
Re: [Asrg] Time for the ISPs to fight back!

2003-03-05 15:05:22
On Wed, Mar 05, 2003 at 03:53:35PM -0500, Kee Hinckley wrote:
> At 7:52 PM +0000 3/5/03, Richard wrote:
> > Instead I suggest that the detection software at ISPs should respond 
> > to the spam it detects. This wouldn't affect the few false positives 
> > that are found, in fact it would be a service as it would advise 
> > them to rephrase their subject line.
> 
> This is why everyone is talking about authenticated senders.  You 
> cannot reply until you know who to reply to.  The message arrives 
> from a machine not owned by the spammer.  The from address isn't 
> owned by the spammer.  The web address listed in the email may only 
> be up for a matter of hours before it is shut down.  In fact often 
> even the domain records get changed by the spammer after the spam has 
> been out for a few hours.  Any form of automatic reply promptly turns 
> into a very convenient way to abuse innocent bystanders.  It all 
> comes back to authentication.

  People might want to look at the recently-implemented Postfix
sender verification feature in current snapshot releases.  

  This is only a few months old, but it does, nicely and carefully, a
lot of what people are discussing or asking for.

* In verifying the sender address, it gets as far as connecting, doing
MAIL FROM: <> and verifying a 250/5xx for the RCPT TO, then does a RSET
on the machine it is verifying it on before disconnecting.

* If it gets a 250 for the sender address, it passes that particular
test, and if the other UCE tests pass it will return a 250 acceptance
to the sender.

* If it gets a 5xx, it remembers the address as invalid, and returns a
failure to the sender.

* If it is unable to immediately validate the sender, it returns a 4xx
SMTP code requesting a retry, while it continues attempting the
validation so it will have the answer when they do retry.

* It caches positively and negatively validated sender addresses, so as
not to overload real or forged sender sites with queries.

* It supports whitelisting of various kinds to prevent hammering
mailing list machines.  (In particular those that use VERP in which
case none of the sender addresses will be "valid" as such.)

  Note that with this feature, if a spammer domain has no valid MXes,
or has MX set to 127.0.0.1 or 0.0.0.0, hey presto! They'll never be
able to mail you.  Likewise if they are forging a (fake) user at a
valid domain, the domain owner would probably rather get the validation
query than a whole series of bounces to nonexistent users.

  It's not a magic bullet, but it provides interesting and useful
functionality, and a number of sites are now running it pretty happily.

  -- Clifton

-- 
     Clifton Royston  --  LavaNet Systems Architect --  
cliftonr(_at_)lava(_dot_)net

  "If you ride fast enough, the Specialist can't catch you."
  "What's the Specialist?" Samantha says. 
  "The Specialist wears a hat," says the babysitter. "The hat makes noises."
  She doesn't say anything else.  
                      Kelly Link, _The Specialist's Hat_
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
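The callout sequence Clifton describes above (connect, MAIL FROM:<>, RCPT TO, read 250/5xx/4xx, RSET, disconnect), together with the result cache, the 4xx "try again later" answer and the whitelist for list hosts, as an added illustration that is not part of the original message and is not Postfix's own code. It runs a constructed fake SMTP server on localhost in a thread so the exchange can be exercised offline; the addresses, domains, SMTP reply texts and the hostnames probe.example / mx.target.example are all made up for the example.

```python
import smtplib
import socketserver
import threading

# --- Constructed fake remote MX (the "forged sender site" being probed) ---
class FakeSMTPHandler(socketserver.StreamRequestHandler):
    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 mx.target.example ESMTP (constructed fake)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mx.target.example")
            elif verb == "MAIL":                      # MAIL FROM:<> is always accepted
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":                      # this is the answer the probe wants
                addr = arg.partition("<")[2].partition(">")[0].lower()
                self.server.rcpt_count += 1           # count how often we get queried
                if addr in self.server.valid_users:
                    self.reply("250 2.1.5 Ok")
                elif addr in self.server.tempfail_users:
                    self.reply("450 4.7.1 Try again later")
                else:
                    self.reply("550 5.1.1 User unknown")
            elif verb == "RSET":                      # probe resets instead of sending DATA
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


class FakeSMTPServer(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, valid_users, tempfail_users):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)   # port 0: pick a free port
        self.valid_users = set(valid_users)
        self.tempfail_users = set(tempfail_users)
        self.rcpt_count = 0


# --- The verifying side: one callout, then a cached verdict ---
def probe_sender(host, port, address):
    """Verify one sender address: MAIL FROM:<>, RCPT TO:<address>, RSET, QUIT.
    Returns 'valid' (250), 'invalid' (5xx) or 'unknown' (4xx / network trouble)."""
    try:
        with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=5) as smtp:
            smtp.helo()
            code, _ = smtp.mail("<>")            # null sender, so a reply cannot loop
            if code != 250:
                return "unknown"
            code, _ = smtp.rcpt(address)
            smtp.rset()                          # never proceed to DATA; QUIT follows on exit
    except (OSError, smtplib.SMTPException):
        return "unknown"
    if code == 250:
        return "valid"
    if 500 <= code < 600:
        return "invalid"
    return "unknown"


class SenderVerifier:
    """Maps a probe result onto the SMTP answer given to the *submitting* client."""

    def __init__(self, host, port, whitelist_domains=()):
        self.host, self.port = host, port
        self.whitelist = {d.lower() for d in whitelist_domains}   # e.g. VERP list hosts
        self.cache = {}                                           # address -> 'valid'|'invalid'

    def check(self, sender):
        domain = sender.rpartition("@")[2].lower()
        if domain in self.whitelist:
            return 250, "2.1.0 Ok (sender domain whitelisted, not probed)"
        result = self.cache.get(sender)
        if result is None:
            result = probe_sender(self.host, self.port, sender)
            if result != "unknown":              # only definite answers are cached
                self.cache[sender] = result
        if result == "valid":
            return 250, "2.1.0 Ok"
        if result == "invalid":
            return 550, "5.1.0 Sender address rejected: undeliverable"
        return 450, "4.1.0 Sender address verification pending, try again later"


def run_demo():
    """Start the fake MX, run six submissions through the verifier, return what happened."""
    server = FakeSMTPServer(valid_users={"alice@target.example"},
                            tempfail_users={"busy@target.example"})
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        verifier = SenderVerifier("127.0.0.1", server.server_address[1],
                                  whitelist_domains={"lists.example"})
        senders = ["alice@target.example", "nobody@target.example", "busy@target.example",
                   "bounce-42-user=host@lists.example",          # VERP-style, whitelisted
                   "alice@target.example", "nobody@target.example"]   # repeats hit the cache
        codes = [verifier.check(s)[0] for s in senders]
        return {"codes": codes, "probes": server.rcpt_count, "cache": dict(verifier.cache)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Six submissions cause only three RCPT probes: the whitelisted list address is never queried, the two repeats are answered from the cache, and only the 4xx case stays uncached so it is re-asked on the client's retry, which is the behaviour the bullet list above describes.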