and-IP key, similar to how the AutoWhitelist does it.
- Require that any whitelisted address be on a domain that publishes SPF records.
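
A sketch of the first option, added here as an example and not SpamAssassin code: the whitelist is keyed on the From address combined with the network of the last untrusted relay, so a forged From arriving via a different relay does not match. The trusted network range, the `addr|ip=a.b` key format with a /16 prefix, the function names and the sample messages are all assumptions of this example; it handles IPv4 relays only.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: our own relays; Received headers they wrote are believed.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed whitelist: address paired with the /16 it normally arrives from.
WHITELIST = {"alice@example.org|ip=192.0"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def last_untrusted_relay(msg):
    """Walk Received headers newest-first; return the first IP outside TRUSTED_NETS."""
    for header in msg.get_all("Received", []):
        m = IP_RE.search(header)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. [999.1.1.1] in a malformed header
            continue
        if not any(ip in net for net in TRUSTED_NETS):
            return ip
    return None

def whitelist_key(msg):
    """Combine From address and relay /16 into one key; None if either is missing."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    ip = last_untrusted_relay(msg)
    if not addr or ip is None:
        return None
    a, b = str(ip).split(".")[:2]
    return f"{addr}|ip={a}.{b}"

def is_whitelisted(raw):
    return whitelist_key(message_from_string(raw)) in WHITELIST

# Constructed messages: same From address, different handing-off relay.
GENUINE = (
    "Received: from mx.internal (mx.internal [10.0.0.5]) by mail.internal\n"
    "Received: from out.example.org (out.example.org [192.0.2.25]) by mx.internal\n"
    "From: Alice <alice@example.org>\n\nhi\n"
)
SPOOFED = (
    "Received: from mx.internal (mx.internal [10.0.0.5]) by mail.internal\n"
    "Received: from unknown (unknown [203.0.113.77]) by mx.internal\n"
    "From: Alice <alice@example.org>\n\nbuy now\n"
)
```

A message with no usable relay information yields no key and is therefore never whitelisted on the From address alone.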