RE: [Asrg] 2. Improving Blacklists and Reputation Services
> -----Original Message-----
> From: asrg-admin@ietf.org [mailto:asrg-admin@ietf.org] On Behalf Of Daniel
> Feenberg
> Sent: Thursday, February 12, 2004 7:50 AM
> To: Jose Marcio Martins da Cruz
> Cc: Eugene Crosser; Yakov Shafranovich; ASRG
> Subject: Re: [Asrg] 2. Improving Blacklists and Reputation Services
>
>
>
> On Thu, 12 Feb 2004, Jose Marcio Martins da Cruz wrote:
>
> > Eugene Crosser wrote:
> > > On Wed, 2004-02-11 at 20:02, Jose Marcio Martins da Cruz wrote:
> > >
> > >
> > >>This may indicate that much spam is sent by a distributed system of
> > >>workers, and not by open relays.
> > >>
> > >>If this is the case, and if this kind of way continues - the tendency
> > >>will be to have more and more IP addresses to be inserted on
> > >>blacklists.
> > >
> ...
>
> >
> > But if we agree that the great majority of spam comes from zombies, why
> > should we continue to use blacklists?
> >
> > We use blacklists and we have one DNS server serving rbl requests.
> > The named process on this machine eats almost 900 MBytes of memory. Sure,
> > memory is cheap, disk is cheap, bandwidth is cheap - but there's a
> > limit if blacklists are less efficient than other methods.
> >
> > Or maybe I'm wrong.
> >
>
>
> Can you explicate further? I would have thought that zombies were
> an ideal target for an RBL. They produce only spam, so there is no
> problem of blocking legitimate mail and their owners do not complain
> about the listing.
[denny]
AFAIK blacklists work on blocking "subnets" worth of IPs, so one zombie can
wind up blocking an entire domain, or if, say, you are in a web-hosting farm,
possibly a group of domains. I think this has been done for two reasons:
1) much simpler and more economical to maintain such a list.
2) more incentive for a "legit" ISP / WebHost provider to "clean house".
>
> Of course if the IP address is dynamically assigned, there is the remote
> possibility that the next user will have legitimate mail, but this writer
> at least believes they should forward that to an MTA with a static
> address. It would be helpful in defusing some of this controversy
[denny]
I think you are mostly right, about the sending MTA I think in the end that
the entity that has the address block and ASN number related to it has to be
in a position of some responsibility for what traffic they allow across
their network. While this topic can get very nasty and ugly (e.g. p2p
fileshare), in the area of email I personally feel it's very clear that
allowing random IPs to act as servers of email services is a problem.
How to fix it is coming into focus as we all work on the problem.
As for "Of course if the IP address is dynamically assigned, there is the
remote possibility that the next user will have legitimate mail"
Well, that's a very dynamic problem, rather like computing odds on a winning
lotto # which will vary over time based on ticket purchases and other
factors. :-)
> if sendmail had a "dynamic IP" option which caused it to use the smarthost
> if and only if the direct route was blocked. It is quite possible that
> many of these users wouldn't notice the difference, and only care because
> it bit them unexpectedly.
>
> As to memory usage of BIND, by the time every possible IP address needs to
> be in the RBL, memory will be cheap enough to make this possible.
>
>
>
> _______________________________________________
> Asrg mailing list
> Asrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/asrg