
Re: [Asrg] What are the IPs that sends mail for a domain?

2009-06-20 17:33:17

----- "Alessandro Vesely" <vesely(_at_)tana(_dot_)it> wrote:

Douglas Otis wrote:
SMTP is heavily abused, and soon IPv6 is about to become a necessity. To remain practical, connectivity must be based upon _immediate_ and _stable_ evidence of legitimate email operation, and not upon any number of authorization transactions. Each additional transaction to support an authorization scheme will be multiplied by the typical number of attempts made by abusive senders. This means providers need to exclude problematic users, and not become a task pushed toward recipients. Such pushing is not practical and often leads to unfortunate mistakes.

What do you mean by "problematic users"? Providers of residential cables, WiMAX, and similar connections could block or redirect port 25, just like most universities and companies do. They used to do it, as long as they provided mailboxes as a bonus and ISP and ESP were synonyms. Submission port 587 is not yet universally employed, and some customer may not accept to be unable to reach their favorite server's ports 25 or 465. "Blocking port 25 except for a set of servers used for submission" is not something that can be easily defined and maintained by ISPs, IMHO.


Yes, I'm not sure that blocking port 25 will ever be possible. I think fewer and fewer people want their mailbox tied to an ISP; this is why they get a mailbox on Yahoo, Google, etc. So these services usually require you to connect via port 25 and authenticate, but that means the ISP has to leave port 25 open. Blocking port 25 and leaving port smtps/465 open to allow users to still submit email is better, but just a temporary measure until botnets use smtps to submit.

The only thing I see in this system is to identify IPs of mail servers via an out-of-band process, like a record in the DNS. To avoid DDNS (the ability of the compromised machine to push a record into the DNS), it should be in the reverse DNS or in a subdomain.

Now a receiving MTA would be able to use this filter: either the sending MTA authenticates (MUA) or the sending MTA is recorded as an MTA in the DNS. This cannot be enabled overnight, but a SpamAssassin filter could give a negative score if the sending MTA is DNS-recorded.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
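The receiving-side check sketched in the message above, written out as an added example that is not part of the original thread. It assumes a hypothetical TXT record under the connecting address's reverse-DNS name carrying the token "v=mta1" (no such record is standardised; the name and format are assumptions made here), stands in a constructed in-memory zone for the resolver so it runs offline, and mirrors the SpamAssassin convention that a negative score makes a message less likely to be treated as spam. Because only the address owner can publish under in-addr.arpa/ip6.arpa, a record placed in a forward dynamic-DNS zone (the DDNS concern in the message) is never consulted and does not help an unregistered host.

```python
# Added example (not from the original post): decide whether a connecting IP is a
# "DNS-recorded" MTA by looking at its reverse-DNS name, then score the
# connection the way the message proposes for a SpamAssassin rule.
# The record name/format ("v=mta1 host=...") is a hypothetical convention.
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

TxtLookup = Callable[[str], List[str]]

# Constructed zone data standing in for a DNS resolver (runs offline).
# Keys are owner names, values are the TXT strings published there.
FAKE_DNS: Dict[str, List[str]] = {
    # The address owner of 192.0.2.10 published the record under the
    # reverse name, which only the address owner can edit.
    ipaddress.ip_address("192.0.2.10").reverse_pointer: ["v=mta1 host=mx1.example.net"],
    # Same for an IPv6 mail server, since the thread expects IPv6 to matter.
    ipaddress.ip_address("2001:db8::25").reverse_pointer: ["v=mta1 host=mx2.example.net"],
    # A forward name in a dynamic-DNS zone also carries the token, but the
    # receiver only consults reverse names, so the host at 198.51.100.7
    # (no reverse-zone record) stays unrecorded.
    "_mta.host7.dyn.example.org": ["v=mta1 host=host7.dyn.example.org"],
}


def lookup_txt_fake(name: str) -> List[str]:
    """Stand-in resolver: TXT strings for an owner name, [] when none exist."""
    return FAKE_DNS.get(name.rstrip(".").lower(), [])


def parse_mta_record(txts: List[str]) -> Optional[Dict[str, str]]:
    """Return the key=value fields of the first TXT string tagged v=mta1, else None."""
    for txt in txts:
        fields = txt.split()
        if not fields or fields[0] != "v=mta1":
            continue
        record: Dict[str, str] = {}
        for field in fields[1:]:
            key, sep, value = field.partition("=")
            if sep:
                record[key] = value
        return record
    return None


def recorded_mta(ip: str, lookup_txt: TxtLookup = lookup_txt_fake) -> Optional[Dict[str, str]]:
    """Look up the reverse-DNS name of `ip` and return its MTA record if present.

    A malformed address or a resolver failure yields None: absence of
    evidence, never a positive result.
    """
    try:
        name = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
    except ValueError:
        return None
    try:
        txts = lookup_txt(name)
    except Exception:  # timeout, SERVFAIL, etc.: no evidence either way
        return None
    return parse_mta_record(txts)


# Assumed SpamAssassin-style convention: negative score = less spammy.
RECORDED_MTA_SCORE = -1.0


def classify_sender(ip: str, smtp_authenticated: bool,
                    lookup_txt: TxtLookup = lookup_txt_fake) -> Tuple[str, float]:
    """The two acceptable paths from the message: an authenticated submission
    (an MUA) or a connecting host recorded as an MTA in the reverse DNS."""
    if smtp_authenticated:
        return ("authenticated-submission", RECORDED_MTA_SCORE)
    if recorded_mta(ip, lookup_txt) is not None:
        return ("dns-recorded-mta", RECORDED_MTA_SCORE)
    return ("unrecorded-host", 0.0)


if __name__ == "__main__":
    for ip, auth in [("192.0.2.10", False), ("2001:db8::25", False),
                     ("198.51.100.7", False), ("198.51.100.7", True),
                     ("not-an-ip", False)]:
        print(f"{ip:14} auth={auth!s:5} -> {classify_sender(ip, auth)}")
```

Swapping `lookup_txt_fake` for a real resolver call is the only change needed to run this against live DNS; keeping the resolver injectable is also what makes the failure paths (unparseable address, resolver error) testable without network access.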
