Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?
2003-12-13 23:34:51
Brett Watson wrote:

> A touchy issue, this. Should we consider it Best Current Practice to filter
> outgoing port 25 on "residential" (or similarly classified) access points?
> Should we consider it BCP to filter outgoing port 25 on pretty much all
> access points unless other arrangements are explicitly made?

It is indeed a touchy issue. Since there's no consensus in the group, we
should refrain from making recommendations until enough of us agree on
something solid with a clear rationale.

> Our contributor named "Mark" has been harping on the "presumption of
> innocence" principle, but it's precisely the viability of that principle
> that's in question here. There is a certain quantity of spam which exists by
> abusing the "presumption of innocence", so called. It's a badly
> emotionally-laden term, since to advocate the converse is to advocate
> "presumption of guilt", and you may as well advocate the strangulation of
> small furry animals and children while you're about it. Rather than
> "presumption of guilt", we should have "explicitly negotiated access". We
> could recommend that port 25 be available (in some cases) only when
> explicitly arranged, not on the basis of prior "guilt" or "innocence", but
> purely to make accountability explicit.

"Explicitly negotiated access" sounds really nice in theory, but it doesn't
work for anyone who is limited to using a mass-market ISP. Comcast, my
provider, has no interest in talking to customers, they have an interest in
getting as much money out of us as possible. This "explicitly negotiated
access" would mean they tack on some absurd monthly fee for 'administrative
costs'.

> Personally, I reject outright the idea that filtering access points on port 25
> has a troublesome impact on mail connectivity for the do-it-yourself crowd,
> myself included. If you don't trust your ISP to get it right with regards to
> their mail server, it is now ridiculously cheap to get your own virtual
> server hosted somewhere and continue to do it yourself without your mail
> server hanging off your ISP's access point. Such virtual hosts require
> expertise to configure, but have unfettered access. In my view, people who
> are still harping on this point need to readjust to the new environment --
> keep up with the times. I have seen virtual servers available for US$15 per
> month, which is a fraction of what I pay for my broadband access (in
> Australia).

I don't trust my ISP to get it right with regard to their mail server. They
have some large number of MTAs which make outbound connections, and 1 or 2
of them are blacklisted. Because of stupid policies enforced by other
providers (AOL), I already cannot connect out directly, so I am forced to
forward my mail through smtp.comcast.net. This means I have a choice between
not reaching certain ASRG members whose servers use RBL or not reaching
friends and family on AOL. I'm not going to reconfigure a mailserver used by
multiple people every time I want to send a message to AOL or ASRG.

About virtual hosts: I am a student. I am a minor. I do not have ready
access to a credit card to pay for such service. Whatever I can't get for
free online, I can't get at a "ridiculously cheap" cost. I happen to have
broadband access, and I run a server of my own, for utility and education.
If I were forcibly prevented from using it, I would not be happy, and I'm
sure many others are in a situation similar to this.

> On the other hand, malware ("viruses", "worms", "trojans", etc.) which abuses
> the openness of port 25 is rife. This is an attack vector that bears serious
> consideration. Similarly, "presumption of innocence" falls down for any
> dynamically allocated IP address, since there is no permanent identity
> associated with the IP. If we work on the "presumption of innocence"
> principle here, then the abusers get free rein for a short while, then
> tarnish the reputation of all users equally. It simply doesn't work. One
> possible suggestion for a BCP is to filter outgoing port 25 for all
> dynamically allocated IPs.

The problem here is that there's no incentive for ISPs to cooperate. They
will piss off those of us who care, and the people who are unable to spread
digital contagion because of a block won't notice, except that they may have
to pay more for ISPs to manage their new burden.

My point is, you're being equally idealistic in assuming that consumer,
residential ISPs will actually serve their customers.

> Taking the converse view, one could question the effectiveness of port 25
> filtering as a whole, relative to its intrusive nature. There is no escaping
> the fact that port blocking is intrusive, and it causes problems of its own.
> Does it provide a net improvement, or does it merely change the balance of
> problems?
>
> Intrusive filtering is NOT the only option. We also have the option to place
> information about the IP out of band, as per one of the various DNS options.
> This does not change the argument about "presumption of innocence" versus
> "explicitly negotiated access" -- it only changes the mechanism by which
> filtering is taking place, and the party that elects to do the filtering.
> Where information about the trustworthiness of an IP is placed in the DNS,
> the mail recipient becomes the one to make decisions: a non-intrusive form of
> filtering which can, even so, produce similar results.
>
> With careful semantics, we may even be able to produce a DNS-based solution
> which allows do-it-yourselfers to continue to operate their own mail servers,
> with limited scope for nuisance to others. An ISP could use in-addr.arpa PTR
> records to indicate "residential" or "dynamic" status for IP addresses (with
> the connotation that they are not well placed to prevent mail abuse from
> those sources). A person operating their own domain could override this
> rating by explicitly marking their own mail domain as operating from a given
> IP through their own domain records. A recipient can then decide whether to
> trust that sender's domain or not, based on his own assessment of risk.
>
> So, having rambled about it for a bit, I conclude that port filtering is a
> tool worth considering in certain cases, and I dismiss the "presumption of
> innocence" argument as being both emotionally overcharged and no longer
> viable. Even so, it seems to me that the non-intrusive DNS-based options can
> more closely achieve the goal of recipient-oriented decision-making, and are
> less likely to cause unintended problems with connectivity generally. Let the
> recipients make up their own minds about whether they trust a sender or not:
> just give them information on which to base their decision.

OK, I agree with this conclusion. I don't think there's anyone in this group
who'd argue with the last sentence of that. Unfortunately, we, as a group,
seem to be getting hung up on certain issues which are preventing us from
moving forward on various proposals that need to maintain their momentum.

The LMAP discussion document needs cohesive review and editing, preferably
before we publish as an Internet Draft. IDs are nice for some things, but
it's easier if we make all of the changes we feel necessary before first
official publication.

I haven't looked that closely at MTA Mark, but I think these two proposals
are complementary, and should be revised to reflect that. I'm not sure if it
does, but MTA Mark should probably not recommend outright rejection of
messages in the face of information stating that a given IP should not be
sending mail.

I've said my piece,
Philip Miller
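The DNS-based scheme Brett sketches in the quoted text above (the ISP marks "residential" or "dynamic" ranges in PTR records, a domain owner overrides that by declaring which IPs its own mail comes from, and the recipient makes the final call) in runnable form. This is an added example written for this page, not code from the thread, from MTA MARK or from LMAP. The DNS contents are constructed in-memory stand-ins, and the record conventions (a "dynamic" or "residential" label in the PTR name, a TXT-style "v=mailfrom ip4=..." record under the sending domain) are assumptions made for the example, not any published format. The decision stage tags or quarantines marked sources rather than rejecting them outright, in line with Philip's remark about MTA Mark.

```python
"""Recipient-side policy combining an ISP's PTR marking of dynamic/residential
address space with a sending domain's own override record.

Added illustration for the ASRG thread; not code from the thread, MTA MARK or
LMAP. All DNS data below is constructed, and the two record conventions are
assumptions made for this example.
"""
import ipaddress

# Constructed ISP reverse zone. Assumed convention: the ISP puts a "dynamic"
# or "residential" label into the PTR name of address space it cannot vouch for.
PTR_RECORDS = {
    "10.0.0.5": "c-10-0-0-5.dynamic.example-isp.net",
    "10.0.0.6": "c-10-0-0-6.residential.example-isp.net",
    "192.0.2.25": "mail.example-isp.net",
    "198.51.100.9": "host9.colo.example-host.net",
}

# Constructed per-domain override records. Assumed TXT-style format: the domain
# owner lists the addresses or prefixes that legitimately send its mail.
DOMAIN_RECORDS = {
    "student.example": "v=mailfrom ip4=10.0.0.5",
    "hosted.example": "v=mailfrom ip4=198.51.100.0/24",
}


def reverse_name(ip):
    """Name the recipient would query for the PTR (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_ptr(ip):
    """Stand-in for a live PTR query: consult the constructed table only."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return PTR_RECORDS.get(ip)


def classify_ptr(ptr):
    """Map a PTR name to 'dynamic', 'residential', 'unmarked' or 'no-ptr'."""
    if ptr is None:
        return "no-ptr"
    labels = ptr.lower().rstrip(".").split(".")
    for tag in ("dynamic", "residential"):
        if tag in labels:  # match a whole label, not a substring
            return tag
    return "unmarked"


def domain_authorizes(domain, ip):
    """True if the sending domain's own record covers this IP (the override)."""
    record = DOMAIN_RECORDS.get(domain.lower())
    if not record or not record.startswith("v=mailfrom"):
        return False
    addr = ipaddress.ip_address(ip)
    for token in record.split()[1:]:
        if token.startswith(("ip4=", "ip6=")):
            net = ipaddress.ip_network(token[4:], strict=False)
            if addr in net:
                return True
    return False


def policy_decision(ip, sender_domain):
    """Recipient's decision. The domain override wins; otherwise the ISP's
    PTR marking drives a soft action (tag/quarantine), never an outright reject."""
    if domain_authorizes(sender_domain, ip):
        return "accept"  # the domain owner explicitly took responsibility for this IP
    status = classify_ptr(lookup_ptr(ip))
    if status in ("dynamic", "residential"):
        return "quarantine"  # ISP says it cannot vouch for this source
    if status == "no-ptr":
        return "tag"  # no reverse information at all: flag for scoring
    return "accept"


if __name__ == "__main__":
    for ip, dom in [("10.0.0.5", "student.example"), ("10.0.0.6", "student.example"),
                    ("198.51.100.9", "hosted.example"), ("192.0.2.25", "other.example"),
                    ("203.0.113.7", "other.example")]:
        print(ip, dom, reverse_name(ip), policy_decision(ip, dom))
```

Note the asymmetry the design relies on: the ISP's marking can only lower a source's standing, while a domain owner's override can only raise it for addresses the owner explicitly claims, which is how a do-it-yourself server on a marked dynamic address stays reachable without the ISP opening port 25 for the whole range.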
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg