On Thu, 16 Jun 2005, Dave Crocker wrote:
Keith,
it's possible to have open relays that don't contribute to spam. but
those relays need to employ some other means, e.g. rate limiting, to
Rate limiting is a relatively recent technique. Though very useful it has...
ummm, limited applicability.
I tried a "rate limiting" freeware a couple years ago. It didnt' work,
largely due to very poor programming. It had no locking. The programmers
didn't seem to understand that the program could be invoked
simultaneously. It worked only so long as there was only one message at a
time, a rate so slow as to not require rate limiting.
But abusers do look and behave differently from regular users. This can
be exploited to some extent. Slow queues that wait for an abuse pattern,
and so forth. But the best thing is to just block the blacklists from
scanning. And the techniques I just described to Tony Finch.
The problem is with zombies. They make mush of old-time models of spam, since
they demonstrate that a very small data stream from a single source can be
leveraged into a very, very large data stream, given enough sources.
It is interesting that the most recent "email authentication" scheme (SPF)
asists the zombies by identifying the ISP's (possibly closed) outgoing
relays. If the ISP happens to block port 25, which may be attractive to
residential ISPs which also happen to have the most zombies, then the
zombie needs to use the ISPs relays. Finding that relay for a thousand
different mail clients is a chore, and would have to be performed by a
severely limited virus payload. But along comes SPF, and identifies those
relays for the zombie. Foot, gun, trigger. Or perhaps SPF was more
intentional, and also happened to be a great source of money.
I don't know how much experience you have trying to do such tracing, but the
spamops folks have made quite clear that it is both vastly more effort and
considerably less productive, than one might expect. Again, there is no way
that relying on that is a reasonable best practise on the current Internet.
As
a small example, not that spammers now are stealing IP Address blocks. That
pretty much kills backtrace accountability.
The spamops folks are frequently unreasonable in this respect. They have
asserted, for example, that one cannot trust _any_ mail headers. They
expect _immediate_ results. Those are just unreasonable demands. No ISP
is going to cancel a users account on the say-so of some unreasonable
anti-spammer, who (as a group) are already well-known for outright lying,
revenge, and defamation.
Tracking a spam zombie requires a bit of patience and persistence. There
is nothing that will make that easier, except perhaps a standard abuse
submission protocol (which I proposed back in 1999).
unfortunately, the vigilante character of various open-relay blacklists
blacklists are not the subject of this BCP.
Its couched in terms to avoid that, and just assumes the blacklists claims
about open relays are right.
killed any attempt at this kind of innovation. just as we're now in
danger of various kinds of brain-dead "authentication" methods and
meaningless requirements killing useful email functionality.
new authentication methods are not the subject of this BCP.
It doesn't specify a specific method. It just says that email
authetication should be used.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf