Hi Doug,
This sounds urgent. I am not seeing this urgency, but maybe we just
have it under control.
Another side question Doug, is this an application-level based
filtering? Can one be authenticated lets say for SMTP but not WEB?
Is the filtering applied across all protocols? Is it the IP or mail level?
I see interesting scenarios when good guys who actually fail to connect
and authenticate via one protocol and when a limit is reached, the IP is
(optionally) blocked across all other entry points as well for a limited
period. Its all done automatically, they forget they need to wait for 5
minutes! Its works great auto-protecting them against "bad guys."
--
HLS
On 3/29/2013 1:28 PM, Douglas Otis wrote:
On Mar 29, 2013, at 9:58 AM, "John Levine" <johnl(_at_)taugh(_dot_)com> wrote:
As a result, it is questionable whether any IPv6 address-based reputation
system can be successful (at least those based on voluntary principles.)
It can probably work for whitelisting well behaved senders, give or take
the DNS cache busting issues of IPv6 per-message lookups.
Since a bad guy can easily hop to a new IP for every message (offering
interesting new frontiers in listwashing) I agree that it's a losing
battle for blacklisting, other than blocking large ranges of hostile
networks.
Fortunately, the IETF as a whole is not called upon to solve this
problem right now. People interested in mail reputation are welcome
to drop by the spfbis WG and the discussions in appsarea about
updating authentication and authentication logging RFCs.
Dear John,
The Internet is under a DDoS attack specifically against an email address
reputation service. This affects everyone, especially the IETF.
Strategies not premised on low overhead AUTHENTICATION are of little benefit.
We can no longer continue business as usual. I call upon the IETF to solve
this problem. It is within their charter. It is within their capabilities.
We can not make everyone upgrade, but we can establish a path that has a chance
of offering a solution.
Regards,
Douglas Otis