It's about risk versus reward.

Never mind email. Let's say I'm an employer. They might all be perfectly fine people in Walmart land, but why do people on the network I control need to visit their web site? Is there any reason? Do we do business with them? I might not go to any great lengths to block them, but I might not miss them when they're gone. Maybe that seems a little silly. How about blocking certain web sites because they show ads from pwned ad networks? What if I block foreign media outlets, for this reason, because they're proven popular in watering hole attacks? You might say it's a lost cause, because smartphones, BYOD, whatever. I can block them from my network, whatever. But I'll raise you one: there are sites selling aggregate (if you're lucky) foot traffic info, and people are buying it to figure out how many people are at work at a particular location at a particular time; as an employer I have the right to ban carrying smartphones in the workplace, and this seems like a pretty reasonable reason if I need one.

The relationship between email and domains is tenuous... or is it? Plenty of domains out there send email through Gmail or Outlook. Plenty of domains don't. The hosting you choose is your political voice. Let's say you decide to set up your domain, and email, through a privacy-protected registrar, on privacy-protected nameservers. Never mind whether I think people should have the right to anonymously spew email on the internet or not. Hrmmm... seems like a good idea to spammers too, apparently. In fact, there are spammers using the same nameservers. I think I'll block all mail from domains using those nameservers, because I can see, because I keep records of such things, that I've never received legitimate mail from a domain using those nameservers. What about your domain? Really, I don't care. I'm not getting mail from anyone using those servers, Q.E.D. Seems like a good choice to me. You made a bad choice, predicated on a right and freedom to send email which doesn't exist in the real world. By accident or design, you set up shop in a bad neighborhood. (Your registrar made what I would consider a bad choice as well, although they likely disagree.)

People disagree on the definition of "newly observed (or registered or changed)", but one thing is clear: blocking email, or for that matter all resolution of new domains, is low risk... even if the benefits might vary with the situation or are inarticulable beforehand. I am well aware that along with the spammers, marketers are upset about this: they paid their money and registered a domain just for this marketing campaign, who are network administrators to get between them and their audience? Again, predicated on presumed rights and freedoms which are found not to be so absolute when tested in the real world. Long before NOD as a Thing, mail system administrators were mitigating spam by returning "spool full, try later" when the first mail from a domain shows up, and adding it to a whitelist so that when the sender retries in an hour or several the mail gets delivered. So, there's no historical precedent either. The perception of a right is simply in error.

1) It's all about the risk of mitigating certain annoyances or threats
   versus the risk of the loss of business and administrative overhead of
   dealing with false positives.

2) People are gonna do it and they're going to do it in the way that's
   easiest and least costly to them.

By the way, mail from mailing lists comes from the mailing list; furthermore, this mailing list's archives are online. Send email from anywhere that the mailing list will accept it, my policies are of no concern. :-)


I'll hazard that the reputation of particular domains, whether they're TLDs or PseudoTLDs, registrars, or particular constellations of network infrastructure, is outside the scope of this list. There are lists for the discussion of such issues, although in my experience the useful ones are not public.

--

Fred Morris
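
The first-contact deferral and the nameserver-based blocking described in the message above, as an added example that is not part of the original post. The class name, the reply texts, the 300-second minimum retry delay, the permanent rejection for blocked nameservers and the `.example` names are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass, field

# Reply texts are assumptions; 452/4.3.1 is the SMTP "mail system full" tempfail.
DEFER = "452 4.3.1 spool full, try later"
REJECT = "550 5.7.1 sender domain uses blocked nameservers"
ACCEPT = "250 2.0.0 OK"

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")

@dataclass
class FirstContactPolicy:
    blocked_nameservers: set                 # operator's local list (hypothetical)
    min_retry_delay: int = 300               # assumption: seconds before a retry counts
    first_seen: dict = field(default_factory=dict)  # domain -> time of first attempt
    allowed: set = field(default_factory=set)       # domains that came back later

    def __post_init__(self):
        self.blocked_nameservers = {norm(n) for n in self.blocked_nameservers}

    def decide(self, sender_domain, nameservers, now):
        domain = norm(sender_domain)
        # Neighborhood check first: a blocked nameserver is never whitelisted.
        if {norm(n) for n in nameservers} & self.blocked_nameservers:
            return REJECT
        if domain in self.allowed:
            return ACCEPT
        first = self.first_seen.setdefault(domain, now)
        if now - first >= self.min_retry_delay:
            self.allowed.add(domain)         # sender queued and retried: let it through
            return ACCEPT
        return DEFER                         # first contact, or retry came too soon

def run_sample():
    """Constructed events: (epoch seconds, sender domain, its NS set)."""
    policy = FirstContactPolicy({"ns1.privacy-ns.example"})
    events = [
        (0,    "new-campaign.example", ["ns1.dns-host.example"]),
        (60,   "new-campaign.example", ["ns1.dns-host.example"]),
        (3600, "New-Campaign.Example.", ["ns1.dns-host.example"]),
        (3700, "new-campaign.example", ["ns1.dns-host.example"]),
        (3800, "anon.example", ["NS1.PRIVACY-NS.EXAMPLE.", "ns2.privacy-ns.example"]),
    ]
    return [policy.decide(d, ns, t) for t, d, ns in events]

if __name__ == "__main__":
    for reply in run_sample():
        print(reply)
```

In a real mail system the nameserver set would come from an NS lookup on the sender domain at SMTP time; here it is passed in so the example runs offline.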
