  • Use PGP to try to find a trust path.
  • Checking the direct trust should be relatively simple if one has access to the user's keyring. But what about server side filtering?
  • Is it feasible to query servers for an indirect trust path, too? What's the overhead?
  • JustinMason: imo this is definitely a good idea. I'm worried about the CPU overhead of checking GPG sigs, but caching recently-seen "good" sigs in a cache keyed on From-address and first untrusted IP address from the Relays header would help that. Also, gaining access to GPG from Perl isn't easy; the CPAN modules are not great. imo the cleanest option may be running GPG directly from a plugin.

This would be a very good idea. The biggest problem is the resources and time it would take to check the signatures of a message and then find the chain between the server's key and the sender's key.

I think it would be a good idea to give each installation of SpamAssassin its own GPG key and use that key to sign the keys of the users of the server and the keys of any other servers that are used at the same site or are commonly communicated with. This way you are only finding the key chain from one key to the sender, and the cache database would be easier to implement.
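
The cache of recently seen "good" signatures suggested in the comments above could look like the following. This is an added sketch, not SpamAssassin code: the names GoodSigCache, check_signature and the verify callable (a stand-in for the real GPG check) are hypothetical, the sample messages and addresses are constructed, and comparing addresses case-insensitively is an assumption.

```python
import time

class GoodSigCache:
    # Recent "good" verdicts keyed on (From address, first untrusted relay IP).
    def __init__(self, ttl_seconds=3600, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._expiry = {}                      # key -> expiry time

    def _key(self, from_addr, relay_ip):
        return (from_addr.strip().lower(), relay_ip.strip())

    def is_good(self, from_addr, relay_ip):
        key = self._key(from_addr, relay_ip)
        expires = self._expiry.get(key)
        if expires is None:
            return False
        if self.clock() >= expires:
            del self._expiry[key]              # stale: force re-verification
            return False
        return True

    def remember_good(self, from_addr, relay_ip):
        self._expiry[self._key(from_addr, relay_ip)] = self.clock() + self.ttl

def check_signature(cache, from_addr, relay_ip, message, verify):
    # `verify` is a hypothetical callable standing in for the expensive GPG
    # check (for example a plugin running gpg); called only on a cache miss.
    if cache.is_good(from_addr, relay_ip):
        return True
    ok = bool(verify(message))
    if ok:                                     # only good verdicts are cached
        cache.remember_good(from_addr, relay_ip)
    return ok

def demo():
    calls = []
    def fake_verify(msg):                      # constructed stand-in, not GPG
        calls.append(msg)
        return msg.endswith(b"SIGNED-OK")
    now = [0.0]
    cache = GoodSigCache(ttl_seconds=60, clock=lambda: now[0])
    alice = "alice@example.org"
    results = [
        check_signature(cache, alice, "192.0.2.10", b"m1 SIGNED-OK", fake_verify),
        check_signature(cache, alice.upper(), "192.0.2.10", b"m2 SIGNED-OK", fake_verify),
        check_signature(cache, alice, "198.51.100.7", b"m3 unsigned", fake_verify),
    ]
    now[0] = 61.0                              # past the 60 s TTL
    results.append(check_signature(cache, alice, "192.0.2.10", b"m4 SIGNED-OK", fake_verify))
    return results, len(calls)
```

Because the relay IP is part of the key, the same From address arriving through a different relay is a cache miss and goes back through full verification; the TTL bounds how long a cached verdict is trusted without a fresh check.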

FOAF

  • How can we incorporate [http://www.foaf-project.org/ FOAF]? Querying the website each time has quite some overhead, some caching is needed.
  • How to access? XML-RPC or some DNSDB gateway? (Have you noticed that DNS gets abused for quite some things?)
  • JustinMason: in thinking about this in the past, I considered that possibly the best way would be to have a crawler run from cron which generates a local cache of the remote data. However, one issue is that FOAF does not specify relays, just email address hashes; so this means that it's vulnerable to spammers faking the From addr. See 'Using From For Whitelisting Problems' below.
