ietf-asrg

Re: [Asrg] seeking comments on new RMX article

2003-05-05 22:53:30
From: David Maxwell <david(_at_)crlf(_dot_)net>

...
Meaning they create hotmail and yahoo accounts, and send through them
until cut off?  ...

Assume Hotmail and Yahoo sign up for RMX.   Then they either continue to
let their users send from any IP address on the net, or they tell their
users the rules have changed and they must use only Hotmail and Yahoo
mail sending systems.  That will drive away many Hotmail and Yahoo users.


               That's a different problem - implement MTA rate-limiting
on a per-client/customer basis to address it.

I think practically all free providers already have rate-limiting, if
not explicit software then simply in the awkwardness of using their
systems to send lots of mail.  The problem is that most mail providers
are happy to let their customers use other ISPs to send mail, and many
users want to do that for various good and legitimate reasons.


...
a) Why is the DSL/Cable provider an open relay?

It's not that the DSL/Cable provider is an open relay, but that many
of the individual systems on the provider's network are proxies or
relays.  That is because individual users choose junk proxy software
that is open by default, and junk operating software that is vulnerable
to trojan horses, viruses, and worms carrying open proxy software.
I agree that's bad and that fixing that would make dealing with spam
a lot easier, but we're talking about RMX.  Besides, I understand
RMX as intended to be at least partly a cure for open proxies.


b) Why don't the AOL/Hotmail/Yahoo MUAs deliver mail (via authenticated
connection) to the AOL/Hotmail/Yahoo mailserver?

Because some of their users don't want to and AOL/Hotmail/Yahoo are
unlikely to want to offend those users.


...
The concept of the ISP _authorizing_ mail to come from a server at a
certain address has a different meaning than just having a good PTR
record.

PTR RRs were not invented for authorizing TCP clients, but they were
used that way in the 1980's and early 1990's.  That the old application
was FTP instead of SMTP is irrelevant.


...
I say that if even 20 networks use it, they will benefit. Then everyone
else (once aware) gets to decide whether the effort/benefit tradeoff is
worthwhile. 

Please explain how the users of 20 networks of a total of 64K (?) IP
addresses would benefit by using RMX when no one else does.  Only
about 0.002% of all mail would involve RMX bits.  People keep saying
there would be a benefit for the early adopters, but I do not recall
seeing any explanation of how that works.  How does any spam get
filtered in that case?


...
If it is 10 years, will your ISP deploy this decade?  If 1,000,000
users get it in the next year, would it be worthwhile for you to check
RMX bits?  1,000,000 users are about 0.2% of the Internet, so only
0.2% of legitimate mail would have it.

For most ISPs, this will require what, 2 DNS entries?

I didn't mention anything about increases in zone file sizes.  How is
that relevant?  My point is that if only 0.2% of your incoming mail
has available RMX bits, then in practical terms you cannot filter
using RMX bits.


...
Could you whitelist your regular correspondents and cover most of
your incoming mail?  I bet you could, and immediately have better
protection than any scheme like RMX could have until it reached 80%.

Ahh - so rather than make an infrastructure improvement, every Internet
user should spend a half-hour a month updating their personal
whitelist... No thanks.

But you'd rather sign up for RMX and wait at least years before filtering
even 1 message a week instead of spending half an hour/month and
immediately getting all that RMX could ever give you?

Note that whitelisting can be automated with some other simple
infrastructure improvements so that you would not need to spend more
than seconds/month.  Does it matter that those infrastructure changes
would not be the same as the RMX changes?


An advantage of RMX is that it is decentralized.
Yes, but what matters is how much spam it affects.

An entire class of spam would be eliminated. That class is currently a
large percentage of the spam I get. Given, a lot of it will migrate into
other forms, but there will be approaches for dealing with those forms.

People keep saying that, but never say how.  If you turned on RMX
filtering in your MTA (postfix?) tonight, how much spam would be eliminated
and how?  How much would be eliminated next week, month, or in 3 years?

...
Wouldn't it be simpler to tell everyone to compare your sender domain name
with your reverse DNS?

Except that you're then overloading the meaning of reverse DNS.

Why is overloading bad?  That's what RMX is based on.

                                                                What
stops the type of spam I mention above - login, check reverse DNS for
the IP I've been allocated, and set it as my envelope.

That's already partly stopped with the DUL/PDL and port 25 filtering.

Besides, I don't recall seeing significant spam of that sort.


]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

] From: Mike Rubel <asrg(_at_)mikerubel(_dot_)org>

] ...
] If AOL, Yahoo, or Hotmail wanted to implement RMX, they would cease to allow
] third party sending; senders would have to send the mail through the
] official relays (which is the way it's normally done anyway).  If an
] organization doesn't want to forward through one of a limited number of
] outbound relays, it would not adopt RMX.

Is that really a requirement for using RMX?  If it is, then how can
other people say that AOL, Hotmail, and Yahoo might be interested in
adopting RMX and so driving away some of their current users?


] Right now, a lot of people are blocking all mail claiming to come from
] AOL, Yahoo, or Hotmail.  This is a big problem for those sites, and it's
] not their fault, since the spam that arrives "from" them is all forged.  

I believe a lot of spam purporting to be from AOL is forged, but I
find convincing evidence and logic that most spam supposedly from free
providers is not forged.  Someone at an unknown to me free provider
has checked a sample of addresses from my traps and found a significant
amount was probably *not* forged.  His numbers are significantly lower
than my guess of 90%, but they are significant and I think they are
not for the industry leaders in dropboxes.


] ...
] Not everyone has to be using RMX to make it useful.

How many people must use RMX to make it useful, and how long will it
take to get that many users?  This is not a rhetorical question, but
a genuine technical issue that must be addressed for any protocol or
application, not only spam defenses.  My guess is you need 80% of the
Internet or about 400,000,000 users so that 80% of your incoming mail
has RMX bits.  What is the correct value?


] ...
] Is your argument that IDENT is useless against spam, therefore RMX is
] useless against spam?  They're completely different animals...

I think IDENT is in sendmail because it was supposed to be effective
against spam.  It was not, and I think one major reason is that it
never reached the critical threshold.

Besides, IDENT for mail seems very similar to RMX.  How would
checking IDENT values for incoming mail differ from checking RMX bits,
other than in trivial matters like using port 53 instead of 113?


] ...
] Exactly!  RMX records give mail systems a reason to shunt all of their
] mail through a few specific servers.  Think about the migration path--if
] we just start checking reverse DNS now, it usually won't work (because a
] lot of sites don't follow the convention).  By introducing a new resource
] record, you give sites a way to declare that they are now following that
] convention.
]
] So... have I sold you on RMX records yet?  :)

Never mind me.  Have you sold the bosses and stockholders of AOL,
Hotmail, Yahoo, or many other ISPs to drive away some of their current
users and install some more out-going mail servers so that a few years
from now, perhaps some spam will be stopped?


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com