ietf-asrg

Re: [Asrg] 6. Proposals: MTA MARK vs port 25 filtering?

2003-12-13 23:34:51
Brett Watson wrote:
A touchy issue, this. Should we consider it Best Current Practice to filter outgoing port 25 on "residential" (or similarly classified) access points? Should we consider it BCP to filter outgoing port 25 on pretty much all access points unless other arrangements are explicitly made?

It is indeed a touchy issue. Since there's no consensus in the group, we should refrain from making recommendations until enough of us agree on something solid with a clear rationale.

Our contributor named "Mark" has been harping on the "presumption of innocence" principle, but it's precisely the viability of that principle that's in question here. There is a certain quantity of spam which exists by abusing the "presumption of innocence", so called. It's a badly emotionally-laden term, since to advocate the converse is to advocate "presumption of guilt", and you may as well advocate the strangulation of small furry animals and children while you're about it. Rather than "presumption of guilt", we should have "explicitly negotiated access". We could recommend that port 25 be available (in some cases) only when explicitly arranged, not on the basis of prior "guilt" or "innocence", but purely to make accountability explicit.

"Explicitly negotiated access" sounds really nice in theory, but it doesn't work for anyone who is limited to using a mass-market ISP. Comcast, my provider, has no interest in talking to customers, they have an interest in getting as much money out of us as possible. This "explicitly negotiated access" would mean they tack on some absurd monthly fee for 'administrative costs'.

Personally, I reject outright the idea that filtering access points on port 25 has a troublesome impact on mail connectivity for the do-it-yourself crowd, myself included. If you don't trust your ISP to get it right with regards to their mail server, it is now ridiculously cheap to get your own virtual server hosted somewhere and continue to do it yourself without your mail server hanging off your ISP's access point. Such virtual hosts require expertise to configure, but have unfettered access. In my view, people who are still harping on this point need to readjust to the new environment -- keep up with the times. I have seen virtual servers available for US$15 per month, which is a fraction of what I pay for my broadband access (in Australia).

I don't trust my ISP to get it right with regard to their mail server. They have some large number of MTAs which make outbound connections, and 1 or 2 of them are blacklisted. Because of stupid policies enforced by other providers (AOL), I already cannot connect out directly, so I am forced to forward my mail through smtp.comcast.net. This means I have a choice between not reaching certain ASRG members whose servers use RBL or not reaching friends and family on AOL. I'm not going to reconfigure a mailserver used by multiple people every time I want to send a message to AOL or ASRG. About virtual hosts: I am a student. I am a minor. I do not have ready access to a credit card to pay for such service. Whatever I can't get for free online, I can't get at a "ridiculously cheap" cost. I happen to have broadband access, and I run a server of my own, for utility and education. If I were forcibly prevented from using it, I would not be happy, and I'm sure many others are in a situation similar to this.

On the other hand, malware ("viruses", "worms", "trojans", etc.) which abuses the openness of port 25 is rife. This is an attack vector that bears serious consideration. Similarly, "presumption of innocence" falls down for any dynamically allocated IP address, since there is no permanent identity associated with the IP. If we work on the "presumption of innocence" principle here, then the abusers get free rein for a short while, then tarnish the reputation of all users equally. It simply doesn't work. One possible suggestion for a BCP is to filter outgoing port 25 for all dynamically allocated IPs.

The problem here is that there's no incentive for ISPs to cooperate. They will piss off those of us who care, and the people who are unable to spread digital contagion because of a block won't notice, except that they may have to pay more for ISPs to manage their new burden.

My point is, you're being equally idealistic in assuming that consumer, residential ISPs will actually serve their customers.

Taking the converse view, one could question the effectiveness of port 25 filtering as a whole, relative to its intrusive nature. There is no escaping the fact that port blocking is intrusive, and it causes problems of its own. Does it provide a net improvement, or does it merely change the balance of problems?

Intrusive filtering is NOT the only option. We also have the option to place information about the IP out of band, as per one of the various DNS options. This does not change the argument about "presumption of innocence" versus "explicitly negotiated access" -- it only changes the mechanism by which filtering is taking place, and the party that elects to do the filtering. Where information about the trustworthiness of an IP is placed in the DNS, the mail recipient becomes the one to make decisions: a non-intrusive form of filtering which can, even so, produce similar results.

With careful semantics, we may even be able to produce a DNS-based solution which allows do-it-yourselfers to continue to operate their own mail servers, with limited scope for nuisance to others. An ISP could use in-addr.arpa PTR records to indicate "residential" or "dynamic" status for IP addresses (with the connotation that they are not well placed to prevent mail abuse from those sources). A person operating their own domain could override this rating by explicitly marking their own mail domain as operating from a given IP through their own domain records. A recipient can then decide whether to trust that sender's domain or not, based on his own assessment of risk.

So, having rambled about it for a bit, I conclude that port filtering is a tool worth considering in certain cases, and I dismiss the "presumption of innocence" argument as being both emotionally overcharged and no longer viable. Even so, it seems to me that the non-intrusive DNS-based options can more closely achieve the goal of recipient-oriented decisionmaking, and are less likely to cause unintended problems with connectivity generally. Let the recipients make up their own minds about whether they trust a sender or not: just give them information on which to base their decision.

OK, I agree with this conclusion. I don't think there's anyone in this group who'd argue with the last sentence of that. Unfortunately, we, as a group, seem to be getting hung up on certain issues which are preventing us from moving forward on various proposals that need to maintain their momentum.

The LMAP discussion document needs cohesive review and editing, preferably before we publish as an Internet Draft. IDs are nice for some things, but it's easier if we make all of the changes we feel necessary before first official publication.

I haven't looked that closely at MTA Mark, but I think these two proposals are complementary, and should be revised to reflect that. I'm not sure if it does, but MTA Mark should probably not recommend outright rejection of messages in the face of information stating that a given IP should not be sending mail.

I've said my piece,
Philip Miller
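The recipient-side scheme sketched in the quoted text (ISP marks an IP as residential/dynamic in its PTR record, the domain owner can override by naming the IP in their own domain's records, the recipient then decides), as an added example that is not part of this thread or of MTA MARK or LMAP. Every record format here is an assumption: a marker word in the PTR name, and a hypothetical TXT record `mail-from-ip=...` for the domain's override; the DNS data is a constructed in-memory zone so the code runs offline.

```python
import ipaddress

# Constructed in-memory zone standing in for live DNS (assumption: an ISP puts a
# word like "residential"/"dynamic" in PTR names; a domain owner publishes a
# hypothetical TXT record "mail-from-ip=<ip>[,<ip>...]" naming its mail server IPs).
DNS = {
    "4.3.2.1.in-addr.arpa.": {"PTR": ["dyn-1-2-3-4.residential.example-isp.net."]},
    "8.7.6.5.in-addr.arpa.": {"PTR": ["mail.example-isp.net."]},
    "example.org.": {"TXT": ["mail-from-ip=1.2.3.4"]},
}

# Marker substrings treated as the ISP saying "not well placed to prevent abuse".
DYNAMIC_MARKERS = ("residential", "dynamic", "dyn-", "dhcp", "pool")

# Recipient's own risk policy: the verdict says who vouches, the policy says what to do.
DEFAULT_POLICY = {"domain-vouched": "accept", "isp-static": "accept",
                  "isp-dynamic": "defer", "unknown": "defer"}


def reverse_name(ip):
    # "1.2.3.4" -> "4.3.2.1.in-addr.arpa." (IPv6 handled by ipaddress as well)
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ptr_labels(ip, dns=DNS):
    return dns.get(reverse_name(ip), {}).get("PTR", [])


def isp_marks_dynamic(ip, dns=DNS):
    # ISP rating: any PTR name carrying a residential/dynamic marker.
    return any(m in ptr.lower() for ptr in ptr_labels(ip, dns) for m in DYNAMIC_MARKERS)


def domain_claims_ip(domain, ip, dns=DNS):
    # Domain owner's override: its TXT record explicitly names this IP as its sender.
    for txt in dns.get(domain.rstrip(".") + ".", {}).get("TXT", []):
        if txt.startswith("mail-from-ip="):
            claimed = {a.strip() for a in txt[len("mail-from-ip="):].split(",")}
            if ip in claimed:
                return True
    return False


def classify_sender(ip, sender_domain, dns=DNS):
    """Who takes accountability for this IP sending mail for sender_domain?"""
    if domain_claims_ip(sender_domain, ip, dns):
        return "domain-vouched"      # the domain owner explicitly claims the IP
    if isp_marks_dynamic(ip, dns):
        return "isp-dynamic"         # ISP flags the address as residential/dynamic
    if ptr_labels(ip, dns):
        return "isp-static"          # ISP names it, with no dynamic marker
    return "unknown"                 # no reverse mapping at all


def decide(ip, sender_domain, policy=DEFAULT_POLICY, dns=DNS):
    # The recipient, not the ISP, turns the published information into an action.
    return policy[classify_sender(ip, sender_domain, dns)]
```

Note that the override is only as trustworthy as the domain publishing it; a recipient who distrusts `example.org` itself can map "domain-vouched" to "defer" in their own policy table.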


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg