[Top] [All Lists]

Re: [ietf-smtp] IETF Policy on dogfood consumption or avoidance - SMTP version

2019-12-26 16:36:20
Alessandro Vesely writes:

On Thu 26/Dec/2019 02:58:46 +0100 Sam Varshavchik wrote:

> A healthy portion of my spam folder is DMARC-signed, so that does a
> lot of good, in that regard…

Those domains are bad. Knowing their reputation, their messages could have gone to the spam folder based on authentication rather than content. Reputation, as standardized by rfc7073, is normally not used. Even if reputation is a key ingredient, it's not up to SMTP to mention that mail sites should maintain (and share) a database of email identities.

Who gets to be in charge of judging domain reputation, anyway? From my experience I have no faith in any scheme that involves a third party reputation provider.

DNSBLs are the best known third party reputation source providers, and they have a long track record. And my take is that their track record is somewhat spotty. I use two of them. My current stats are that my custom HELO/EHLO, SPF, and CBV checks block more than four times as much garbage as both of them combined; and I do believe I check the DNSBLs first, before expending additional resources on all other checks.

Some of these DNSBLs have existed for decades. If they were truly effective, you'd think there'll be just a trickle of spam left by now.

That folder I mentioned earler – full of DMARC-signed spam – it's not like it's just from a limited set of senders. I already blacklisted the persistent spam sources manually, since it appears that they tend to be concentrated on several hosting providers that ignore spam complaints, and the aforementioned DNSBLs appear to have a blind spot for those sewers. That DMARC-signed spam comes from all over the place, and attempting to chase down each one is pointless, since the sources keep changing, each time. Since none of the two popular DNSBL reputation providers have done anything about those spam-spewing hosting providers, that I can see, I have very little confidence in them tracking the churning domain sources of spam that remain after the low-hanging fruit gets filtered out by the existing low- cost checks.

Third party reputation service providers have some marginal value, in my eyes. They provide some value today. But I'm skeptical that they can be a complete solution to spam.

The only technical solution that I think has a chance of eventually getting rid of spam is the one that conclusively proves or disproves whether the mail sender is known to the /individual addressee/. Spam, by definition, comes from an unknown source, and it will not be able to prove that it's a known source. That means it can be filtered out, at that point. That's the root of the problem: spam, by definition, comes from a completely unknown source to the sender. Focus the technical solution on /that/. Having a reputation provider vouch for the reputation of the sender does nothing to address the fundamental nature of what spam is.

Any reputation-based scheme is doomed to eventually get corrupted. So, you have a reputation provider somehow used to assign a reputation to a sender, in some form or fashion. Details don't matter. It's only a matter of time before: 1) A deep-pocketed organization with a good reputation starts spamming, they think this gives them license to spam, 2) at this point either the reputation provider does nothing, crashing the whole scheme, or revokes the organization's reputation, 3) the deep-pocked organization sues the reputation provider for defamation, libel, or some other tort, they'll just make something up, 4) hillarity ensues.

Forget about a deep-pocketed organization. If sufficiently motivated, I could probably dig up a historical incident, or two, from circa 10-15 years ago, where a fly-by-night spambag sued a small, but popular and effective, volunteer-run blacklist, causing them to incur non-trivial legal expenses.. Who's going to fund the reputation provider for something like this, and how?

No, I do not believe that a third party reputation provider is the way to go here.

Attachment: pgp4MEWAIQbuA.pgp
Description: PGP signature

ietf-smtp mailing list
<Prev in Thread] Current Thread [Next in Thread>