
RE: [Asrg] 6. Proposals - RMX I Never send mail

2003-09-25 08:14:36
All,

        There seems to be an issue with current blacklist implementations.
The DNS server approach works fine functionally but the blacklist server
becomes a target for a DoS attack. While it is possible to run DNS
configurations hardened against DNS attack this costs a colossal amount. The
cost of the necessary bandwidth, hardware, support of doing it right is
huge.

        I would like to suggest therefore that we look for ways that we can
distribute certain information that is currently distributed via DNS
blacklists in a more distributed fashion. This will not be possible for all
information of course but is possible for certain subsets.

        In particular dial up modem pools, residential broadband links,
services that never send mail can be blacklisted through the rDNS. This has
a second advantage, the responsibility for maintenance is brought back to
the owner of the IP address. This would address current problems with large
IP address blocks being contaminated by prior spammer hijacking, listing by
an ISP etc.

        For example 18.2.1.xx might have a DNS record of one of the
following forms

                TXT             <ASRG><TYPE>DIALUP</TYPE></ASRG>
                POLICY  DIALUP

        Where POLICY would be a new record written for the purpose (usual
caveats apply). The usual caveats about using the DNS would also apply, risk
of spoofing etc. However I think that if those are really an issue we just
go fix DNS.

        I would see the following as useful identifiers:

                SERVER          A full service IP address
                DIALUP          The address is allocated to a dialup modem pool
                RESIDENTIAL     The address is allocated to residential broadband
                BLOCKED         The address is blocked, you should never connect
                UNALLOCATED     The address has not been allocated

        It might be useful to make this a bit more complex so as to allow
specific protocols to be identified, but I think that is best done through
the forward DNS.

        This might be interpreted as breaking the end to end religion, but
people are already doing that of their own accord. I would rather have ISPs
open port 25 outgoing and label the connection honestly as residential than
have them block the port entirely to stop attacks from anti-spam vigilantes.

                Phill

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg