My ISP allows customers to configure their own smtp-stage filters. At
first, I figured that DNSbls were the FUSSP. However, there was a lot
of spam leakage through my filters. DNSbls are part of the solution,
but not the entire solution. Additional options have appeared in the
filter rules. The two most effective ones are blocking of email from
sites with...
- no/none/zip/zilch/nada rDNS (host/nslookup returns NXDOMAIN)
- regexp filtering for dynamic-IP-like rDNS, i.e. ...
    [0-9]+-[0-9]+-[0-9]+
    \.dial
    dhcp
As a single user, my sample size is quite small. Up to May 12th, my
rules had blocked a grand total of 263 email attempts so far this month.
Lack of hostname accounted for 113, and dynamic-IP-like rDNS stopped 64.
That's just over 2/3rds of all blocking.
Residential dynamic IP addresses are growing at an explosive rate.
DNSbls have a hard time keeping up with them. Spam zombies are cranking
out direct-to-MX email in record numbers. This is currently a very
large part of the unwanted promotional/soliciting email problem, aka
spam. Blocking this avenue for spammers isn't the FUSSP, but it will
make a major dent in the current problem.
Therefore, I propose that ISPs assign all dynamic IP addresses an rDNS
that includes a recognizable identifying substring such as "dynamic".
There may be adverse side-effects I'm not aware of with total lack of
rDNS. If not, null rDNS would be just as good.
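The two filter rules above (no rDNS at all, and rDNS that looks dynamic) plus the proposed "dynamic" marker can be expressed as a small classifier. The following is an added example, not code from the post or from any ISP's filter; the IP-to-rDNS table is constructed so it runs offline (None stands in for an NXDOMAIN answer), and the "dynamic" substring is included on the assumption that ISPs label addresses the way the proposal suggests.

```python
import re
from typing import Optional

# Constructed sample of what a reverse (PTR) lookup would return for each
# connecting IP. None stands for NXDOMAIN (no rDNS). The hostnames are
# made up for illustration and do not belong to any real ISP.
SAMPLE_RDNS = {
    "192.0.2.10": None,                                 # no rDNS at all
    "192.0.2.11": "10-2-0-192.example-isp.net",         # digits-hyphen-digits label
    "192.0.2.12": "pool-5.dial.example-isp.net",        # ".dial"
    "192.0.2.13": "dhcp-0013.example-isp.net",          # "dhcp"
    "192.0.2.14": "cust-0014.dynamic.example-isp.net",  # proposed "dynamic" marker
    "192.0.2.15": "mail.example.org",                   # ordinary MTA-style name
}

# The three regexps from the post, plus the "dynamic" substring the post
# proposes ISPs adopt (assumption: ISPs actually label addresses that way).
DYNAMIC_PATTERNS = [
    re.compile(r"[0-9]+-[0-9]+-[0-9]+"),
    re.compile(r"\.dial", re.IGNORECASE),
    re.compile(r"dhcp", re.IGNORECASE),
    re.compile(r"dynamic", re.IGNORECASE),
]


def classify(rdns: Optional[str]) -> Optional[str]:
    """Return a block reason for one rDNS answer, or None to accept.

    None as input means the lookup returned NXDOMAIN. A transient failure
    (timeout, SERVFAIL) should be handled before calling this and answered
    with a temporary SMTP error rather than treated as "no rDNS".
    """
    if rdns is None:
        return "no-rdns"
    for pat in DYNAMIC_PATTERNS:
        if pat.search(rdns):
            return f"dynamic-rdns:{pat.pattern}"
    return None


def filter_connections(rdns_table: dict) -> dict:
    """Apply classify() to every IP in the table; value None means accept."""
    return {ip: classify(name) for ip, name in rdns_table.items()}


def summarize(results: dict) -> dict:
    """Tally decisions the way the post's monthly count does."""
    counts = {"accepted": 0, "no-rdns": 0, "dynamic-rdns": 0}
    for reason in results.values():
        if reason is None:
            counts["accepted"] += 1
        elif reason == "no-rdns":
            counts["no-rdns"] += 1
        else:
            counts["dynamic-rdns"] += 1
    return counts


if __name__ == "__main__":
    decisions = filter_connections(SAMPLE_RDNS)
    for ip, reason in decisions.items():
        print(f"{ip:12} {reason or 'accept'}")
    print(summarize(decisions))
```

Two points worth keeping in mind when running something like this at the SMTP stage: the digits-hyphen-digits pattern is deliberately broad and will also match names that merely contain a date or serial number, so a reject based on it should be logged with the matched pattern (as the return value does) so false positives can be reviewed; and NXDOMAIN must be distinguished from a lookup that simply failed, since rejecting on a transient DNS error turns an outage into lost mail rather than a retry.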
Advantages...
- no structural changes required to DNS or SMTP, just doing things
slightly differently. That's why I'm presenting the idea as a BCP
proposal rather than in another area.
- because this proposal merely calls for changes in the practices with
the current DNS system, there is no need for a new registration or
certification bureaucracy
- no load on outbound routers/gateways, unlike outbound port-25
blocking
- it would also work against asymmetric routing attacks which outbound
port-25 blocking is useless against. To achieve the same protection
an ISP would have to block port 25 *IN AND OUTBOUND* to/from
residential dynamic IP addresses. The technical requirements and
costs of two-way blocking can be significant.
- the receiving ISP can decide whether or not to block inbound email
from such addresses
- unlike RMX/SPF, this can be implemented by one ISP and its outbound
email would be checkable immediately. There are already a lot of
email servers that can check rDNS addresses of incoming email. AOL
already does this by labeling their dynamic IP addresses with an rDNS
that includes the string "ipt.aol.com".
- valid email "From:" personal domains will not be blocked when sent
via the ISP's MTA, which might be an issue under some implementations
of RMX/SPF
- unlike ordinary DNSbls, DOS-attacks can't shut down this system,
short of taking down DNS entirely. In that case, email is shut down
too, because sending systems can't resolve MX IP addresses.
- ordinary DNSbls of dynamic IP addresses have problems keeping up
with the growth of new blocks of IP addresses. My proposal would
simply "just work".
Comments, etc.?
--
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg