
Re: [ietf-smtp] IETF Policy on dogfood consumption or avoidance - SMTP version

2019-12-27 03:13:19
On Thu 26/Dec/2019 23:36:05 +0100 Sam Varshavchik wrote:
Alessandro Vesely writes:
On Thu 26/Dec/2019 02:58:46 +0100 Sam Varshavchik wrote:

A healthy portion of my spam folder is DMARC-signed, so that does a
lot of good, in that regard…

Those domains are bad.  Knowing their reputation, their messages could have
gone to the spam folder based on authentication rather than content. 
Reputation, as standardized by rfc7073, is normally not used.  Even if
reputation is a key ingredient, it's not up to SMTP to mention that mail
sites should maintain (and share) a database of email identities.

Who gets to be in charge of judging domain reputation, anyway? From my
experience I have no faith in any scheme that involves a third party 

DNSBLs are the best known third party reputation source providers, and they
have a long track record. And my take is that their track record is somewhat
spotty. I use two of them. My current stats are that my custom HELO/EHLO, SPF,
and CBV checks block more than four times as much garbage as both of them
combined; and I do believe I check the DNSBLs first, before expending
additional resources on all other checks.

DNSWL also exist, and some of them do a fairly good job.  Of course, they
happen to whitelist spammers, or, as well, whitelisted MTAs happen to spew spam.

Some of these DNSBLs have existed for decades. If they were truly effective,
you'd think there'll be just a trickle of spam left by now.

That folder I mentioned earlier – full of DMARC-signed spam – it's not like it's
just from a limited set of senders. I already blacklisted the persistent spam
sources manually, since it appears that they tend to be concentrated on 
hosting providers that ignore spam complaints, and the aforementioned DNSBLs
appear to have a blind spot for those sewers. That DMARC-signed spam comes from
all over the place, and attempting to chase down each one is pointless, since
the sources keep changing, each time. Since none of the two popular DNSBL
reputation providers have done anything about those spam-spewing hosting
providers, that I can see, I have very little confidence in them tracking the
churning domain sources of spam that remain after the low-hanging fruit gets
filtered out by the existing low-cost checks.

Third party reputation service providers have some marginal value, in my eyes.
They provide some value today. But I'm skeptical that they can be a complete
solution to spam.

The only technical solution that I think has a chance of eventually getting rid
of spam is the one that conclusively proves or disproves whether the mail
sender is known to the /individual addressee/.

If users send out mail using the domain's MTA —as they should— the MTA can keep
a count of messages sent to and received from each domain.  I don't count
messages to/from abuse or postmaster accounts (perhaps I should also exclude
info).  It is unusual to get spam from a domain that has both counters
positive.  I'd guess that that is nearly as good as individual addressee.  On
the other hand, while different domains have different policies about allowing
users to use varying From: values, receivers only get an SPF and/or DKIM
authentication, which covers the domain-part of the address only.

However, what usually happens is to get mail from new domains.  Even after
years, the number of new domains per day is not decreasing.  It is a mixture of
good and bad domains.  Many of the bad ones are trash domains, especially with
the new TLDs.

Having a reputation provider vouch for the reputation of the sender does
nothing to address the fundamental nature of what spam is.

Correct.  However, it can tell if a domain is a stable mail site, with a
responding abuse team, or, say, (one of yesterday's pile).

Any reputation-based scheme is doomed to eventually get corrupted. So, you have
a reputation provider somehow used to assign a reputation to a sender, in some
form or fashion. Details don't matter. It's only a matter of time before: 1) A
deep-pocketed organization with a good reputation starts spamming, they think
this gives them license to spam, 2) at this point either the reputation
provider does nothing, crashing the whole scheme, or revokes the 
reputation, 3) the deep-pocketed organization sues the reputation provider for
defamation, libel, or some other tort, they'll just make something up, 4)
hilarity ensues.

Another possibility is to devise some sort of neighboring communities whereby a
mail domain can get the worthiness of the sending domain from a multitude of
third party domains, possibly weighting their advice by the worthiness of each
purveying domain in turn, and averaging the result.  Not so straightforward,
but maybe possible.

Then, it will always happen to have a user's identity stolen or some such.
Like car accidents, one can never stop them for good.  Authentication, if done
well, provides for reporting abuse.  Complaining about someone's behavior is
the proper way to cure the social aspect of spam, to improve sensible behavior
in order to reduce the number of accidents.


ietf-smtp mailing list
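
Added illustration, not code from either poster: the per-domain sent/received counters and the worthiness-weighted averaging of third-party advice described in the message above, sketched in Python. The class and function names, the three labels, the `example.*` addresses, and the choice to count only authenticated inbound mail are assumptions made for this example.

```python
from collections import defaultdict

ROLE_LOCALPARTS = {"abuse", "postmaster"}  # excluded from counts, per the post

def split_addr(addr):
    """Return (local-part, domain), lowercased; domain is '' if there is no '@'."""
    local, sep, domain = addr.rpartition("@")
    return (local.lower(), domain.lower().rstrip(".")) if sep else (addr.lower(), "")

class DomainCounters:
    """Per-domain counts of mail sent to and received from each remote domain."""
    def __init__(self):
        self.sent = defaultdict(int)
        self.received = defaultdict(int)

    def _countable(self, *addrs):
        return all(split_addr(a)[0] not in ROLE_LOCALPARTS for a in addrs)

    def record_sent(self, sender, rcpt):
        if self._countable(sender, rcpt):
            self.sent[split_addr(rcpt)[1]] += 1

    def record_received(self, sender, rcpt, authenticated):
        # Assumption: only SPF/DKIM-authenticated mail is counted, because
        # authentication covers the domain part that serves as the key here.
        if authenticated and self._countable(sender, rcpt):
            self.received[split_addr(sender)[1]] += 1

    def classify(self, domain):
        s, r = self.sent.get(domain, 0), self.received.get(domain, 0)
        if s > 0 and r > 0:
            return "correspondent"   # both counters positive
        return "new" if s == 0 and r == 0 else "one-way"

def neighbor_score(advice, worthiness):
    """Average third-party scores, weighted by each adviser's own worthiness."""
    total = sum(worthiness.get(n, 0.0) for n in advice)
    if total <= 0:
        return None                  # no trusted adviser has an opinion
    return sum(s * worthiness.get(n, 0.0) for n, s in advice.items()) / total

def demo():
    """Constructed sample traffic; all addresses are placeholders."""
    c = DomainCounters()
    c.record_sent("alice@example.org", "bob@example.com")
    c.record_received("bob@example.com", "alice@example.org", True)
    c.record_received("promo@example.net", "alice@example.org", True)
    c.record_received("x@example.com", "postmaster@example.org", True)  # role account, ignored
    return c
```
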
