At 11:37 PM -0700 4/11/05, George Ou wrote:
Blocking port 25 harms a lot of legitimate uses. Why not do the following
to deal with the issue as a whole.
* Start banning all non-SPF compliant domains within a certain deadline
which would effectively make port 25 blocking moot.
SPF '-all' publishing and enforcement has not proven feasible for
domains of any significant scale and/or user diversity. Without all
domains publishing '-all' record along with a large fraction of
receiving systems being willing to enforce those records, SPF use
cannot reduce the utility of port 25 blocking.
Beyond that, any proposal that requires everyone to make changes on
the same schedule or else the first movers will break their systems
badly, is simply never going to happen at all on any schedule. SPF as
the FUSSP requires behavior that is self-harming unless everyone else
does it at the same time.
* Then we deal with the problem of ISPs who don't implement SMTP AUTH and
who won't implement some reasonable rate limiting schemes.
Who is 'we' and how do you propose 'we' deal with such ISP's? Most of
the larger ISP's for years have been making business decisions fior
a decade in support of continuing the growth of spam and the spread
of the malware used to send most modern spam, and there has been no
'we' willing and able to 'deal' with them in any serious and
consistent way for all of that time.
* Then start requiring some sort of official registration or bonding of
domains who bulk send (based on Distributed Checksum Clearinghouse
measurements) so that we can either easily track you down for prosecution or
we confiscate the bond for any kind of abuses from an SPF abusive domain.
The owners of the mail systems I work with are not going to pursue
anyone's certification and are unlikely to trust any certification
that anyone issues. Even those which send some bulk mail and those
who are inundated by it have seen no value in certification systems
like Habeas or Ironport's Bonded Sender. Such systems have proven in
the marketplace to be of very limited interest and utility.
These steps would seem to me a lot more effective and cause a lot less
collateral damage.
You've got a very odd idea of what constitutes 'collateral damage' if
you believe that requiring that all domain owners make mandatory
changes, establishing a new enforcement authority, and creating a new
certifying authority to bless domains constitutes less damage than
inconveniencing a single-digit percentage of individual end users.
As the owner of a few small personal domains and someone
who uses outbound 25 for legitimate SMTP relay, I'd much rather you force me
to put in a few SPF records than blocking my outbound port 25 access.
I see. Those steps seem less damaging to you because they cause less
damage to you.
Have you looked at how port 25 blocking is actually being done by
even the minimally competent ISP's? SBC is an example of one such. 8
months ago they had a press release and sent mail to all customers
about the coming rollout of port 25 blocking. With that they included
a way to preemptively request exemption and they made clear that
customers with static address accounts would be excluded by default.
To my profound shock, SBC has actually managed to execute that
rollout with reasonable speed and accuracy. There may well be some
ISP's who are implementing port 25 blocking without exempting users
with static IP assignments, but I believe they would be the minority.
SBC's willingness to provide exceptions for anyone who asks may be
unusual, but it is not unique.
Note that I DO NOT argue that port 25 blocking is a panacea. It is a
generally negative thing, but as long as ISP's insist on offering
services in ways that encourage customers to view their own computers
and network connection as an appliance requiring no more thought than
a toaster or a telephone, the customers of that sort of service
should be surrounded by significant impediments to their
exploitation, which intrinsically includes impediments to their
misuse of the network at large where people who are competent to
handle an unfettered link operate. It is unfortunate that no useful
consensus is possible on what constitutes 'competent' in this
context, so the evolving proxy for competence is willingness and
ability to find and pay for an account that is not restricted.
We're
essentially talking about the same thing here only from different sides of
the problem. Do we create an ACL (Access Control List) that denies all
non-SMTP servers of the world or do we create an ACL that permits all
legitimate SMTP servers of the world? It would seem to me that the latter
is a much smaller database and much easier to implement than the former.
Yes, and because the two yield logically identical results, either
ends up as a default assumption of invalidity and some system where
the legitimate systems are blessed. This is how port 25 blocking is
done: network owners who are the best authorities on the nature of
their address space and its use decide where to allow port 25
traffic. If they decide to only service people who have no desire for
full service, they can do so. If they decide to charge a little more
for full service, they can do that. If they decide that full service
is available to anyone who knows that they want it, that is also
feasible.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg