ietf-mxcomp

Re: Input on identities

2004-04-07 13:02:01

On 4/7/04 at 7:34 PM +0200, Markus Stumpf wrote:

> On Wed, Apr 07, 2004 at 11:49:39AM -0500, Pete Resnick wrote:
> > Many sites don't own records in the reverse space for their IP addresses,
>
> Then we should question why this is so and if it is needed or if it can be handled by their ISP as well.

That means constantly coordinating with the ISP as to which IP addresses are and are not MTAs. For ISPs that just give out a block of IP addresses to the customer, that may be a huge increase in administrative burden.

> And we should also question why ISPs don't handle the revDNS any more.

A separate discussion, but sometimes it is because of the above: The ISP does not want to have to coordinate every time a customer makes a change to their forward DNS.

> And managing revDNS will probably be less work than to add LMAP type records to all zones of all customers.

It depends on the setup. For an ISP with a large number of small customers who run their own DNSs, it will be more work. For those managing both forward and reverse, it depends on the number of MTAs and how often they change addresses.

> And the drawback is that spammers can still use their networks of cracked (mainly) dialin/DSL machines by publishing appropriate information for their rogue zones and use them to spit out spam, just like they do now.

I don't see a negative there. All I see is that HELO checking doesn't solve every problem. It doesn't. Neither does checking MAIL FROM. Neither does checking From:. Neither does checking the IP address against an RBL. HELO checking does two things: If there's a record that says "yes, that's my MTA", it allows you to trace back to the domain owner. That allows you to set up a domain BL/accreditation/reputation system if you want. If there's a record that says, "no, that's not my MTA", then you can reject the connection after the HELO. Are those two things together worth the trouble of doing this? Maybe. It depends on how cheap it is to accomplish HELO checking. But saying that failing to solve other problems is a *negative* isn't an argument against doing so.

> Then we need another (DNS based?) accreditation system

I doubt it would be DNS based, but that's *way* out of scope for the current discussion.

> IP based lists are very simple, as they tell "the owner of the IP space thinks this IP hosts an MTA that should be sending messages across the Internet". What each validator does with that information is up to him. If some ISPs don't handle revDNS for their customers then the market will kill those ISPs or they will handle revDNS for their customers.

I agree. But doing a HELO based check isn't mutually exclusive with doing IP checks. There are cases where each is beneficial.

> The situation where IP based lists will not work is for MTAs on dynamic address space. The question is whether we should encourage hosting MTAs on dynamic address space with regard to stability and the spam problems we encountered over the last decade.

I have to wonder whether IPv6 is going to change the answer we might give to such a question.

> My fear is that LMAP style authorization mainly helps big sites to be protected from joe jobs, but joe-loser.org who doesn't even know what an IP address is will be helpless and spammers will shift from big mail service providers to zillions of small domains without LMAP. The overall win will be zero for a very long time.

It's a reasonable fear, but I think over the long run even joe-loser.org will get the folks managing their domain to insert the appropriate record in the DNS to stop them from getting hit too. As above, none of this solves the entire problem; it's just plugging one hole in the dike that happens to be flowing like a firehose at the moment.
--
Pete Resnick <http://www.qualcomm.com/~presnick/>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102
