Re: [Asrg] About that e-postage draft [POSTAGE]
Rich Kulawiec <rsk at gsp.org> wrote:
> On Fri, Feb 13, 2009 at 09:21:21AM -0500, John Leslie wrote:
>
>> Remember, presentation of a bad token is a much clearer indication
>> of evil intent: a few dozen should suffice for blocklisting. It's
>> quite practical to blocklist 100 million IPs, at which point the
>> problem will start to disappear. Computers blocklisted this way will
>> pretty much be forced into going through a relay MTA with which they
>> have a contractual relationship -- which removes the problem from
>> the "botted-MTA" territory.
>
> Blacklisting those 100 million IPs -- which most sensible folks did
> years ago, either by subdomain, regexp, IP, DNSBL or some mechanism --
> has not forced them to go through relay MTAs.
Nonetheless, we receive a significant amount of spam through some
ISP's mailservers...
I think you're glossing over the difference between something
merely "unsolicited" vs. something _fraudulent_.
> The only thing that will force them to go through relay MTAs are
> router/firewall rulesets on the networks within which they reside.
Granted, reaching no recipients doesn't technically "force" them
to do anything -- that's why I said "pretty much be forced".
> However, suppose -- against all experience -- that actually happens.
> (And that'd be a good thing, so I'm not arguing against; it's just
> that if it were going to happen, I think it would have happened within
> a few months of the rise of the zombies.)
Blacklists are pretty blunt weapons. We field many complaints when
a blacklist blocks email the sender considers legitimate. The balance
between a "small inconvenience" and a total failure to pass "essential"
information keeps today's blacklists on the timid side.
If OTOH, we can point to a plainly _fraudulent_ act, the balance
becomes easier. And if we can point to a currency value, perhaps
including "treble damages", to resolve the problem, reasonable folks
would have to agree that trusting "postage" from someone who already
defrauded you is too much to ask.
> In that case, every relay MTA you see will present "a few dozen"
> bogus tokens very shortly thereafter, because some/most/all of those
> 100 million IPs will now be sending through them.
The relay MTAs are responsible for their own postage tokens. There
is no reason for them to "trust" tokens from their users.
> Do you plan to blacklist all those relay MTAs?
If they ship fraudulent tokens, yes.
> If so, then you could just do that now and skip the exercise.
No I can't, because there is nothing fraudulent about what they've
done.
> If not, then you're going to have to still do it the hard way.
Understand, we'll have to accept email without postage from some
ISPs and enterprises that don't implement the POSTAGE extension.
That's not a fault of the POSTAGE extension. Only if they implement
it and send fraudulent tokens can we take a strong blacklisting
position.
--
John Leslie <john at jlc.net>