ietf-mta-filters
[Top] [All Lists]

Re: comments on refuse

2005-08-06 15:11:16

I'd like to solve the spam problem (see www.rhyolite.com/anti-spam/you-might-be.html ) but we're just proposing a small improvement to SIEVE, that will help in a small but significant way reduce resource usage, but doesn't require changes that break existing Sieve or SMTP implementations. That implies some serious constraints! 'Refuse' only claims to be _less_ likely to result in backscatter to an innocent victim. It is not 'discard', or CSV (the 'best' spam remedy, IMO - see http://wiki.fastmail.fm/index.php/Certified_Server_Validation), or BATV.

On 8/5/05 11:19 AM, Michael Haardt sent forth electrons to convey:
On Thu, Aug 04, 2005 at 05:45:04AM -0700, Philip Guenther wrote:
draft-ietf-sieve-refuse-reject-00 justifies the 'refuse' extension
based on a claimed ability to reduce the amount and/or likelihood
of joe-job spam.  By my reading, there is only a reduction in amount
by replacing one or more MDNs (one per recipient using 'reject')
with one DSN and no reduction in likelihood.
This is not consistent with what you say later; I think you've misunderstood the spec. 'Refuse' will replace one notification with another in a small fraction (my estimate: 10% of the time(a few % due to the exception in section 3, a few % due to 5xx errors to unidentified or unblocked relays, etc.) ; certainly << 100%) of the time it acts. My estimate implies a 90% reduction in backscatter for those replacing reject with refuse.
  While a message that
is refused by all recipients can indeed be refused at the SMTP-level
at the final dot, a DSN will still be generated unless the message
was received directly from the submitting software by the SMTP-based
sieve implementation.
I find that this exception is actually a common case, accounting for >> 17% of mail delivery attempts. And in this case, neither an MDN nor a DSN is generated. (The research paper at http://www.ceas.cc/papers-2005/120.pdf confirms that some 17% of mail delivery attempts these days are made from SMTP malware that can't even retry, and hence almost certainly can't create DSNs either)
That doesn't apply when open relays ("open
proxies" in the draft) are involved
Let me know if I need to explain the difference between open relay and open proxy and how each is used by spammers to send spam.

I believe that most mail servers on the Internet do not accept mail from identifiable open relays and open proxies at all, and for them 'refuse' has no impact on backscatter.

Supporting argument: Most such systems are on blacklists such as [http|socks|smtp|web].dnsbl.sorbs.net (see http://www.us.sorbs.net/using.shtml for definitions; MAPS and others have similar lists among their offerings). In particular they are on the blacklists that a consensus of reports state have the lowest risk of being used to block non-spam (that is, even lower risk than the SBL blacklist, which protects half a billion mailboxes) and hence are the most widely used. When such blacklists are used, mail is often blocked before sieve even sees the message. Blocking could occur at EHLO or earlier, such as at a border firewall.
or if the sieve implementation
is behind any MTAs that don't synchronously pass-through messages.
A careful reading of the draft will show that such implementations cannot support the refuse extension. Please reread the draft and let me know if this is not clear. (Section 3, first paragraph)

You are correct, but as a matter of fact, I do receive quite a bunch
of spam right from the sending host (spam companies or compromised (?)
dial-up systems) to a single recipient.  I have no numbers, though.

IMHO, messages should be refused at the earliest possible point.  I do not
like that refuse is not defined that way, leaving open where that point
is for a specific system.
OK, I agree with you here. Now we just have to come up with wording to make this clearer in the draft. Also, I have noticed that most drafts addressing spam have weak language such as:

"The handling of such messages is at the discretion of the verifier or final recipient." -DKIM draft ( http://ietf.org/internet-drafts/draft-allman-dkim-ssp-00.txt )
or
"... system MAY choose to reject or discard email on the
  basis of local policy...  The
  actual policy decisions are outside the scope of this document."
- http://spf.pobox.com/spf-draft-200406.txt (SenderID has very similar language.)
Then again, CSV has somewhat stronger language:
"...caution is required. The receiving SMTP server might:
   - Generate an SMTP session error, as suggested below.
   - Mark the message, to indicate that it failed validation.
   - Place the message into a special queue, for separate handling."
CSV CSA draft ( http://mipassoc.org/csv/draft-ietf-marid-csv-csa-02.html#anchor4 )

Would you be satisfied if I added this at the beginning of section 3?:
"Messages should be refused at the earliest possible point."

[Alexey: I am going to steal back the virtual edit baton, OK? Or have you already started making edits? IIRC you are holding it.]
I would prefer an action like "refuse at the
earliest point, and if that means bouncing, then bounce it".
How exactly does what you prefer differ from the action as I defined it in the current spec? The current spec indicates (several times!) that bouncing is a last resort and lists several negative side effects.
  As it is,
we have reject, which always bounces, and refuse, which always refuses.
I have to remember which system offers what for avoiding bounces where
possible.
Backwards compatibility is a #1$(_at_)%(_dot_) I expected there would be multiple objections if I tried redefining reject, which is the only reason I haven't tried.
 - shouldn't "open proxies" be "open relays"?  This is a reference
   to MTAs that relay without limits, right?

Open proxies may be correct.  For one, there is a bunch SOCKS proxies.
For another, there are many MTAs that do not count syntax errors
or enforce SMTP synchronisation points, thus being vulnerable to HTTP
proxies being used to CONNECT to port 25.  Sending spam through open
relays has become a little old-fashioned.
"Open proxies" is correct. With "open relays", the sentence doesn't make sense.
Michael


P.S.:  Alexey: 3042bisv4 gets a belated nod from me.


<Prev in Thread] Current Thread [Next in Thread>