
Re: [Asrg] Re: DNSBL BCP v.2.0

2007-02-12 12:46:32
Douglas Otis wrote:

> On Feb 12, 2007, at 9:16 AM, Matt Sergeant wrote:
>
>> On 9-Feb-07, at 9:03 PM, Douglas Otis wrote:
>>
>>> A period that represents typical IP ownership is not likely 6
>>> months.  Many of these systems are compromised and can be retasked
>>> to send spam once the IP address drops off a popular block list.
>>> How is 6 months reasonable for a long listing?  Why not state a
>>> goal rather than setting some arbitrary period not based upon any
>>> information or rationale?
>>
>> The goal is stated. If it needs to be clarified we should do that.
>>
>>> DNSBL operators should mimic Spamhaus policies?  Don't suggest there
>>> is some magic period.
>>
>> Our belief: There needs to be a sensible maximum time of listing
>> should the entry no longer meet the listing criteria.
>>
>> We think 6 months is a sensible maximum. This BCP is in NO WAY
>> suggesting that an IP/range shouldn't ever be listed for longer than 6
>> months, but that if your listing criteria are no longer met then the
>> entry should time out after a maximum of 6 months.
>
> 6 months is not a sensible maximum in many cases.  If an interval must
> be mentioned, why not say a year or less.  A year is likely to be a
> typical interval for service purchases.  Most spam sources are
> compromised systems.  Increasing the block cycle rate will just increase
> the number of times a compromised system can spew spam before being once
> again blocked.  When the owner of the IP address actually wants to send
> valid email, they can make a request to expedite a removal process in
> most cases.  What makes 6 months sound reasonable????

We have to remember that DNSBLs have very widely varying expiration
intervals, based upon how they list and in some cases sheer size.
SpamCop's initial expiration is a day or two.  But some DNSBLs are forever.

I believe that listings, absent "later redetection of malicious
behaviour", should have a timeout.  For a SBL-ish list, 6 months of "no
repeat behaviour" is a reasonable max.  For a "straight compromise"
DNSBL (like CBL, ORDB etc) it hardly makes sense to hold entries so
long, especially when so much of it is dynamic, or at least, not nearly
as long lived as a stationary MTA.

But aside from things like geo-based DNSBLs, I think all DNSBLs should
have some sort of timeout (again, absent repeat detections).  Otherwise,
we litter IPv4 with IP space that's difficult to use.  I pity the poor
people who have to reuse AGIS space...

I don't think we want to litter the BCP with stuff like that.  I'd like
to avoid it.  But I think saying that a reasonable timeout is a good
idea.  Matt's altered wording is better I think.
