Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm
Precedence: bulk
Received-SPF: pass (athena.apache.org: local policy)
Message-ID: <48517319.3090107@netoyen.net>
Date: Thu, 12 Jun 2008 21:03:53 +0200
From: mouss <mouss@netoyen.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Linda Walsh <sa-user@tlinx.org>
CC: SA-users <users@spamassassin.apache.org>
Subject: Re: Discussion side point: levels of Trust
References: <17763488.post@talk.nabble.com> <484EF43B.1060809@leisi.net>
 <484F79C8.8030106@leisi.net> <485071FE.5010001@tlinx.org>
In-Reply-To: <485071FE.5010001@tlinx.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Linda Walsh wrote:
> Matthias Leisi wrote:
>> 1) This advice:
>> | Tue Jun 10 14:55:36 2008 [72096] dbg: conf: trusted_networks are not
>> | configured; it is recommended that you configure trusted_networks
>> manually
>>
>> should not be ignored. Setting trusted_networks would slightly reduce
>> the number of DNS lookups and can avoid all sorts of funny error
>> situations.
> ========
>
>     How does one decided on 'trust'?  I.e. I think it would be
> useful to assign a probability to "Trust" at the least.  I mean do I put
> my ISP in my trusted server list?   -- suppose they start partnering with
> an ad-firm?  Or.. get bought-out? 

if they forge headers in mail you get, then you have a bigger problem 
than just spam. and in most countries, such an ISP can be sued. it's one 
thing to send spam. it's another story to falisify data. you don't even 
need to sue. just pass the info to other users. what if the ISP starts 
replacing http responses with pages of their own? what if they start 
phishing?


> ... I probably won't know most of their
> internal politics...  ISP's in some eastern state have already 
> committed to
> filtering arbitrary sites based on local values and arbitrary listing
> policies(?)  This whole 'save-the-child-porn' shtick the government is
> using as a necessary excuse to violate computer privacy is unacceptable.

don't tell me about that. we (in .fr) used to have very good privacy 
laws, but it seems these days are gone (or on the way). As B. Franklin 
said: People willing to trade freedom for temporary security deserve 
neither and will lose both.

>
> They did the same thing -- claimed they needed intrusive powers to 
> protect
> against terrorists -- but 80% of the people they've used those powers
> against have been for 'common crimes' (or drug prosecutions).
> In the UK, they are using anti-terrorism surveillance-cams to
> enforce doggie-doodoo pickup laws!
> In the US, the government is using "passenger manifests" of arriving, 
> overseas
> flights, to detain and arrest foreign businessmen and citizens on 
> civil and
> non-violent criminal investigations.
>
> But those are general complaints about untrustworthiness of previously
> trustworthy entities....
>
> I don't have a binary trust value, really.  As an example,
> going from most trusted to least, I might have:
>
> - a lab/build/test machine (linux usually)
> - internal server proxy to out-net (linux)
> - windows XP desktop (its windows, no direct outside connect, but can 
> proxy)
> - my ISP's servers
> - root DNS servers (arguably more trustworthy than most ISPs, but since
>    I have to go through my ISP to get to them, _logically_, how can I
>    trust them more?)
> - HTTPS-personal money sites...(for some things more trust than my 
> ISP, but
>     they are 'banks' -- so that trust is with some grains of 'salt'
> - Mainstream web-providers (varies based on reputation, but examples 
> would
>     include Google, BBC(.co.uk), various online businesses with physical
>     presence, 'seem' more trustworthy (at least you know where they 
> are based?)
> - government sites, Depends.  from 'ok' trust to downright untrustworthy.
> - unknown sites / known bad sites...
>
>