This represents an improvement over the prior draft. However, there
are recommendations that will not endure evolving bad-actor
strategies, and opinions expressed about block-list automation that are
wholly wrong for the same reason: evolving bad-actor strategies.
It is understandable for a draft to speak to a constituency of
supporters. In this case, the supportive audience appears to include
bulk senders and ISPs. After all, these two groups are dramatically
affected by the operation of block-lists intent at mitigating abusive
behavior. Unfortunately, a few recommendations being made in this
draft cannot be characterized as a best practice.
Most predominately:
,---
| 2.2.3. Removals SHOULD Be Prompt
|
| ...
|
| A DNSBL MAY impose restrictions on who (e.g. network operator's
| representative or domain name owner) may make valid removal requests.
| However, in many DNSBLs this is inadvisable because it requires
| impractical amounts of effort and is hence NOT RECOMMENDED in most
| cases.
'___
Limiting interaction to owners of an address space or domain limits
with whom the DNSBL operator interacts. In this perspective, such a
requirement reduces the efforts required of a responsible DNSBL
operator. Since few if any DNSBL operators can observe more than a
small percentage of the traffic showing signs of abuse, the role
automation might play is extremely limited. Such automation should be
seen as a short-term strategy in response to the proliferation of spam
sent with the aid of bot-nets. Unfortunately, a growing percentage of
bad-actors utilizing bot-net services also take advantage of millions
of 0wned systems to rapidly discover which email destinations are
monitored.
Even when a large number of new destinations on divergent networks are
added, more than 30% of today's bad-actors are now able to quickly avoid
these new destinations due to automated listing and delisting
practices. As a result, automated listing and delisting now leads to
spam trap blindness. Something that causes blindness can hardly be
characterized as a best practice. Without supporting evidence, bad-
actors are then free to continue spamming. Only the ISP or domain
owner is able to fully monitor the situation and ensure the detected
abuse stops. Direct interaction with end-users by DNSBL operators is
seldom productive, and automation is ultimately not practical for
achieving their desired goals.
Remove the sentence:
: However, in many DNSBLs this is inadvisable because it requires
: impractical amounts of effort and is hence NOT RECOMMENDED in most
: cases.
and the subsequent paragraphs--
: Many DNSBLs can effectively use a "no questions asked" removal policy
: because by their very nature they will redetect or relist problems
: almost immediately. They can mitigate more organized attempts to
: "game" the system by elementary checking and rate-limiting
: procedures, increasing lockout periods, rescans etc. Furthermore, a
: few IP addresses more or less usually do not make a significant
: difference in the overall effectiveness of a DNSBL. Moreover, a "no
: questions asked" removal policy provides the huge benefit of a swift
: reaction to incorrect listings.
:
: As an example, one popular DNSBL uses a "no questions asked" removal
: policy, but does perform rate-limiting and malicious removal
: detection and mitigation.
:
: Another important consideration supporting a "no questions asked"
: self-removal policy is that it forestalls many conflicts between
: DNSBL operators and organizations whose IP/domain addresses have been
: listed. Such a policy may be an effective measure to prevent small
: issues from becoming big problems.
Section 2.2.1 also attempts to sell the flawed concept of listing
automation:
2.2.1. Listings SHOULD Be Temporary
...
Remove item 3 since automation of block-listing is increasingly
defeated. Shortly this strategy will need to be abandoned.
: 3. Automated DNSBLs with highly effective detection and fast listing
: mechanisms can benefit from very short expiration intervals.
: Many of the things that these DNSBLs look for are of relatively
: short duration, and even if they do expire, a resumption of the
: behaviour will be caught quickly by the DNSBL's detection
: mechanisms and relisted. By utilizing a short expiration
: interval, after reassignment/problem correction, the listing will
: automatically expire in short order without manual intervention.
We are currently revising the role automation plays in our offerings.
Even content filtering is becoming less effective. Perhaps within a
few short years, traditional prophylactic mechanisms will become
dramatically less effective. If anything, reliance upon automation
and content filtering serves to better educate bad actors, and
ultimately make the Internet more dangerous. Although this is not
something ISPs and bulk senders want to hear, only network providers
are able to properly deal with the growing and increasingly dangerous
problem. The bad-actors managing bot-nets of hundreds of millions of
0wned systems no longer represent a cottage community of individuals
or sales staff with somewhat questionable ethics.
This draft is painting a distorted picture that may have been valid a
decade ago, but no longer represents what might be a best practice
moving forward. Sections that represent Feel-Good rhetoric about
automation should be taken out. Striking this failing strategy would
greatly increase the contribution this draft might make in finding
better solutions moving forward.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg