Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
Because there is no data protection on many databases (such as .com registrars who are forced to sell the data if requested), people lie when registering, because it is the only tool they have to protect their privacy. Yup. Our ICANN contracts both require us to sell bulk registrant data, and require us to maintain :42 and :80 (FORM+POST) whois servers, both unconditionally, to satisfy the trademarks interest group. The perfect open whois to fight spam claim exchanges 40,000,000 valid (or not dysfunctional in this particular context) for two or more orders of magintude smaller invalid and dysfunctional (in this partuclar context) addresses. Because registrar-registrar predation via whois data mining is a reality, registrars rate limit or otherwise attempt an ACL on both :43 and :80 whois service, and data format variation is a form of defense. It prevents the marginals who can't write a simple parser from theft via slamming the registrants. And since no one who wants whois data who isn't stealing registrants is paying us, grand unifying schemes aren't a registrar insterest. Again, look to the marks people, now accompanied by the new total information law enforcement people for the primary actors. As I've previously pointed out, neither of those two interest groups is fundamentally interested in SMTP. Fix the data protection problem and you'll have a better case to force people to register proper information. Bingo!
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
The current pretense of privacy is nothing more than a convenient mechanism for registrars to pad their wallets and evade responsible for facilitating abuse. As an aside, I used a (wicked big) competitor's privacy service to regsiter a domain for a political worker who wanted to whistleblow but not be identified. My customer could now use a web log service such as Duncan Black did under the name of atrios, and obtain casual (but not subpoena-proof) data protection (non-publication of customer profile data). Broadly I agree that privacy as a product under contract law is not a better solution than data protection as a right under human rights. However, data protection isn't as available to all potential registrants.
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
On Wed, Jan 12, 2005 at 10:59:43AM -0500, Steven Champeon [EMAIL PROTECTED] wrote a message of 98 lines which said: 0) for the love of God, Montresor, just block port 25 outbound already. If there is no escape / exemption (as proposed by William Leibzon), then, as a consumer, I scream OVER MY DEAD BODY!!!. I want to be able to manage an email server when I subscribe to an ISP. In any case, it would no longer be Internet access. See the Internet-Draft draft-klensin-ip-service-terms-04.txt, Terminology for Describing Internet Connectivity.
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
On Wed, Jan 12, 2005 at 10:59:43AM -0500, Steven Champeon [EMAIL PROTECTED] wrote a message of 98 lines which said: 1) any legitimate mail source MUST have valid, functioning, non-generic rDNS indicating that it is a mail server or source. (Most do, many do not. There is NO reason why not.) Since this list is NANOG, it is reasonable that it has a North American bias but remember the Internet is worldwide. I do not know how it is in the USA but there are many parts of the world where ISP do not have a delegation of in-addr.arpa and therefore cannot pass it to their customers. (It is also common to have many levels of ISP, so you need to go through many layers before reaching the RIR.) Requesting rDNS means I don't want to receive email from Africa.
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
On Wed, Jan 12, 2005 at 10:59:43AM -0500, Steven Champeon [EMAIL PROTECTED] wrote a message of 98 lines which said: 4) all domains with invalid whois data MUST be deactivated (not confiscated, just temporarily removed from the root dbs) immediately and their owners contacted. Because there is no data protection on many databases (such as .com registrars who are forced to sell the data if requested), people lie when registering, because it is the only tool they have to protect their privacy. Fix the data protection problem and you'll have a better case to force people to register proper information. 5) whois data MUST be normalized and available in machine-readable form (such as a standard XML schema) RFC 3981
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
On Thu, Jan 13, 2005 at 12:26:47PM +0100, Stephane Bortzmeyer wrote: 4) all domains with invalid whois data MUST be deactivated (not confiscated, just temporarily removed from the root dbs) immediately and their owners contacted. Because there is no data protection on many databases (such as .com registrars who are forced to sell the data if requested), people lie when registering, because it is the only tool they have to protect their privacy. Those people are fooling themselves. Much of the domain registration data is already being offered for sale (by spammers, of course) and no doubt, when it suits their purposes to do so, the same people will find a way to acquire the supposedly private data behind the rest. (How are they getting the data? I don't know. Could be weak registrar security, could be a backroom deal, could be a rogue employee. But there is demand for the data, and plenty of money to pay for it, therefore it *will* be acquired and sold.) The current pretense of privacy is nothing more than a convenient mechanism for registrars to pad their wallets and evade responsible for facilitating abuse. ---Rsk
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
On Thu, 13 Jan 2005 12:21:04 +0100, Stephane Bortzmeyer said: American bias but remember the Internet is worldwide. I do not know how it is in the USA but there are many parts of the world where ISP do not have a delegation of in-addr.arpa and therefore cannot pass it to their customers. (It is also common to have many levels of ISP, so you need to go through many layers before reaching the RIR.) That is indeed a problem that needs to be solved if you want any sort of rDNS-based service to work well. Requesting rDNS means I don't want to receive email from Africa. Having an rDNS entry for a host doesn't mean you know if it is/isn't in Africa, to any higher degree of certainty than when you just had the IP address. I'm not on our campus. But I can see it from out my office window. (The official campus starts across the street from me). I'm about 4 hours drive southwest of Washington DC. professory.cesa.vt.edu is 195.176.186.74, and has a proper PTR entry back. It's a host of ours. It's in Switzerland at our Center for European Studies and Architecture. So what did that rDNS entry tell you about its location that you didn't know from 195.176/16? pgp4lmIbolmK5.pgp Description: PGP signature
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
on Thu, Jan 13, 2005 at 12:21:04PM +0100, Stephane Bortzmeyer wrote: On Wed, Jan 12, 2005 at 10:59:43AM -0500, Steven Champeon [EMAIL PROTECTED] wrote a message of 98 lines which said: 1) any legitimate mail source MUST have valid, functioning, non-generic rDNS indicating that it is a mail server or source. (Most do, many do not. There is NO reason why not.) Since this list is NANOG, it is reasonable that it has a North American bias but remember the Internet is worldwide. I do not know how it is in the USA but there are many parts of the world where ISP do not have a delegation of in-addr.arpa and therefore cannot pass it to their customers. (It is also common to have many levels of ISP, so you need to go through many layers before reaching the RIR.) Seems this needs to be fixed, then. Not my problem. Requesting rDNS means I don't want to receive email from Africa. See above. -- hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.htmljoin us!
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
Requesting rDNS means I don't want to receive email from Africa. Having an rDNS entry for a host doesn't mean you know if it is/isn't in Africa, to any higher degree of certainty than when you just had the IP address. What he was pointing out her is that a majority of African ISPs do not even have the ability to assign rDNS to their address space. This is an unfortunate fact which should get somewhat better as a result of ARIN policies 2002-3 and 2003-15. I don't know to what extent those policies have helped yet, but, at least it is much easier for African ISPs to get direct allocations now. In essence, it is virtually impossible for a small-medium business in Africa to set up a mail server and have rDNS entries created for it because their ISP doesn't control the IN-ADDRs and the imcumbent Telco doesn't want to do anything they don't absolutely have to for the competitive ISPs. Owen -- If it wasn't crypto-signed, it probably didn't come from me. pgpObGpMqS1A4.pgp Description: PGP signature
Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of anonym
On Thu, 13 Jan 2005 11:35:23 PST, Owen DeLong said: Requesting rDNS means I don't want to receive email from Africa. Having an rDNS entry for a host doesn't mean you know if it is/isn't in Africa, to any higher degree of certainty than when you just had the IP address. What he was pointing out her is that a majority of African ISPs do not even have the ability to assign rDNS to their address space. Ahh.. I've had so many people of late say words to the effect of I want rDNS so I can implement blocking geographical that I didn't realize what he meant was Implementing it means an Africa-shaped projectile wound in your foot.. ;) pgpsiKd1CySxQ.pgp Description: PGP signature