ietf-asrg

Re: [Asrg] Let's try something different

2003-03-08 08:36:27
Kee Hinckley wrote:

> Even the proxy list
> someone recently posted a URL to here promptly gave us false
> positives--including ones for some people on this list!

I suppose I can understand why people have such myopic views of such
things. But one glance at the metrics our tools produce of such things
would make a believer out of just about anyone.

The hugely critical thing is how you handle false positives.  Do you
just sigh, and say "blacklists are STUPID!!!" and turn them off, or do
you take a broader view and get the open proxy fixed? It's not as if a
given FP is something you can't do something about.

An FP or two?  So what?  If you're doing it right, the worst that happens
is that the email is delayed a bit.

For example, there are class Bs in Brazil that have 500 IPs pumping
email at us, and a simple combination of, say, BOPM and Monkeys lists
over 95% of them.  The _accuracy_ of BOPM's and Monkey's listings is
easily seen - virtually every one of those IPs is pumping 10 (or a
hundred or even a thousand) times as much email into our spamtraps as
they manage to address to real users. We're talking hundreds or
_thousands_ of daily spamtrap hits.

The well run proxy lists are fiendishly accurate - at the time the test
was done, they _were_ open, and in almost every case, pumping only spam,
no legit email (remember that most open proxies are things like default
open AnalogX proxies on ADSL lines that were never intended to send any
email in the first place).

But, of course, this leaves a hole - the blacklists often don't get
realtime notification of closure, and won't know to delist.  This is
clearly MUCH more pronounced in less well known/used blacklists[*].

Consider this, then: if _every_ mail system made use of open proxy
blacklists, and every mail system utilized a reasonably sane method of
back-notifying legit senders from these IPs of the blacklisting. [Hence,
for example, my posting of points for a BCP on filtering.]

Result?  Senders get their systems fixed ASAP, and things get delisted
in a timely fashion.  The FPs have been resolved.  Virtually no harm
done. The only ones left open are the ones not sending any legit email,
just spam.  Better accuracy.  Fewer spam sources.

I'd almost suggest that the ASRG propose a BCP that at least recommends
that MTAs reject email from promiscuous proxies. I can't think of a
faster way to get them all fixed and take a pretty substantial bite out
of our current spam loads.  At least it may prompt the developer of
AnalogX to _finally_ make the thing default to non-promiscuous - I've
tried, no joy.

[*] We run a combination of DNSBLs in addition to other filtering
techniques.  We also have a well developed procedure for being notified
of false positives and pushing fixes, retests and delistings.  When we
introduced these blacklists, we had an initial flurry of FPs as
small-time senders encountered a system using blacklists for the first
time. We forward the blocked email, queue the retests, and help the
sender get their problem fixed and delisted - if it's still open. One of
the most compelling results was that the highest FP ratio (FPs per IP
listed) was that of an open relay blacklist that only two systems on the
planet use (ours and the BL maintainer's.  We're big.  The BL owner is
about 600 times larger).  Its accuracy is obviously directly dependent
on the number of MTAs that actually use it.

You know what?  At first, we routinely saw 5-10 FPs per day (repeat
after me: forward the email, send the sender boilerplate of why it was
blocked, queue the retests, help the sender get the problem fixed.  No
harm done).  We're now averaging about 2/day.  Soon, we'll be seeing a
few per week.  Each being handled the same way - no harm done.

Our users are paranoid about losing email.  Our company _relies_ on
email for business purposes.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
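The post leans on two numbers to judge a blocklist against local traffic: per listed IP, how much mail lands in spamtraps versus real mailboxes, and per list, how many false positives it produces per IP listed. The script below is an added example, not code from the ASRG post or from any blocklist maintainer; the delivery summary lines, list names and the "confirmed false positive" sets are constructed for illustration, and the 10:1 trap ratio threshold is an assumption taken from the post's "10 (or a hundred ...) times as much" remark. It computes both metrics and builds the retest queue the post describes: listed IPs whose own traffic at this site does not corroborate the listing.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed MTA delivery summary: "<client-ip> <recipient-class> <count>".
# recipient-class is "trap" (spamtrap address) or "user" (a real mailbox).
SAMPLE_DELIVERIES = """\
203.0.113.10 trap 1200
203.0.113.10 user 85
203.0.113.11 trap 40
203.0.113.11 user 0
198.51.100.7 trap 0
198.51.100.7 user 310
192.0.2.44 user 12
"""

# Constructed blocklist snapshot (hypothetical list names): IPs each list had
# listed when the mail arrived, and the subset a later retest showed were
# not open (the false positives).
LISTINGS: Dict[str, Set[str]] = {
    "proxy-list-a": {"203.0.113.10", "203.0.113.11", "198.51.100.7"},
    "relay-list-b": {"198.51.100.7", "192.0.2.44"},
}
CONFIRMED_FP: Dict[str, Set[str]] = {
    "proxy-list-a": {"198.51.100.7"},
    "relay-list-b": {"198.51.100.7", "192.0.2.44"},
}


def parse_deliveries(text: str) -> Dict[str, Dict[str, int]]:
    """Aggregate summary lines into per-IP trap/user totals."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"trap": 0, "user": 0})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, cls, n = line.split()
        if cls not in ("trap", "user"):
            raise ValueError(f"unknown recipient class {cls!r}")
        counts[ip][cls] += int(n)
    return dict(counts)


def trap_ratio(counts: Dict[str, Dict[str, int]], ip: str) -> float:
    """Spamtrap hits per message addressed to a real user for one IP.

    An IP that only ever hits traps gets +inf; an unseen IP gets 0.0."""
    c = counts.get(ip, {"trap": 0, "user": 0})
    if c["user"] == 0:
        return float("inf") if c["trap"] > 0 else 0.0
    return c["trap"] / c["user"]


def retest_queue(counts: Dict[str, Dict[str, int]], listed: Set[str],
                 min_ratio: float = 10.0) -> List[str]:
    """Listed IPs whose local traffic does not corroborate the listing.

    These are the ones to forward, notify the sender about and queue for a
    retest, as the post describes; the rest are backed by our own data."""
    return sorted(ip for ip in listed if trap_ratio(counts, ip) < min_ratio)


def fp_per_listed(listings: Dict[str, Set[str]],
                  confirmed_fp: Dict[str, Set[str]]) -> Dict[str, float]:
    """False positives per IP listed, the accuracy figure the post compares."""
    return {
        name: len(confirmed_fp.get(name, set()) & ips) / len(ips)
        for name, ips in listings.items()
        if ips
    }


if __name__ == "__main__":
    counts = parse_deliveries(SAMPLE_DELIVERIES)
    for ip in sorted(counts):
        print(f"{ip:15} trap:user ratio = {trap_ratio(counts, ip):.2f}")
    for name, ips in LISTINGS.items():
        print(f"{name}: retest queue = {retest_queue(counts, ips)}")
    for name, rate in fp_per_listed(LISTINGS, CONFIRMED_FP).items():
        print(f"{name}: {rate:.2f} FPs per listed IP")
```

With the constructed data, the lightly used relay list shows a false-positive rate of 1.0 per listed IP while the proxy list shows 0.33, which is the pattern the post reports for a list with only two users; both of the relay list's entries end up in the retest queue because neither IP hits a single spamtrap here.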