ietf-asrg

Re: [Asrg] A method to eliminate spam

2003-03-20 08:54:44
Ronald F. Guilmette wrote:
In message <3E78C984(_dot_)1020505(_at_)americasm01(_dot_)nt(_dot_)com>, "Chris Lewis" <clewis(_at_)nortelnetworks(_dot_)com> wrote:
And the winner is.... <<drum roll>>...

:-)

I was expecting you to chime in :-)

[*] I have an issue with MONKEYSPROXY because the criteria for removal isn't "just fix the open socks or proxy and ask for retest" - because asking for the retest has other extraneous requirements.

The UPL re-testing/de-listing requirements are detailed here:

     http://www.monkeys.com/upl/delisting-policy.html

They are reasonably trivial to satisfy... unless you are a complete
dumbshit and/or unless your ISP is totally worthless and totally
unresponsive, even to YOUR requests for assistance.

I'm half expecting/dreading this to turn into a long protracted discussion. Ron and I have had this conversation before, and I don't expect my comments here will change his mind. So, I'm going to say my piece as it pertains to general principles of spam control and then shut up on this subject.

In my view, the criteria for "delisting" an IP in a blacklist should be the exact reverse of the criteria for "listing". This is true in most blacklists. Not true for Monkeys - its saving grace _so_far_ is simply that it _is_ very effective (partially due to us, as you'll recall, Ron). But this will degrade over time given your delisting criteria.

I agree with your remark about ISPs. But, that's not the point. The goal of any anti-spam "technique" is to stop spam, not to attempt to enforce "best practices" which are unrelated to the technique, and are at best only indirectly addressing spam. As such, a list where being listed means "you're an open proxy", being delisted should mean "you're no longer an open proxy", not "you're no longer an open proxy, and your provider isn't an idiot".

For our purposes in handling false positives, I need to be able to tell the person who hit the block that "I've triggered a retest" subject only to issues surrounding, say, OSIRUS's or ORDB's retesting mechanism glitching and missing a request, not "I tried to, pray your ISP pays attention, your WHOIS entry is sane, etc".

The UPL isn't strictly an "open proxy/socks" list, it's more of an awkward combination of "open proxy/socks" plus "RFCIgnorant". Those who want to use it need to be aware of that fact.

When we hit a MONKEYS block we provide the end-user with the appropriate link for the sender progressing through your delisting criteria, but I'd expect the majority of users not to be able to complete it successfully.

As I said, it's not a problem in practice yet, because we automatically whitelist hits in "security lists" (open relay, proxy, socks) unless we have reason to believe that the IP in question is actively spewing spam _now_.

However, as the UPL gets older (it's only a few months old), and more and more entries become out-of-date because of the delisting requirements, we may have to rethink all of our interactions with it.

Hummmm.... <<pulls out slide rule>>... So only about 1/90th of your
whitelist requests arise due to your use of the UPL, but the UPL is
stopping half, or more than half of your incoming spam.

As I mentioned, I expect this to degrade over time. BOPM by itself is almost as effective as Monkeys, and it doesn't have this problem - it can't degrade into a list of "stupid providers" instead of "open proxies/socks".

As for BOPM - only two "false positive" reports over a period several months longer than we've been using Monkeys.

They were really open at the time and spewing spam. We got the sites fixed and delisted.

In other words, we've not seen a FP due to BOPM's entries being stale yet. At least half of those with the UPL were stale and no longer valid.
