Michel Bouissou <michel(_at_)bouissou(_dot_)net> wrote:
Le mercredi 4 Ao?t 2004 02:37, John Leslie a ?crit :
If there is any "mandate" to use accreditation services, it won't be
coming from MARID. However, burying our heads in the sand won't help:
At best, MARID can verify that a domain intends to authorize particular
actions by MTAs: we can say nothing about whether this authorization
gives the receiver good reason to trust that MTA.
There must be accreditation services (by whatever name we call them)
to provide that critical information link.
Do we actually need to have "good reasons to trust a MTA" to start
accepting mail from it, or do we barely need to be able to stop
accepting mail from ill-behaved domains once they're flagged as "bad" ?
This is a distinction without a difference: we need "good enough"
reasons to trust the MTA using that EHLO domain-name.
"Good enough" is in the eye of the beholder.
Hopefully, most sites will accept email from previously-unknown domains
until the first instance of abuse (which can be propagated by reputation
services within seconds); and accept email from previously-trusted domains
until a pattern of abuse (possibly extending over several days) is seen.
But all of that is a local option; and local options will drive the
kinds of reputation services which are widely used.
(Fortunately, there's a gray area between accept-unconditionally and
reject-unconditionally, involving various devices like rate-limiting.)
Once we have a system that ensures that mail is not forged, and comes
from a MTA that is authorized by the domain to which it belongs, I
believe we have enough.
Not everyone will agree with you...
If this domain is ill-behaved, it will rather soon get blacklisted at
spamhaus.org, ROKSO, (put the name of your favourite spam-operations
blacklist here), and we can soon stop accepting mail from it.
... a particular kind of reputation service which I'm sure will
continue...
I don't believe that spammers can eternally keep on purchasing tens of
throw-away domains and change hosting or "their legitimate spam-sending
servers" everyday.
Time will tell...
In this regard, reactive blacklists seems to me to be more useful than
"accreditation services".
Reactive blacklists are one kind of reputation service. The importance
of accreditation services is to allow a mechanism to automate recovery
from listing by reactive blacklists.
Yes, there will be costs associated with getting accreditation services
to (favorably) list you. I believe we can minimize those costs; and I
believe we can make it possible for many domains to avoid even minimal
costs, so long as they're "well-behaved".
Hummm... I think we yet have to see this. And I sincerely wonder if
every little business and shop-around-the-corner will get its domain
listed by such "accreditation services".
Most likely not... until they run afoul of blacklists.
If they don't (and they mostly won't), then accreditation services
won't be of that much use, as you will never be able to reject mail
from all-the-domains-that-are-not-listed, just as today it is
impractical to reject mail from all the MTAs which doesn't have any
PTR in-addr record.
I don't believe anyone in MARID is seriously proposing to reject all
email which isn't listed. (The closest I've heard of is delaying email
which doesn't come from a "listed" MTA; and that wasn't proposed for
everyone: just for a few domains in order to jump-start implementation.)
Conceivably, Michel would actually prefer to spend time trying to
convince a swarm of "free" services to de-list an IP range, rather
than to pay a few dollars to one accreditation service. Personally,
I doubt that's the majority opinion...
The best would be not to be listed at all ;-)
Not always possible...
I already have lost some hours a couple of times trying to get delisted,
sometimes from some ISPs "internal" blacklists that had listed a
complete /16 or the like, and usually, being polite and professional is
enough to succeed quickly.
"Usually" may not be good enough; and "some hours" may be more expensive
for some than for others. (Not to mention the cases where you don't even
learn which service is blacklisting you.)
Blacklists that keep you listed for no reason and refuse to delist you
forever, yes, there are some (check my IP at openrbl.org, you'll find
ONE that keeps a /16 listed and refuses to hear about delisting
innocents), but such unprofessional blacklists are seldom used by
serious companies for mail filtering.
That they're used at all can be a problem.
IMHO, one should be deemed innocent until proved guilty, and the
"accreditation services" system turn the things upside-down : One
will be presumed guilty unless listed as innocent. Bad, bad, bad.
I don't see that kind of "accreditation service" as useful --
though I agree it's going to happen. I believe we can best avoid it
by offering a better alternative.
...which would be...?
...accreditation services which list you favorably at minimal charge
until abuse is discovered.
--
John Leslie <john(_at_)jlc(_dot_)net>