RMX method validity and alternatives (was Re: [Asrg] Declaration to the world)
2003-03-07 04:45:52
Chris Lewis wrote:
> Pierre BRUA wrote:
>> http://www.monkeys.com/anti-spam/filtering/additions.html
>
> Read a little further. It only works reliably enough to be worthwhile
> for a very limited number of very large domains.

That's what it has been used for by monkeys.com, since they (of course)
cannot take the time to implement rdns data for everyone.

> Even if this was RFC'd
> into some sort of DNS convention or extension, it's trivially bypassed
> by the spammer choosing envelope senders that don't participate in the
> convention.

And such envelope sender domain owners, knowing it has been abused by
spammers, would likely implement rdns records sooner or later, or be
listed in blacklists of domains that are abused by spammers _and_ do not
apply the rdns rfc.
If a domain is abused by spammers, it means for the domain owner
millions of dns queries to verify that the domain really exists, bounce
messages from everywhere, complaints, and so on. It doesn't go
unnoticed and has quite a high network/server load cost anyway.
I know people whose domain has been abused like that and I can assure
you they have spent a lot of time clearing the mess.
They tried to locate the spammer and take legal action, but the
spammers had already disappeared by that time.

> Given that, for example, huge chunks of the internet don't
> have [r]DNS at all, it's pretty clear it'd never become widespread
> enough to be long-term useful.

Open relays were quite widespread at one time; now there are only around
250k of them, compared to the millions of mail servers, and most are
referenced in anti-spam blacklist databases.
You can check some statistics at http://www.ordb.org/statistics/
RMX may follow the same evolution, we will know if we try it.

> In other words, anything that relies on a significant fraction of the
> non-spammers to do something is doomed to failure.

For getting mail, non-spammers have to do a lot of things, and they have
no way not to do it and get working domains, namely:
- Get a domain name and pay for it.
- Get DNS servers that manage their domains
- Get MX records associated to the domain name
- Get the mail server listed on the MX records to be there and receive
emails for the domain from the internet
- create the mail accounts
- maintain valid contacts for domain renewal
Do you feel that optionally maintaining an added RMX record would be too
much? For most domains it would be set to the MX and/or the network of
the ISP customer.

> Yes, the technique can be useful sometimes in specific situations. But
> not well enough to enshrine into long-term standards, and useless the
> day after publication.

At least, it will stop domain names from being abused by spammers in
From headers. Spammers could today DDoS most mail servers on the
internet with such a method, and no one seems to care.
If you talk to aol, hotmail or yahoo support and marketing teams about
how bad their company is viewed by internet users due to forged from
headers ("I receive plenty of spam from aol and hotmail"), and how much
bounce/network overload they get related to spammers forgeries, you
would see it would be a significant improvement already.
Spammers could always use reply-to for domains they have no
authorization for, but that would matter much less.

> There's a similar heuristic, which is probably more effective in
> blocking spam - that is, for selected domains, _insist_ that the
> argument to HELO matches the peer's rDNS domain name in some fashion.

The fact that it currently stops some spam is a side-effect, as if you
said: I don't accept mail from people who have few mail server
configuration skills (bad hostname) and/or who are on a network managed
by someone with low network skills (bad or no rdns records).
If you prefer that point of view, this is almost equivalent to a
blacklisting of the IP addresses listed on
http://www.rfc-ignorant.org/how_to_ip.php
This heuristic is also in no way related to the server's authority to send
mail from a certain domain.

> But again, while it's currently useful for some specific sites (eg: AOL,
> Hotmail/MSN, Yahoo), it's too easily bypassable and compliance will
> never be widespread enough to enshrine into public standards.

This is an interesting point. If I understand you well, you say that
spammers will choose domain names that have no rmx records to spam. Like
when they use open relays.
This gives a choice to the recipient.
For example, I can use it to implement an email validity confirmation
request (like tmda.net) for only domains who do not implement rmx
records or are not blacklisted due to their spamming activity.
This removes the burden of confirmation for correct domains.
I think (but I understand it may not be your choice) that we are not
defining a tool that will be perfect or 100% efficient, but one that
gives us quite a bit more control over what we (as mailbox users) choose to receive.
Pierre
--
PARALLINE /// Parallelism & GNU/Linux
///
71,av des Vosges Phone:+33 388 141 740
F-67000 STRASBOURG Fax:+33 388 141 741 http://www.paralline.com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
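
The recipient-side policy discussed in the message above, as an added example that is not part of the original post or of any RMX draft: a domain that publishes RMX data gets a hard accept/reject on the connecting IP, and only domains without RMX data are sent a TMDA-style confirmation request. The `RMX` table, the `ABUSED_NO_RMX` list, the `.example` domains and the `classify` function are assumptions made for illustration; the table stands in for a DNS lookup and does not reproduce the real record syntax.

```python
import ipaddress

# Constructed sample data standing in for RMX lookups (assumption: each
# participating domain publishes the networks allowed to send its mail).
RMX = {
    "bigisp.example": ["192.0.2.0/24"],        # set to the ISP's network
    "smallco.example": ["198.51.100.25/32"],   # set to the single MX host
}
# Hypothetical local list: domains known to be forged by spammers that
# still publish no RMX data.
ABUSED_NO_RMX = {"abused.example"}


def classify(envelope_sender: str, peer_ip: str) -> str:
    """Return 'accept', 'reject' or 'challenge' for one SMTP transaction."""
    if "@" not in envelope_sender:
        # Null sender (a bounce): no domain to check, left to other policy.
        return "accept"
    domain = envelope_sender.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return "reject"  # malformed peer address, nothing to authorise
    nets = RMX.get(domain)
    if nets is not None:
        # Domain participates: the peer must be inside a published network.
        ok = any(ip in ipaddress.ip_network(n) for n in nets)
        return "accept" if ok else "reject"
    if domain in ABUSED_NO_RMX:
        return "reject"
    # Domain does not participate: fall back to sender confirmation, so
    # the confirmation burden only falls on non-participating domains.
    return "challenge"


def demo():
    # Constructed transactions: (envelope sender, connecting IP).
    sample = [
        ("alice@bigisp.example", "192.0.2.10"),    # authorised host
        ("alice@bigisp.example", "203.0.113.7"),   # forged sender domain
        ("bob@unknown.example", "203.0.113.7"),    # no RMX published
        ("eve@abused.example", "203.0.113.7"),     # abused, no RMX
    ]
    return [classify(s, ip) for s, ip in sample]


if __name__ == "__main__":
    print(demo())
```

The second transaction is the case the thread argues about: forging a participating domain fails outright, while choosing a non-participating domain only moves the message into the confirmation path.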