From: Paul Vixie <vixie(_at_)vix(_dot_)com>
If you believe that "reputation" or "trust" systems might help the
spam problem, then the only room for improvement is in the trust query
protocol. DNS is a screw driver being used as a hammer in DNS blacklists.
However, this is merely a matter of optimization or elegance.
so, it's possible that there is some overlap between my universal privacy
goals, and my support for the long-awaited dnssec extensions, and my support
for the procket/juniper/cisco/paix/nasa/verio/shepfarm/isc multicast
deployment effort.
DNSSEC would be a Good Thing(tm) on its own merits, but I don't see
any direct connection between it and a replacement for DNS blacklists.
Of course a replacement would start without reasonable authentication.
If you insist on using DNS screwdrivers as SMTP authorization hammers,
then DNSSEC blacklists would be a minor improvement. DNS has the wrong
sorts of caching as well as the wrong sort of data for a reputation
database. You want answers better than 32 bit number (PTR RR) or an
ASCII string (TXT RRT).
I don't see what multicast has much to do with my SMTP server asking
my chosen (and hired) clearinghouse about the reputation of the owner
the IP address of an SMTP client. Some sort of anycast might be a
good optimization. I guess anycasting can be seen as a form of
multicasting. Is that what you mean?
] From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>
] I had some preliminary conversations with blacklist operators about
] this. There wasn't any interest in making a better protocol, but some
] people did expressed a need to document the existing one.
People with working code and large customers bases rarely choose to
replace a servicable solution like the current DNS blacklist kludge
with a proper solution, no matter how much more elegant.
Replacing the DNS blacklist kludge with something better today would
be little more than arranging the deck chairs. What's needed is to
patch the hole in the hull, or for more ISPs to do as Earthlink has
done in recent years and get serious about dealing with spam. Earthlink
is far from perfect, but they are far better than they were and far,
far better than other outfits. For example, as far as I can tell,
today an SMTP connection from Comcast is likely to be carrying spam,
while a connection from Earthlink probably isn't. If you don't have
your own traps, see the numbers at http://www.senderbase.org/
or the better but less immediate numbers at http://spamhaus.org/
} From: "Robert G. Brown" <rgb(_at_)phy(_dot_)duke(_dot_)edu>
} ...
} The one other place that I think there COULD be room for improvement is
} to make the process of identifying sites that are originating spam or
} viruses more rapid and automatic, and to create a better/more formal set
} of rules responding to a site (or an entire SP subnetwork) postmaster.
} Such work might actually spell out all the steps between reporting and
} being blacklisted.
I strongly disagree. There is and can be nothing better than the IP
address of the SMTP client for identifying the orgin of a mail message.
Some will object that's not the origin, but they're generally repeating
the nonsense and lies of ISPs trying to duck blaim for supporting
spammers. The practical origin of a paper letter is wherever the
postals service, FedEx, etc. accepts it, no matter whether you wrote
it while standing in the post office, at home, at work, or in an
airplaine 35,000 feet above practically unknowable real estate.
Yes, I've heard about UUCP, SMTP relays, smarthosts, and so forth and
so on. As far as your SMTP server is concerned, a good, sufficient,
and necessary definition of the origin of a mail message is the IP
address of the sending SMTP client. It doesn't matter whether the
sending IP address is an open proxy on a Comcast network, a system in
China, or Dell Computers' "newsletter" senders. The IP address as
good as anything else could be, and already available. It's only
defect is that it makes ISPs responsible for taking Ralsky's money.
} If every ten pieces of spam sent out of an SPs network -- even every 100
} pieces -- generated a complaint message to postmaster with headers laid
} out that clearly identified the offending host/client, I think that it
} would provide SPs with a real incentive, AND the tools, to address the
} problem.
I used to say that, but then I saw that even (or especially) the worst
ISPs can figure out how to connect postmaster@ to /dev/null or to an
autoresponding ignorebot that lies about the responsibility of the ISP.
| From: John Leslie <john(_at_)jlc(_dot_)net>
| > - If you say that you can't trust ISPs to check that a new customer
| > is not Al Ralsky in disguise or one of his proxies, then you must
| > say the same about any other organization.
|
| ISPs operate in a _very_ different business environment than, say,
| UNICEF.
Possibly true but certainly irrelevant.
| > - If you say that ISPs cannot check the reputation of new customers
| > for a $30/month account, then you must say the same about any
| > other organization.
|
| ISPs offering $30-per-month service are very likely losing money
| (and worrying who to lay off next).
True and relevant, but only in the sense that any outfit that might
sell trust assurances might have trouble doing it for $30/month.
| Your bank, OTOH, is probably
| doing nicely on less than $30-per-month service charges.
If that is true, then an ISP could do the same. I think it is true
only in a facile and fundamentally false sense. My banks makes money
on more than my explicit service fees, which are approximately $0/year.
| Also, some
| ISPs have no reason to worry much about their reputation, because
| they have in effect a government-mandated near-monopoly.
No matter how often anyone says that, it remains false. By now the
base motives for that old nonsense should be considered. Outside some
totalitarian regimes, there are no monopolies of any sort on real real
Internet access. There are monopolies on some imitation Internet
servcies at price points that some claim are related to basic human
rigts, while expecting us to ignore the fact that the $15-$35/month
point they claim necessary to protect their basic human right to send
mail is 10 or 100 times too high for the vast majority of humanity.
| > - If you trust some of those other outfits to revoke their virtual
| > letters of introduction and recommendation, then you must be
| > willing to trust some ISPs to do the same and terminate accounts.
|
| Ah, yes, but _which_ ISPs?
Currently the ISPs certified by your choice among your personal
blacklists, the SBL, CBL, XBL, SPEWS, MAPS, ORDB, etc.
| ...
| The second part (terminating) is not true, IMHO. There's a real
| danger of getting sued for that, not to mention the loss of revenue.
The second part of that is relevant. An ISP that refuese to terminate
a spammer for fear of lost revenue does not have any IP addresses
that many of us want conencted to our SMTP servers,
The first part is nonsense spread by spammers and dishonest, spam-friendly
ISP spokeslime. ISPs have no problems terminating customers with less
than minimal evidence. Within the last 10 days, I watched a business
customer, not merely a home end-luser, get cut off by a major ISP with
telco connections for some time because it failed to respond to a report
of mine. Of course an ISP must be careful to avoid breaking contracts
and so forth, but that does not prevent termination. Why else is the
spam advertising "bulletproof hosting" common?
Vernon Schryver vjs(_at_)rhyolite(_dot_)com