From: Chuq Von Rospach <chuqui(_at_)plaidworks(_dot_)com>
...
Which leads to assuming all of those sites fall into one of three
categories:
1) they want to be open relays.
2) they don't care.
3) they don't know any better.
4) they ain't home. the admin who set things up isn't there any more,
and neither is anyone else.
There's a fifth category, or perhaps a flavor of the last 3:
- the system is well maintained and might need to do some authorized
relaying, perhaps because it is a "smart host," in a DMZ, or is an
MX secondary, but is sufficiently misconfigured that it relays in
one of the ~18 problem cases.
Whether it relays in some unauthorized cases is not obvious to its
owners, because the open door might do some good and does no harm
until and unless it is discovered by spammers and not much harm even
then.
(Yes, I've seen systems clobbered by loads of relay spam, but that
was long ago when ratios of computer/network speed were 10 or more
times smaller than they are now.)
(Yes, I've heard of RSS, ORBS, ORDB, and others. They've been listing
10**5 open relays forever with no significant change. Like most DNS
blacklists, their bark (supposed popularity according to some) is far
larger than their bite (true popularity or amount of mail they bounce).)
I figure that at least 1% of all SMTP server installations or upgrades
will always suffer this sort of problem. Since there are far more than
10**7 SMTP servers, and they need to be updated or replaced and so
(re)configured at least annually, there will always be more than 10**5
open relays.
Similar but about 100 times more discouraging quantitative reasoning
applies to open proxies.
...
This seems to lead back to solutions that can be implemented at the
receiving end, either server-based or client-based. Any solution that
requires "they" cooperate has to answer how we plan to find out who
"they" are, and then get "them" to go along with it.
...
I may have lost count, but I think all of the solutions that have been
proposed and defended at length in this mailing list have assumed
"they" or everyone will do something starting with installing new
software and then spam will stop. That is certainly true of
challenge/response, authentication and/or encryption, no-bounce,
message pull, honeypots, and sender-pays systems.
Notice that the "bounces should be outlawed" and "relays are not
needed" positions could be but are never implemented at the mail
receivers of their advocates. No great effort is needed to reject
bounces (e.g. from Mailer-Demon) or mail that has been relayed (many
Received lines) when it is seen by an MUA or MTA.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
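
The receiver-side check mentioned in the last paragraph of the message above (reject bounces, reject mail with many Received lines), as an added example that is not part of the original post. The hop threshold `MAX_RECEIVED`, the function names and the sample messages are assumptions constructed for illustration.

```python
# Added example: receiver-side policy check run by an MTA hook or MUA filter.
from email import message_from_string
from email.utils import parseaddr

MAX_RECEIVED = 3  # assumed local policy: more Received lines than this is "relayed"

def is_bounce(msg):
    """True if the message looks like a delivery status notification."""
    # RFC 5321 bounces carry the null reverse-path, logged as "Return-Path: <>".
    rp = msg.get("Return-Path")
    if rp is not None and rp.strip() == "<>":
        return True
    # Many MTAs send bounces from a MAILER-DAEMON mailbox.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.split("@")[0].lower() == "mailer-daemon":
        return True
    # RFC 3464 DSNs are multipart/report with report-type=delivery-status.
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status")

def received_hops(msg):
    """Number of Received header fields; folded continuation lines count once."""
    return len(msg.get_all("Received", []))

def verdict(raw, max_received=MAX_RECEIVED):
    """Classify one raw RFC 5322 message under the two policies."""
    msg = message_from_string(raw)
    if is_bounce(msg):
        return "reject: bounce"
    hops = received_hops(msg)
    if hops > max_received:
        return f"reject: relayed ({hops} Received lines)"
    return "accept"

# Constructed sample messages (not real traffic).
DIRECT = ("Received: from mail.example.org by mx.example.net;\n"
          "\tWed, 5 Mar 2003 10:00:00 -0800\n"
          "From: alice@example.org\nSubject: hello\n\nhi\n")
BOUNCE = ("Return-Path: <>\nReceived: from mx.example.com by mx.example.net;\n"
          "\tWed, 5 Mar 2003 10:00:00 -0800\n"
          "From: Mail Delivery Subsystem <MAILER-DAEMON@example.com>\n"
          "Subject: Returned mail\n\nundeliverable\n")
RELAYED = ("".join(f"Received: from h{i}.example by h{i + 1}.example;\n"
                   f"\tWed, 5 Mar 2003 10:0{i}:00 -0800\n" for i in range(5))
           + "From: bob@example.org\nSubject: forwarded\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("bounce", BOUNCE), ("relayed", RELAYED)):
        print(name, "->", verdict(raw))
```

Lowering `max_received` also rejects mail that crossed legitimate forwarders, mailing lists or secondary MXes, so the threshold has to match the receiver's own inbound path.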