> From: Paul Vixie <[EMAIL PROTECTED]>
>
> > If you believe that "reputation" or "trust" systems might help the
> > spam problem, then the only room for improvement is in the trust query
> > protocol. DNS is a screwdriver being used as a hammer in DNS blacklists.
> > However, this is merely a matter of optimization or elegance.
>
> so, it's possible that there is some overlap between my universal privacy
> goals, and my support for the long-awaited dnssec extensions, and my support
> for the procket/juniper/cisco/paix/nasa/verio/shepfarm/isc multicast
> deployment effort.
DNSSEC would be a Good Thing(tm) on its own merits, but I don't see any
direct connection between it and a replacement for DNS blacklists. Of
course a replacement would start without reasonable authentication. If
you insist on using DNS screwdrivers as SMTP authorization hammers, then
DNSSEC blacklists would be a minor improvement. DNS has the wrong sorts
of caching as well as the wrong sort of data for a reputation database.
You want answers better than a 32-bit number (PTR RR) or an ASCII string
(TXT RR).

I don't see what multicast has to do with my SMTP server asking my
chosen (and hired) clearinghouse about the reputation of the owner of the
IP address of an SMTP client. Some sort of anycast might be a good
optimization. I guess anycasting can be seen as a form of multicasting.
Is that what you mean?

] From: Yakov Shafranovich <[EMAIL PROTECTED]>
] I had some preliminary conversations with blacklist operators about
] this. There wasn't any interest in making a better protocol, but some
] people did express a need to document the existing one.

People with working code and large customer bases rarely choose to
replace a serviceable solution like the current DNS blacklist kludge with
a proper solution, no matter how much more elegant.

Replacing the DNS blacklist kludge with something better today would be
little more than arranging the deck chairs. What's needed is to patch the
hole in the hull, or for more ISPs to do as Earthlink has done in recent
years and get serious about dealing with spam. Earthlink is far from
perfect, but they are far better than they were and far, far better than
other outfits. For example, as far as I can tell, today an SMTP
connection from Comcast is likely to be carrying spam, while a connection
from Earthlink probably isn't. If you don't have your own traps, see the
numbers at http://www.senderbase.org/ or the better but less immediate
numbers at http://spamhaus.org/

} From: "Robert G. Brown" <[EMAIL PROTECTED]>
} ...
} The one other place that I think there COULD be room for improvement is
} to make the process of identifying sites that are originating spam or
} viruses more rapid and automatic, and to create a better/more formal set
} of rules responding to a site (or an entire SP subnetwork) postmaster.
} Such work might actually spell out all the steps between reporting and
} being blacklisted.

I strongly disagree. There is and can be nothing better than the IP
address of the SMTP client for identifying the origin of a mail message.
Some will object that's not the origin, but they're generally repeating
the nonsense and lies of ISPs trying to duck blame for supporting
spammers. The practical origin of a paper letter is wherever the postal
service, FedEx, etc. accepts it, no matter whether you wrote it while
standing in the post office, at home, at work, or in an airplane 35,000
feet above practically unknowable real estate. Yes, I've heard about
UUCP, SMTP relays, smarthosts, and so forth and so on. As far as your
SMTP server is concerned, a good, sufficient, and necessary definition of
the origin of a mail message is the IP address of the sending SMTP
client. It doesn't matter whether the sending IP address is an open proxy
on a Comcast network, a system in China, or Dell Computers' "newsletter"
senders. The IP address is as good as anything else could be, and already
available. Its only defect is that it makes ISPs responsible for taking
Ralsky's money.

} If every ten pieces of spam sent out of an SP's network -- even every 100
} pieces -- generated a complaint message to postmaster with headers laid
} out that clearly identified the offending host/client, I think that it
} would provide SPs with a real incentive, AND the tools, to address the
} problem.

I used to say that, but then I saw that even (or especially) the worst
ISPs can figure out how to connect postmaster@ to /dev/null or to an
autoresponding ignorebot that lies about the responsibility of the ISP.
| From: John Leslie <[EMAIL PROTECTED]>
| > - If you say that you can't trust ISPs to check that a new customer
| >   is not Al Ralsky in disguise or one of his proxies, then you must
| >   say the same about any other organization.
|
| ISPs operate in a _very_ different business environment than, say,
| UNICEF.

Possibly true but certainly irrelevant.

| > - If you say that ISPs cannot check the reputation of new customers
| >   for a $30/month account, then you must say the same about any
| >   other organization.
|
| ISPs offering $30-per-month service are very likely losing money
| (and worrying who to lay off next).

True and relevant, but only in the sense that any outfit that might sell
trust assurances might have trouble doing it for $30/month.

| Your bank, OTOH, is probably
| doing nicely on less than $30-per-month service charges.

If that is true, then an ISP could do the same. I think it is true only
in a facile and fundamentally false sense. My bank makes money on more
than my explicit service fees, which are approximately $0/year.

| Also, some
| ISPs have no reason to worry much about their reputation, because
| they have in effect a government-mandated near-monopoly.

No matter how often anyone says that, it remains false. By now the base
motives for that old nonsense should be considered. Outside some
totalitarian regimes, there are no monopolies of any sort on real
Internet access. There are monopolies on some imitation Internet services
at price points that some claim are related to basic human rights, while
expecting us to ignore the fact that the $15-$35/month point they claim
necessary to protect their basic human right to send mail is 10 or 100
times too high for the vast majority of humanity.

| > - If you trust some of those other outfits to revoke their virtual
| >   letters of introduction and recommendation, then you must be
| >   willing to trust some ISPs to do the same and terminate accounts.
|
| Ah, yes, but _which_ ISPs?
Currently the ISPs certified by your choice among your personal
blacklists, the SBL, CBL, XBL, SPEWS, MAPS, ORDB, etc.

| ...
| The second part (terminating) is not true, IMHO. There's a real
| danger of getting sued for that, not to mention the loss of revenue.

The second part of that is relevant. An ISP that refuses to terminate a
spammer for fear of lost revenue does not have any IP addresses that many
of us want connected to our SMTP servers.

The first part is nonsense spread by spammers and dishonest,
spam-friendly ISP spokeslime. ISPs have no problems terminating customers
with less than minimal evidence. Within the last 10 days, I watched a
business customer, not merely a home end-luser, get cut off by a major
ISP with telco connections for some time because it failed to respond to
a report of mine. Of course an ISP must be careful to avoid breaking
contracts and so forth, but that does not prevent termination. Why else
is the spam advertising "bulletproof hosting" common?

Vernon Schryver [EMAIL PROTECTED]
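The DNS-blacklist "screwdriver" the thread keeps referring to, as an added example that is not part of the original message or of any blacklist operator's code: it builds the reversed-octet (or reversed-nibble, for IPv6) query name for an SMTP client's IP address and decodes the answer against a constructed zone. It assumes the widely used DNSBL convention of an A record inside 127.0.0.0/8 as the listing code; the zone name, its entries and the meanings of the codes are constructed, and the resolver is a dict so the example runs offline.

```python
import ipaddress

# Constructed stand-in for the answers a DNS-based blacklist zone might give.
# By the common DNSBL convention the answer is an A record in 127.0.0.0/8
# whose last octet says why the address is listed; no entry means NXDOMAIN.
CONSTRUCTED_ZONE = {
    "10.2.0.192.bl.example": ["127.0.0.2"],   # listed: spam source
    "22.2.0.192.bl.example": ["127.0.0.4"],   # listed: open proxy
    "33.2.0.192.bl.example": ["192.0.2.1"],   # broken/hijacked zone answer
}

# Code meanings assigned by the hypothetical zone operator (constructed).
RETURN_CODES = {"127.0.0.2": "spam source", "127.0.0.4": "open proxy"}

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(client_ip: str, zone: str) -> str:
    """Query name: address labels reversed, then the blacklist zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6 DNSBLs reverse the 32 hex nibbles, one per label.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def lookup(client_ip: str, zone: str, resolver=CONSTRUCTED_ZONE):
    """Return (listed, reasons) for an SMTP client address.

    Any answer outside 127.0.0.0/8 is not a blacklist code (a wildcarded,
    expired or hijacked zone can produce one) and is reported as an error
    rather than treated as a listing, so a dead zone cannot block all mail.
    """
    answers = resolver.get(dnsbl_name(client_ip, zone), [])
    reasons = []
    for a in answers:
        if ipaddress.ip_address(a) not in LOOPBACK_NET:
            raise ValueError(f"unexpected DNSBL answer {a} for {client_ip}")
        reasons.append(RETURN_CODES.get(a, f"unknown code {a}"))
    return bool(reasons), reasons


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.22", "192.0.2.99"):
        print(ip, dnsbl_name(ip, "bl.example"), lookup(ip, "bl.example"))
```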