On Mar 29, 2006, at 4:33 AM, Daniel Feenberg wrote:
> Lastly, the draft refers to no quantitative evidence that DNSBLs
> are more likely to reject valid mail than content scanners. This is
> not my experience with Google Mail, or Spamassassin. Perhaps other
> scanners would be more effective, but by the same token, there is
> variation among DNSBLs too.
From experiences with both block-listing and content filtering,
there is another important aspect with respect to block-lists.
Without block-lists, many email systems or associated networks will
not handle all transactions, making block-list protection essential.
Harmful and essential cannot be reconciled. Valid emails represent
a small portion of email transactions, where block-lists protect
both the mail-box and importantly, network resources. Done after
exchanging the message, filtering unblocked sources would be done
where a small percentage of their transactions may be comprised of
malware or spam. As many providers block abusive traffic at the
network (another form of block-list or black-hole list), tests must
first ensure no other protective mechanism is active. Block-lists
are simply essential to retain the utility of email. Message
authentication will not supplant the block-list network resource
protections.
Many of the issues related to block-lists involve the blunt
application at the IP address. Adopting a convention of ensuring
verification of the EHLO, it would then be possible to utilize domain-
name based block-lists. Such a strategy would reveal tell-tale
associations with domain name servers. The hierarchy of the
supporting infrastructure is more constraining than IP addresses with
an expectation of longer histories of good administration. CSV or A
records would be a good choice for EHLO verification, whereas SPF
invites dangerous network amplification.
-Doug
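The two-step scheme Doug sketches (verify the EHLO name against its A records first, then consult a domain-name based block-list that covers the name's hierarchy) as an added example; this is illustrative code, not anything from the ASRG draft or the poster. The A-record table, the block-list entries and all function names are constructed for the example, and a real deployment would ask a resolver and a published list instead.

```python
"""EHLO verification via A records, followed by a domain block-list check.

Added illustration; DNS data and block-list contents below are constructed.
"""
import ipaddress

# Constructed stand-in for forward (A record) DNS answers.
A_RECORDS = {
    "mx1.example.net": {"192.0.2.10"},
    "mail.spammer-example.com": {"198.51.100.7"},
    "relay.partner-example.org": {"203.0.113.5", "203.0.113.6"},
}

# Constructed domain block-list; a listed name covers every host beneath it.
DOMAIN_BLOCKLIST = {"spammer-example.com"}


def resolve_a(hostname):
    """Return the A-record addresses for hostname (table lookup, not real DNS)."""
    return A_RECORDS.get(hostname.lower().rstrip("."), set())


def ehlo_verified(ehlo_name, client_ip):
    """True when some A record of the EHLO name equals the connecting IP."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ipaddress.ip_address(a) == ip for a in resolve_a(ehlo_name))


def blocklisted_ancestor(hostname):
    """Walk host -> parent -> grandparent and return the first listed suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_BLOCKLIST:
            return candidate
    return None


def classify_connection(ehlo_name, client_ip):
    """Decision for one SMTP session.

    An unverified EHLO cannot be judged by domain, so the caller falls back
    to its IP-address lists; a verified name is checked up its hierarchy.
    """
    if not ehlo_verified(ehlo_name, client_ip):
        return "unverified-fallback-to-ip-list"
    if blocklisted_ancestor(ehlo_name):
        return "reject-blocklisted-domain"
    return "accept"
```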
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg