Re: Everyone Greylists Except Honeypots ... So Let's Not Spam Honeypots!

On Dec 5, 2007, at 6:51 PM, John C Klensin wrote:

> This type of reasoning is exactly the reason why some of us are  
> skeptical about greylisting and any other technique that works well  
> only if it is used by sufficiently few people.   If it starts being  
> used enough, the spammers have the incentive to figure out how to  
> simulate the behavior that gets past the traps and then, sooner or  
> later, it isn't worth bothering with.  The skepticism leads some of  
> us to wander away from conversations about how wonderfully effective  
> the technique while muttering "arms race".   Others wander off in a  
> slightly different directions muttering "making the bad guys smarter  
> is really not a good strategy"
> At least the first of those sources of muttering noises does not  
> suggest that you shouldn't use a method that works for you as long  
> as it does work for you (others might disagree about that). It does  
> mean, I think, that you should be somewhat careful about praising  
> the method to others or assuming that it will last forever.  And  
> then there is the part I worry about most, which is that we will  
> make basic changes to the email protocols in order to make things  
> work better, for a short time, for these relatively short-life- 
> expectancy techniques.
SMTP's inability to reliably identify where a message originated has  
caused inordinate reliance on content filtering.  While at first,  
content filtering had been fairly effective, this in turn has caused  
spammers to improve their obfuscation techniques at a rate that has  
become impractical for receivers to match with resources.
For each direct source of spam, there are 4 sources of spam emerging  
from tens of millions of MTAs as DSNs.  The abuse of DSNs is seriously  
eroding email's integrity.
Few MTAs can operate and accept message for all recipients.  The  
inability for MTAs to handle all possible traffic exposes valid  
recipients to being discovered.
Providers of domain names, IP addresses, or certificates have a  
conflict of interest, and are unable to prevent access to spammers.
SMTP can not even mandate the use of an MX record to avoid searching  
for policy records.
Reputation assessments of the last hop IP address is causing spammers  
to merge their traffic with other domains.  Often this merging is  
accomplished through compromised residential systems.  The doubling  
rate is at six months, quickly making last hop reputation assessments  
less meaningful.
While DKIM attempts to provide essential transport information, it is  
also prone to replay abuse and employs public key cryptography where  
sign-once / send-many gives transmitters a resource advantage.
Grey-listing does not afford any long term strategy.  However, the use  
of temp errors can help avoid a complete denial of service as a triage  
strategy for limited receiver resources.  Reputation is then used to  
establish priority.  Processing undesired messages can exceed 99% at  
very high volumes.  This is not how the Internet should work.  A basic  
change to SMTP is needed to shift the burden toward the transmitter.   
Greylisting increases the number of transactions per message, so  
ultimately, this is headed in the wrong direction.
The TBR reference exchange can be done within a single transaction.   
The transmitter is required to hold messages until the receiver is  
ready.  With a high level of source granularity, message origination  
reputation should be able match the transmitter's level of abuse and  
not breed super spam.  References can be retained for a period of  
time, where abuse pattern can be detected and used to silently expunge  
abusive sources.
-Doug