
RE: [Asrg] article: port 25 blocking

2005-04-12 18:14:32
[ broken quoting repaired]

At 4:27 PM -0700 4/12/05, George Ou wrote:
> -----Original Message-----
> From: asrg-bounces(_at_)ietf(_dot_)org 
> [mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of Bill
> Cole
> Sent: Tuesday, April 12, 2005 3:26 PM
> To: asrg(_at_)ietf(_dot_)org
> Subject: RE: [Asrg] article: port 25 blocking

>> SPF '-all' publishing and enforcement has not proven feasible for domains
>> of any significant scale and/or user diversity. Without all domains
>> publishing '-all' record along with a large fraction of receiving systems
>> being willing to enforce those records, SPF use cannot reduce the utility of
>> port 25 blocking.

> From the way you make it sound, it sounds like we will NEVER have any kind
> of domain level authentication and the "from:" address will remain on the
> honor system.

Yes and no. There already IS domain-level authentication for those who want and need it and have taken the time to set it up with domains they want to maintain reliable authentication with.

Domain-level authentication that is really trustworthy and fully enforceable (i.e. both passing and failing are treated as definitively meaning something) with all domains is never going to happen. SPF has been a good demo of why it can't work. I say that as someone who was enthusiastic and evangelistic 5 years ago about the core concept that evolved into SPF. I was wrong. SPF and its kin are not completely worthless, but they won't ever be a full solution to spam.

Yahoo's DomainKeys stands a chance of being useful domain authentication that is not onerous to set up and has different (and less ugly) break points than SPF, but it also is not going to ever be truly global and enforceable. Even if it were, domain authentication is not the same thing as authorization, and it is already common for spammers to use 'throwaway' domains in enough volume that they've made blacklisting by authoritative nameserver a usable tactic.

> Since it appears that there is no consensus for anyone's
> solution, be it SPF enforcement or port 25 blocking, you might be right about
> that, so the future remains bleak.

Not at all. The present is reasonably good and the future is fairly bright. The exceptions to that are for people who want a single magic bullet for spam control, and particularly for people who want that magic bullet to be their own patented idea. It is possible right now to achieve 95% spam rejection before DATA in SMTP and 99% rejection overall, with less than 0.01% false positives. The constraints in which that can be done are not economically feasible for large ISPs and might not even be possible for their sorts of very large and very diverse mail domains.

Looking at the problem as one addressed by SPF *or* port 25 blocking *or* some other approach is a hopeless approach. SPF and port 25 blocking both can help solve certain problems related to spam, but neither is anywhere near a full solution. There is a huge set of tactics and tools out there right now that can be applied carefully, selectively, and *jointly* in different situations to achieve very good results. The 'spam problem' is not that no one knows how to avoid spam, but rather that too few people are willing to devote the needed resources to avoiding it and making sure they don't contribute to it. SPF helps on one side by letting some domains publish hints of mixed value as to the validity of mail claiming to be them. Port 25 blocking of dynamically assigned address space aids on another front by reducing the population of useful spam zombies.


>> Beyond that, any proposal that requires everyone to make changes on the
>> same schedule or else the first movers will break their systems badly, is
>> simply never going to happen at all on any schedule. SPF as the FUSSP
>> requires behavior that is self-harming unless everyone else does it at the
>> same time.

> If we could get the top 50 domains to start "punishing" non-SPF-compliant
> with delays and a gradual migration to a hard fail in unison, would that not
> prompt other domains to become SPF compliant?

Yes, and if we could get pigs to grow wings and wear saddles, we could have leaner pork, less traffic congestion, and a lot of free fertilizer from the sky for everyone.

Even global adoption of SPF with hard failure does not solve the problem addressed by port 25 blocking. The trick of setting up perfectly valid domains with records that seem to say that abused zombie machines on dynamically assigned addresses are perfectly valid mail servers for that domain is about 2 years old. A zombie can easily have a valid SPF record for the domain it sends as.

--
Bill Cole
bill(_at_)scconsult(_dot_)com
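To make the last point of the message above concrete, here is an added example (not code from this thread or from any ASRG participant): a toy SPF evaluator run over constructed records, showing that a throwaway domain's record can make a zombie on a dynamically assigned address produce an SPF "pass", so a receiver has to layer SPF with a check on the sending address space rather than treat "pass" as trust. The domain names, address ranges and the dynamic-space list are all constructed; no DNS lookups are made.

```python
import ipaddress

# Constructed sample SPF records (not real domains); stands in for DNS TXT lookups.
SPF_RECORDS = {
    "legit.example": "v=spf1 ip4:192.0.2.0/24 -all",    # tight record: only the real outbound range
    "throwaway.example": "v=spf1 ip4:0.0.0.0/0 -all",  # spammer-owned domain authorizing every address
}

# Constructed stand-in for a dynamic/residential address list (the space port 25 blocking targets).
DYNAMIC_SPACE = [ipaddress.ip_network("198.51.100.0/24")]

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str) -> str:
    """Minimal SPF evaluator: ip4/ip6 mechanisms and 'all', with +/-/~/? qualifiers.
    Returns 'none' when the domain publishes no record."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if ":" in mech:
            name, value = mech.split(":", 1)
            # 'in' is False when the address family differs, so ip6 terms never match an IPv4 client.
            if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def in_dynamic_space(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in DYNAMIC_SPACE)


def accept_decision(domain: str, client_ip: str) -> tuple:
    """Layered receiver policy: an SPF 'pass' only says the domain owner authorized
    the address; mail from dynamic space is refused regardless of what SPF says."""
    spf = spf_check(domain, client_ip)
    if in_dynamic_space(client_ip):
        return ("reject (dynamic address space)", spf)
    if spf == "fail":
        return ("reject (SPF fail)", spf)
    return ("continue to other checks", spf)
```

Run with a zombie at 198.51.100.7 sending as throwaway.example: SPF returns "pass", and only the address-space check rejects it.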


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg