ietf-asrg

Re: [Asrg] What are the IPs that sends mail for a domain?

2009-06-23 13:40:17
Steve Atkins wrote:
We use IP address reputation services because there's nothing else we can use [...]

I don't think so.  Domains and addresses are nearly-free and disposable,
so spammers could easily render both pointless exercises whenever it
suited them to do so.  Given that registrars are quite happy to continue
selling dirt-cheap domains by the thousands to even the worst spammers
(and registrars ARE spammers) it will always be possible for abusers to
come up with another domain and another email address -- or another ten
thousand of each -- whenever it suits them.   Network space is not quite
so easy to come by, so I think we stand a better chance keeping track of
allocations.

Maintaining reputation records based on domain is much easier than doing single email addresses, especially if one knows what egress anti-spam practices they deploy, and what's their policy for creating new accounts. In this case, mandating SUBMIT a la SPF shouldn't affect a domain's reputation; however, only messages that are relayed that way can be whitelisted on the basis that they come from a whitelisted domain.

The critical point here is that while it's easy to cycle through domains,
only those who are doing Bad Stuff will do so.

If you're sending wanted email then the reputation associated with any reputation key (including domains) will increase, and quality of delivery will continue to improve.

A domain changing ISP or location will most likely get new IP addresses. This noise is absent when tracking reputation by domain name.

If you're sending unwanted email then the associated reputation will decrease and delivery rates will drop. Because of that, people sending bad email will cycle through reputation identifiers rapidly, meaning that their reputation is never better than that of a brand new identifier, but not usually much worse.

If whitelists by domain were the rule, newcomers would seek the endorsement of their business associations, reputable friends, and possibly even employees. They will introduce themselves, and avoid whois privacy concealments. Investing in that sort of vernissage for new IP addresses makes little sense.

That makes reputation of this sort (whether it be IP based, authenticated domain based or anything else where it's easy to create a new reputation key, but hard to steal someone else's) extremely useful for identifying mail that's likely to be wanted, and not really great for identifying mail that's likely to be unwanted. It's not something that's useful on its own, but it's incredibly useful when used in conjunction with other approaches.

It's only natural to think that mail that's likely to be wanted shall take priority, as it does not require Bayesian content filtering, waiting for hashes from honeypots, and similar mumbo jumbos. Then, if whitelisted domains become widespread, we can peacefully harden the rules for filtering the rest.

The point is, if it is easier and convenient, why aren't there plenty of RHSWLs out there?

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
