spf-discuss
[Top] [All Lists]

how blacklisting will work in the future

2004-01-12 08:37:39
On Mon, Jan 12, 2004 at 04:07:47PM +0100, Dr. Ernst Molitor wrote:
| 
| please be serious. If a single vote saying a spam trap has been hit
| would be sufficient to block an e-mail server, this would open up a
| simple way to shut down virtually all e-mail traffic within minutes. You
| wouldn't want that kind of DOS attack, would you?
| 

Today, we have DNSBLs.  DNSBLs return a binary yes/no response: either
"known bad" or "no response".  All the IPs that could potentially be
"known good" are lumped in with "no response".  Already we see a
precision problem.

DNSBLs try to discriminate the entire IPv4 space.  As I wrote in my
Linux Journal article:

    IPv4 space is 32 bits wide.  2^32 is about 4.2 billion.  4.2 billion
    grains of sand would just about fill a pickup truck.  Imagine trying to
    paint each individual grain black or white.

    IP-based blacklists are a valiant effort, but they operate at too low a
    level.  A good DNSBL has to decide whether an IP address is spammy or
    not, and get it right, for each of 4.2 billion IP addresses.  No wonder
    DNSBLs come and go: their maintainers burn out and give up.

On Friday, Eric Raymond will talk about greylisting as an antispam tool
to work in combination with SPF.

This is how greylisting works.  If you return 4xx to a legitimate MTA,
it will queue the message for later retry.  If you're talking to a
known-good sender, you don't need to greylist.  If you're talking to a
known-bad sender, you don't need to greylist.  But if you don't know
whether a sender is known good or bad, you need to give your reputation
provider some time to arrive at a decision.

Greylisting and DNSBLs don't work well together because the "known-good"
are lumped in with the "no data known".

So, in the future, things may work something like this.

- suppose a spammer goes out and buys a new domain, 32434offerz.com
- the spammer goes out and infects 10,000 new windows machines
- those the domain is not listed in RHSBLs
- those machines are not listed in DNSBLs
- the spammer starts a spam run.

- one of those 10,000 machines connects to your MTA.
- your MTA asks the DNSBLs about the client IP.
- the DNSBL returns "no-data".
- the DNSBL would also return "no-data" for a known good server.
- you cannot make a spam/nonspam decision based on the DNSBL.

- your MTA asks the RHSBLs about the client IP.
- when I say RHSBL, I mean a next-generation RHSBL that gives a richer answer.
- the RHSBL says:
  - i have no reported data about 32434offerz.com.
  - this itself is unusual.
  - it could be because the domain is new.
  - new domains could be good or could be evil.  we don't know.
  - i recommend that you ask me again the next time they connect.
- you return a 4xx tempfail response.  this is greylisting.
- at some point in the next ten minutes, the spammer will hit a spamtrap.

- let's say the spamtrap will report the spammer to DNSBLs and RHSBLs.
- a DNSBL that gets a report from the spamtrap now knows about the bad client 
IP.
- that bad client IP is one out of 10,000.
- an RHSBL that gets a report from the spamtrap now knows about the bad domain.
- the entire spam run is conducted with that domain.

- an hour later, the spammer tries to connect again.  you check back with the 
RHSBL.
- the RHSBL says:
  - The following statistics count SPF-validated transactions only.
  - 32434offerz.com has been known to me for X hours.
  - 32434offerz.com has reportedly sent a total of N messages.
  - 32434offerz.com has been reported by M spamtraps.
  - 32434offerz.com has been reported by H humans as a spammer.
- you have your own policies which use the above numbers as inputs to an 
algorithm.
- you decide whether to
  - reject the message with a URL saying "you look like a spammer"
  - accept the message, but content-filter it
  - accept the message without further scrutiny

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡