> From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>
> ...
> This is a human problem, not a technical one - the ISPs are unwilling in
> many cases to handle abuse reports seriously, or are unwilling to invest
> in any kind of infrastructure to detect abuse. For example, one of the
> ideas floating around the ASRG has been a BCP for handling hijacked
> machines. A detection mechanism would be in place that counts outbound
> email from a given machine or subscriber, and if that usage spikes the
> mail would be queued and the subscriber notified.
The ISP can't queue mail that doesn't go through its smarthosts.
It can only block port 25. That generally causes mail to be lost,
whether from legitimate MTAs to distant MUAs or from spamware.
> How many ISPs are actually
> willing to do that (although ComCast began shutting down accounts of
> hijacked machines)? What monetary incentive would the ISPs have to do
> that? And even if the IETF publishes the BCP, there is no way to enforce it.
At $30/month, an ISP can't afford to do much watching for spikes. It
certainly can't hold the hands of users who couldn't be bothered to
install virus defenses or not open attachments. About all that a
"consumer grade" ISP can afford to do is preemptively block outgoing
port 25, 135, etc. for all customers. I've been complaining for years
that is slum tenement Internet service, but it seems to be all that most
users are willing to pay for, in money and in acquiring and using
technical expertise (e.g. virus filters and not opening attachments).
If the IETF would officially define "slum tenement Internet service"
(with better words, of course), then truth in advertising laws, the
value of product differentiation to ISPs, and savvy users might make
port 25 filtering universal where it is needed and absent elsewhere.
That would stop lunacy like blacklisting any IP address whose reverse
DNS name contains the substring "dsl."
> I do not see how the IETF can do anything to force ISPs to handle abuse
> complaints more seriously. This is why people tend to block ISPs and
> IP blocks unilaterally in order to force ISPs to take action (not to say
> that I necessarily agree with it). The only two things that I see here
> that can be done by the IETF are either to facilitate easier abuse
> handling by ISPs via standard formats for abuse reports;
ISPs don't need to exchange abuse reports, but to deal with their own.
There's no value in standardizing the unidirectional stream of abuse
reports from the spam-hostile part of the Internet to the spam friendly
part that largely ignores reports of abuse.
> or provide some
> kind of standards for exchanging reputation data among receivers. Both
> still rely on the human decisions made by both ISPs and receivers on how
> this data is used.
Exchanging reputation about receivers makes as little sense as announcing
consent to receive mail or solving spam with authentication. You can't
trust people to announce their own reputations or to obey your announced
refusal to receive spam. Reputation exchanges are either systems
like TrustE's that in practice certify untrustworthiness or functional
equivalents of the current DNS blacklists.
Wise blacklist operators, and I think all major blacklist operators,
do not, could not, and would not have any reputations to exchange.
You can add to your blacklist only based on evidence that you can defend
in court. Reports from outsiders, including users of your blacklist,
are almost useless.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com