On Sun, Dec 13, 2015 at 08:43:51PM -0800, Brandon Long wrote:
> This practice has been abandoned because it is impossible to do, not
> because people are bad. The system has a massive scaling problem.
> DOSing an admin problem report mailbox is trivially easy, and it's
> automatic, because spammers always send spam to known addresses like this.
> So how on earth _could_ any operator of mail service behave in what you
> describe as a "professional, ethical, responsible fashion?"

It's really not that hard: in fact, the bigger the scale, the easier
it is -- because there are more computing and personnel resources
available to deal with it. And the bigger the scale, the more important
it is that this be done: a high-powered distributed mail system can
do a lot of damage very quickly, particularly to smaller operations.
With great power, comes great responsibility.

Solutions for the meta-abuse problems associated with role accounts
(not just "postmaster", but "abuse", "webmaster", etc.) are well-known
and can be adjusted to fit any environment. I've deployed some of
them, singly and in combination, and in practice with some gradual
fine-tuning over time they work. Not perfectly, of course -- hence
the need for ongoing fine-tuning -- but they do work.

[ If you'd like me to explain some of those in some detail,
contact me off-list. We're already wandering somewhat and
this message is long enough. ]

So that's not the problem. The problem is grasping that it's an obligation
and that you [rhetorical you, I don't mean to pick on you personally]
don't get to just blow it off just because it's nontrivial. If it's
too hard to run your service properly, then do the Internet a favor and
*shut it down*. You won't be missed, and you'll easily be replaced.

Nobody is so precious, nobody is so important, nobody is so special,
that they get a pass on this: not an operation with 5 users, not one
with 500 million. RFCs are not written with exceptions for prominence
or size: the rules apply to everyone. If you *choose* to participate,
then you have also *chosen* to play by the rules -- and to properly
discharge your fundamental responsibilities to the entire rest of

> If the mail architecture is set up in such a way that people cannot
> operate it according to the specifications, is that a problem with the
> people, or with the architecture?

Oh, people can operate it that way: they're just choosing not to
because it's convenient and cheap -- the costs are borne by the
entire rest of the Internet, in the same way that pollution-spewing
industries impose their costs of operation on everyone else.

That's why, for example, some of the largest sources of spam that
makes it past my defenses are MAGY. They boast constantly about
how much they do to defend their users, and that's all fine and good,
but what are they doing to defend the rest of the Internet? And how
good a job can they be doing if they're sticking their fingers in
their ears in order to avoid hearing reports of abuse?

Here's a quick-and-dirty breakdown of spam received (e.g., not blocked)
at my primary addresses thus far in 2015:
1301 total over MAGY
2245 1495 other assorted sources, mostly snowshoe
So, roughly 1/3 of the 2015 spam that was addressed to me and made it past
my filters came from MAGY -- none of whom have answered an abuse complaint
ietf-smtp mailing list