Le mercredi 4 Août 2004 02:37, John Leslie a écrit :
If there is any "mandate" to use accreditation services, it won't be
coming from MARID. However, burying our heads in the sand won't help:
At best, MARID can verify that a domain intends to authorize particular
actions by MTAs: we can say nothing about whether this authorization
gives the receiver good reason to trust that MTA.
There must be accreditation services (by whatever name we call them)
to provide that critical information link.
Do we actually need to have "good reasons to trust a MTA" to start accepting
mail from it, or do we barely need to be able to stop accepting mail from
ill-behaved domains once they're flagged as "bad" ?
The current major problem with spam comes from the zombies everywhere, and the
systematically forged Return-Path, From: and Received: headers.
Once we have a system that ensures that mail is not forged, and comes from a
MTA that is authorized by the domain to which it belongs, I believe we have
enough.
If this domain is ill-behaved, it will rather soon get blacklisted at
spamhaus.org, ROKSO, (put the name of your favourite spam-operations
blacklist here), and we can soon stop accepting mail from it.
I don't believe that spammers can eternally keep on purchasing tens of
throw-away domains and change hosting or "their legitimate spam-sending
servers" everyday.
In this regard, reactive blacklists seems to me to be more useful than
"accreditation services".
Yes, there will be costs associated with getting accreditation services
to (favorably) list you. I believe we can minimize those costs; and I
believe we can make it possible for many domains to avoid even minimal
costs, so long as they're "well-behaved".
Hummm... I think we yet have to see this. And I sincerely wonder if every
little business and shop-around-the-corner will get its domain listed by such
"accreditation services".
If they don't (and they mostly won't), then accreditation services won't be of
that much use, as you will never be able to reject mail from all-the-domains-
that-are-not-listed, just as today it is impractical to reject mail from all
the MTAs which doesn't have any PTR in-addr record.
But I don't believe we can avoid accreditation services altogether.
This will introduce costs that many non-profit, personal or vanity
domains will not be able to afford,
I specifically dispute that. Unless we do nothing at all _and_ an
unlikely series of events all happen, nobody's going to be forced to
register with one central expensive accreditation service. The horror
of having to register with multiple expensive accreditation services
can't (IMHO) get much worse than it already is.
?
and I oppose the idea that anybody should have to pay a commercial
company for being allowed to send mail.
Conceivably, Michel would actually prefer to spend time trying to
convince a swarm of "free" services to de-list an IP range, rather than
to pay a few dollars to one accreditation service. Personally, I doubt
that's the majority opinion...
The best would be not to be listed at all ;-)
I already have lost some hours a couple of times trying to get delisted,
sometimes from some ISPs "internal" blacklists that had listed a complete /16
or the like, and usually, being polite and professional is enough to succeed
quickly.
Blacklists that keep you listed for no reason and refuse to delist you
forever, yes, there are some (check my IP at openrbl.org, you'll find ONE
that keeps a /16 listed and refuses to hear about delisting innocents), but
such unprofessional blacklists are seldom used by serious companies for mail
filtering.
IMHO, one should be deemed innocent until proved guilty, and the
"accreditation services" system turn the things upside-down : One
will be presumed guilty unless listed as innocent. Bad, bad, bad.
I don't see that kind of "accreditation service" as useful --
though I agree it's going to happen. I believe we can best avoid it
by offering a better alternative.
...which would be...?
The advantage of blacklists, on the opposite, is that, if ever you
get listed, there is probably a reason,
Evidently, Michel hasn't experienced blacklisting as I have.
As you have, I don't know, but yes, and enough for me anyway ;-)
--
Michel Bouissou <michel(_at_)bouissou(_dot_)net> OpenPGP ID 0xDDE8AC6E