Charles:  Thanks, I clearly need to lay out the implementation sequence.

1) People who are sufficiently entertained by the subject create MTX
   records for our servers, and collect blacklists of domains which
   create MTX records for spamming IPs.

2) New SA capability is implemented:
   A) Blacklisting by the domain of the PTR record of the sending IP (MTX_BL).
   B) Verifying IPs against MTX records (MTX_PASS / MTX_FAIL).

3) Conservative people use these new tests to reduce false positives:
   score MTX_BL 1
   score MTX_PASS -1    # Only hit if MTX_BL wasn't.
   score MTX_FAIL 0.001 

   People with less need to be conservative, perhaps with SA configured
   to report false positives to non-forged senders, use more aggressive
   scores:
   score MTX_BL 2
   score MTX_PASS -2
   score MTX_FAIL 1

4) In order to reduce false positives, more people create MTX records.

5) Due to 4, MTX_FAIL scores can safely be increased slightly without
   increasing false positives.

6) Go to 4.


One day, due to steps 4-6, enough people have created MTX records that all
email without one can reasonably be rejected by the MTA.


Are you willing to, right now, create a <IP (reversed)>.mtx.<hostname> DNS
record for all your transmitting mail servers?  If not, why not?

Any thoughts on the format of that record yet?


On 02/09, Charles Gregory wrote:
> LOL.... Good luck with that. The first time that an important e-mail  
> correspondent (money!) is blocked by such a 'default' setting, the
> sysadmins will be rushing to cripple this default action. You will never  
> succeed in introducing ANY spam filtering system that blocks mail based  
> upon an 'undecided' or 'neutral' status.

This is a good point.  This is also why I suggested starting out with a
low score, for most people.  

Of course I'll use something around 4 to 4.5.

>> I disagree.  I can implement it now (in fact I expect to...
>
> For your own use, sure. But that's just like SPF. A bunch of people will  
> use it, and a bunch, including ones that you still *really* want to  
> communicate with, will NOT. Have you figured out how you are going to 
> sell 'hotmail' and 'gmail' on your idea? Or are you just going to block 
> all mail from them? Your choice. But if you have multiple users, well, 
> you had better choose conservatively..... (grin)

Did my implementation sequence above sufficiently cover this?  

Even with a MTX_FAIL score of 4.5, it still won't block the vast majority
of email I get from gmail.  And I certainly wouldn't switch to blocking all
email without an MTX record without gmail adopting them.  And I do think
there is a decent possibility of gmail eventually adopting MTX records due
to the sequence I described.

> And every hotmail user will be writing to you complaining they have 
> no way to talk hotmail into adopting your system, and begging you

The vast majority of legit mail will still get through even with my high
MTX_FAIL score.  And if the complaints get annoying, I'll lower it.  And
really, everybody that's currently getting a score of 0.5+ from SA,
I'm happy to never hear from again.

And even if nobody gives MTX_FAIL a positive score, I still expect MTX
records to be adopted to reduce false positives, making it reasonable to
gradually use slightly higher MTX_FAIL scores.

>> I think you missed something important.  Creating the records I suggest 
>> can create no false positives.  That point is critical to this idea.
>
> The FP's would occur on the systems *looking* for those records, and  
> scoring positively in SA for simply not finding them. Your argument, and  
> all of mine here, are not about the simplistic task of creating a DNS  
> record, but about the battle to have the scoring/testing protocol  
> implemented to make those records 'useful'.

No, actually, I was arguing for the simplicity of creating the DNS records.
I realize it'll be a while before major email providers start giving
MTX_FAIL significant positive values.  The records are immediately useful
for whitelisting to reduce false positives.

-- 
"We will be dead soon. Is this how we want to live?"
http://www.ChaosReigns.com
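The lookup and the three rule hits described in the implementation sequence above can be modelled in a few lines. What follows is an added example, not code from the list author or from SpamAssassin: a small Python model of the MTX check with a constructed in-memory stand-in for DNS. It assumes that an MTX record counts as present when any record exists at <IP (reversed)>.mtx.<PTR hostname> (the thread has not settled on the record's format), that "the domain of the PTR record" means the PTR hostname or any of its parent domains, that only IPv4 senders are checked, and that the PTR names, record names and blacklist entry are invented sample data. The scores are the two sets given in step 3, including the rule that MTX_PASS only fires when MTX_BL did not.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed stand-in for DNS. None of these names or addresses are real;
# they model PTR records for four sending IPs.
PTR_RECORDS: Dict[str, Optional[str]] = {
    "192.0.2.10": "mail.example.net",   # has an MTX record, domain not blacklisted
    "192.0.2.20": "mx.spammer.test",    # has an MTX record, but its domain is blacklisted
    "192.0.2.30": "smtp.example.org",   # no MTX record
    "198.51.100.5": None,               # no PTR record at all
}

# Assumption: an MTX record counts as present if any record exists at the
# expected name; the thread had not yet settled on the record's format.
MTX_RECORDS: Dict[str, List[str]] = {
    "10.2.0.192.mtx.mail.example.net": ["127.0.0.1"],
    "20.2.0.192.mtx.mx.spammer.test": ["127.0.0.1"],
}

# Constructed blacklist: domains known to publish MTX records for spamming IPs.
MTX_BLACKLIST: Set[str] = {"spammer.test"}

# Score sets taken from step 3 of the proposal.
CONSERVATIVE_SCORES = {"MTX_BL": 1.0, "MTX_PASS": -1.0, "MTX_FAIL": 0.001}
AGGRESSIVE_SCORES = {"MTX_BL": 2.0, "MTX_PASS": -2.0, "MTX_FAIL": 1.0}


def mtx_name(ip: str, hostname: str) -> str:
    """Build <IP (reversed)>.mtx.<hostname> for an IPv4 sending address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.mtx.{hostname.rstrip('.')}"


def domain_blacklisted(hostname: str, blacklist: Set[str]) -> bool:
    """Assumption: the PTR hostname itself or any parent domain may be listed."""
    labels = hostname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def mtx_rules(ip: str,
              ptr: Dict[str, Optional[str]] = PTR_RECORDS,
              mtx: Dict[str, List[str]] = MTX_RECORDS,
              blacklist: Set[str] = MTX_BLACKLIST) -> List[str]:
    """Return the MTX rule names that fire for a sending IP.

    MTX_BL:   the PTR domain is on the blacklist.
    MTX_PASS: an MTX record exists for the IP, and MTX_BL did not fire.
    MTX_FAIL: no PTR record, or no MTX record at the expected name.
    """
    hostname = ptr.get(ip)
    if not hostname:
        return ["MTX_FAIL"]
    hits: List[str] = []
    if domain_blacklisted(hostname, blacklist):
        hits.append("MTX_BL")
    if mtx_name(ip, hostname) in mtx:
        if "MTX_BL" not in hits:
            hits.append("MTX_PASS")
    else:
        hits.append("MTX_FAIL")
    return hits


def mtx_score(hits: List[str], scores: Dict[str, float]) -> float:
    """Sum the scores of the rules that fired."""
    return sum(scores[h] for h in hits)


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        hits = mtx_rules(ip)
        print(f"{ip:14} {PTR_RECORDS[ip] or '(no PTR)':18} {hits} "
              f"conservative={mtx_score(hits, CONSERVATIVE_SCORES):+.3f} "
              f"aggressive={mtx_score(hits, AGGRESSIVE_SCORES):+.1f}")
```

Run as a script it prints one line per sample IP with the rules that fired and the total under each score set. The PTR, MTX and blacklist tables are passed in as parameters so that a real implementation can substitute live DNS lookups (a PTR query followed by a query at the constructed name) without changing the rule logic; with the conservative scores the no-record case adds only 0.001, which is the "can create no false positives" property the message argues for.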
