Re: [Asrg] Quarantines and block lists
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
gep2 at terabites.com wrote:
> [comment #1]
>
>> Subject: Re: [Asrg] Quarantines and block lists
>
>> Lost Email is any email that is sent but not presented to the user
>> and does not generate a DSN to the sender.
>
> The problem is, in the case of spam as in the case of viruses or worms,
> determining WHO the TRUE sender actually is. It is safe to presume that
> it often is NOT the person listed in the From: header.
>
> Therefore, I think we should note under "good practices" that it is NOT
> "good practice" to return ANY indication (after the original SMTP-time,
> and thus it's pretty much limited anyhow to just going back 'one' level)
> regarding mail blocked either as spam, or mail blocked because it
> contains worms or viruses. In both cases, I believe we MUST presume
> that the true sender will not be accurately determinable. To send ANY
> kind of a bounce message back is likely to create more harm than good,
> probably just haranguing another innocent third party.
If you're doing your spam filtering at the front end, and ALWAYS do
filter hits as inline rejections, then this isn't an issue.
[Yes, there is a small amount of spam going thru "real" MTAs that
produce blowback in such a case. But this is so rare these days as not
to be a concern. We're averaging less than a complaint a year about
misdirected NDRs (at 1.6M rejected per day).]
But obviously, you can't do that in the UA.
Therefore, with UA-level filtering, you _cannot_ provide valid feedback
to legitimate senders unless you tolerate unacceptable levels of
collateral damage.
As sender feedback is critical as a counter-FP measure in most
environments, you're completely screwed if you insist on UA-level
filtering. Sender feedback is fundamentally incompatible with UA-level
filtering.
> The point is that NON-spamtrap addresses get mail through Yahoogroups,
> and where you can't tell much or anything about where the E-mail
> actually originated. So do you block Yahoogroups servers by IP address?
No, why would you have to? But you can, if you wish, use
X-Originating-IP (or analogous headers).
> And if you don't do anything about Yahoogroups-forwarded spam, then
> you're leaving a gaping hole through which a large quantity of spam can
> be sent.
Using DNSBLs doesn't require you to "don't do anything about
Yahoogroups-forwarded" spam.
> Again, IP-based detection blocking is nowhere close to viable for such
> cases.
So what?
> I know that a lot of folks here seem to have a strong emotional
> commitment to the basic concept of IP-based blocking, but as unpleasant
> as it is to accept, that is simply NOT a very good approach.
It's an excellent approach when used correctly. Using it _alone_ and
expecting it to work acceptably in _all_ circumstances is not using it
correctly.
As is any other filtering technique.
I have a strong commitment to _effective_ and reliable filtering.
DNSBLs provide part of that answer. Other methods plug the
holes, complement DNSBLs, and deal with things that the DNSBLs can't (or
haven't yet) caught.
10 years ago we started with content filters only, and could only do
extremely limited amounts of IP-based blocking. As of 2001, that had
simply become totally inadequate. These days it's about 90% DNSBL, and
10% content.
> That's one reason why it's SO critical to put the kibosh on viruses and
> worms that recruit the spambot armies... that makes it harder to proxy
> the spam transmissions and diversify the origin points. Slamming the
> door on HTML and attachments from unknown senders puts a MAJOR brake on
> that, literally overnight, and in a way that is very difficult to
> circumvent in any widespread way.
a) it really doesn't put the brakes on. Think bare text with the
appropriate human engineering and links.
b) slamming the doors on html and attachments from even unknown senders
has a vastly higher FP rate than anything else with "normal" ISP flows.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQCVAwUBRb58ip3FmCyJjHfhAQKQagQAqFX3ltddAapiJSqGzUzWB7E2I+MUEAfa
vyANp7DeYr03B4Riff6SacbUJlOcPts2KtMcVdqXrkVFuMR1IjvE7ZLHZAauhJki
FhSlg5BHYHme1fr57KOQDVTw6L4dcGz9R1+PFNc3tKDPz2bnHxLzCClxUhaDrQFp
aZKWp9TmcAU=
=2q0x
-----END PGP SIGNATURE-----
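The reply above makes two points that are easy to show in code: a DNSBL hit handled as an inline SMTP-time 5xx rejection never produces misdirected NDRs (the connecting MTA, not the receiver, owes any DSN to its own sender), and mail relayed through a list or webmail server can still be checked against a DNSBL via the X-Originating-IP header. The following is an added example, not code from the poster or from the ASRG list; the DNSBL zone name `bl.example.invalid`, the listing table, and the header samples are all constructed so the block runs offline, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed stand-in for a real DNSBL zone: a dict plays the DNS resolver so
# the example runs offline. A real deployment would issue an A-record query
# against a zone of its choosing instead of consulting this table.
DNSBL_ZONE = "bl.example.invalid"
CONSTRUCTED_LISTINGS = {
    "4.3.2.1.bl.example.invalid": "127.0.0.2",    # 1.2.3.4 is "listed"
    "20.0.0.10.bl.example.invalid": "127.0.0.2",  # 10.0.0.20 is "listed"
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet name a DNSBL lookup resolves (IPv4 only here)."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, resolver=CONSTRUCTED_LISTINGS.get) -> bool:
    """True when the zone answers with an A record; the resolver is injected."""
    return resolver(dnsbl_query_name(ip)) is not None


# Some webmail and list services record the submitting client's address in
# X-Originating-IP, with or without square brackets.
_ORIG_IP_RE = re.compile(
    r"^X-Originating-IP:\s*\[?\s*([0-9.]+)\s*\]?\s*$", re.I | re.M
)


def originating_ip(headers: str):
    """Return the X-Originating-IP value if the message carries one, else None."""
    m = _ORIG_IP_RE.search(headers)
    return m.group(1) if m else None


def smtp_time_decision(connecting_ip: str, headers: str) -> tuple:
    """
    Decide while the SMTP session is still open.

    A 5xx reply here is the whole point: the connecting MTA is then responsible
    for telling *its* sender, and this receiver never emits a bounce toward a
    possibly forged From: or envelope sender. Once a message has been accepted
    (e.g. UA-level filtering), the only safe outcomes are quarantine or
    discard; generating a DSN after acceptance is what creates blowback.
    """
    if is_listed(connecting_ip):
        return ("reject", f"550 5.7.1 Client {connecting_ip} listed in {DNSBL_ZONE}")
    # Relayed by a list or webmail server? Check the recorded origin as well,
    # so the relay itself need not be blocked by IP.
    orig = originating_ip(headers)
    if orig and is_listed(orig):
        return ("reject", f"550 5.7.1 Originating host {orig} listed in {DNSBL_ZONE}")
    return ("accept", "250 2.0.0 Ok")


if __name__ == "__main__":
    # Constructed sample: a clean relay forwarding mail from a listed origin.
    sample_headers = "From: someone@list.example\nX-Originating-IP: [10.0.0.20]\n"
    print(smtp_time_decision("192.0.2.1", sample_headers))
    print(smtp_time_decision("1.2.3.4", ""))
    print(smtp_time_decision("192.0.2.1", "Subject: hello\n"))
```

The resolver is injected so the listing source can be swapped for a real DNS query without touching the decision logic, and both rejection paths return a 5xx string at SMTP time rather than accepting the message and bouncing it later, which is the distinction the reply draws between front-end and UA-level filtering.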
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg