
Re: draft-atkins-smtp-traffic-control

2011-10-31 21:27:55

On 10/31/11 1:23 PM, Murray S. Kucherawy wrote:
> On Monday, October 31, 2011 9:24 AM, Steve Atkins wrote:
>
>> Yahoo! is currently handling somewhat over 300,000 delivery attempts a
>> second[1]. You don't need to increase the average cost of a mail delivery
>> (either by increasing the cost of a delivery attempt or by increasing
>> the number of delivery attempts per message) by much for it to add
>> up to significant costs.
>
> I believe it, but to be fair, they also have not come forward to indicate that
> this is hurting them.  Thus, I have to conclude they can handle it just fine.

As long as there is adequate network bandwidth and server resources, email is not likely to see problems. When the assumption of adequate resources is not true, it becomes difficult to know whether there is a problem since there won't be evidence of a problem seen in receiving MTA logs. These logs will not include the number of incomplete connections.

For those on smaller networks, such as schools or those in rural areas, coping with email abuse often requires servers located in data centers, bringing the joy of paying at the 95th percentile of network traffic and the cost of server space and power consumption, in addition to the Internet connectivity needed to browse the Internet and to transfer filtered email.

We offer a strategy where abusive IP addresses are kept from competing with legitimate senders. While this strategy works fairly well at reducing server and network loads, it seems unlikely this strategy can be extended to cover IPv6, which currently has 65k times the announced IP address space over the maximum available in IPv4. This large space is also growing exponentially well beyond that of Moore's law. Those who decide not to offer IPv6 connectivity will find IPv4 will impose a growing percentage of addresses representing a dynamic and uncategorized range of senders sharing the same addresses.

A hybrid approach where connections are first established using Kerberos could provide a good solution. MIT has made an implementation of Kerberos freely available, under copyright permissions similar to BSD licensing. In 2007, MIT formed the Kerberos Consortium, whose sponsors include Oracle, Apple, Google, Microsoft, and Centrify. The IETF has the krb-wg supporting Kerberos.

By taking a layered approach where SMTP uses Kerberos tickets as a basis for acceptance, IPv6 address information can be obtained to open access to SMTP servers, where connections can also be validated using Kerberos tickets. An extension to SMTP-Auth would be run in conjunction with the infrequent use of Kerberos leveraging PKI or DANE. This would permit an efficient exchange of email able to avoid much of the costs associated with email abuse.

The many problems created by reputation systems that fail to authenticate the entities being rated can be avoided as well. Kerberos is already being heavily used by Apple and can support the integration of other Internet-based services.