Re: [Asrg] What are the IPs that sends mail for a domain?

Alessandro Vesely <vesely@tana.it> Mon, 22 June 2009 13:55 UTC

Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 020FB3A6862 for <asrg@core3.amsl.com>; Mon, 22 Jun 2009 06:55:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.59
X-Spam-Level:
X-Spam-Status: No, score=-0.59 tagged_above=-999 required=5 tests=[AWL=0.129, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g+b15VtcXUuV for <asrg@core3.amsl.com>; Mon, 22 Jun 2009 06:55:54 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id C64213A6882 for <asrg@irtf.org>; Mon, 22 Jun 2009 06:55:53 -0700 (PDT)
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Mon, 22 Jun 2009 15:56:05 +0200 id 00000000005DC02F.000000004A3F8D75.00003BDA
Message-ID: <4A3F8D74.700@tana.it>
Date: Mon, 22 Jun 2009 15:56:04 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <mailman.5.1245610801.29559.asrg@irtf.org> <4A3F76B8.2030409@terabites.com>
In-Reply-To: <4A3F76B8.2030409@terabites.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jun 2009 13:55:55 -0000

Gordon Peterson wrote:
> I believe that ultimately, the best way to deal with spam (okay, we're 
> talking principle here, not necessarily given existing, insufficiently 
> clever mail clients) is to simply deliver the spam to the recipient's 
> system, and let their system decide which mail is wanted, and which is 
> not, and to either simply delete or archive somewhere the mail which the 
> recipient user's rules determine is not wanted.  I do not consider a 
> bounceback message to be necessary or even desirable if a message is 
> found to be spam/virus/phishing ... in part because you cannot reliably 
> determine who the original, legitimate sender is (even if there IS one) 
> to send the bounceback message to.

Except that you cannot reliably determine whether a message is spam. 
Machines do not understand human language. They make spam/ham 
decisions based on indeterministic criteria. Why do we run journaled 
file system on RAID drives when we would want to kill random files for 
the sake of spam abatement?

> [...] I (a) still want to use my own 
> From: address for reply or posting permission purposes, even though (b) 
> I might not have ANY say at all regarding what outgoing mail server(s) 
> are used [...]
> 
> The fact that it's easier, or cheaper, or otherwise "more efficient" to 
> do antispam blocking using some halfassed, braindead scheme which 
> doesn't work reliably or well for (even some admittedly small) 
> legitimate mail transmissions doesn't make that the right solution.

The difference between content filtering and however braindead 
authentication schemes is that the latter ones are deterministic, 
rather than easier, or cheaper, or otherwise "more efficient". 
Deterministic results mean that messages sent correctly are delivered 
independently of their content, uniformly.

IMHO, the correct way to go is to have a (weak) authentication scheme 
that works well enough for most relevant cases, and at the same time 
keep the existing system as a compatibility option for the cases where 
it doesn't work.

If you want to use prehistoric appliances deploying obsolete mail 
transmission methods that have historically proven to be vulnerable to 
spammers, you have to accept that your mail will be handled via 
compatibility options, including unreliable spam filtering. If you 
expect your From: address to be treated specially, be aware that any 
spammer can use it just like you do (and wait until spammers decide to 
relate recipients to the From: addresses that they whitelist.) 
Anything that is capable to deterministically recognize that you are 
really you, is an authentication scheme.

> Another situation is where an accounting system at one of my consulting 
> clients generates and sends electronic invoices, EFT notices, price 
> updates, etc to their customers.  For these cases, it is VERY helpful 
> for their own inhouse outgoing LAN mail server (which maybe doesn't try 
> to handle incoming mail at all) is going to try to send outgoing 
> mails... if for no other reason than to have a local, inhouse log that 
> evidences the delivery of the e-mail not just to a relay somewhere, but 
> actually to (usually) the mail server associated with the destination 
> indicated for the e-mail message.

How come you consider that log line reliable, given that it doesn't 
tell you whether the corresponding message has been "simply deleted or 
archive somewhere"?

> Yet another case is where a traveling salesperson connects via a 
> prospect's WiFi connection during a sales call visit on-site to his 
> customer, and where that host's corporate network policy blocks sending 
> of port 25 messages other than to/through that company's own outgoing 
> SMTP server.

Try port 587.

> I still believe that a far better and more worthwhile direction for spam 
> blocking involves a combination of tools, probably much of it performed 
> at the receiving end, involving a finely grained discrimination tailored 
> to familiar versus unfamiliar (to the recipient) e-mail senders.  This 
> is not unlike the way locks work... they generally provide a series of 
> grooves, chamfers and cuts (to the key BLANK!) which prevent the vast 
> majority of presented keys from even being inserted INTO the lock, 
> before the pins of the lock do the final determination based on how the 
> individual key has been cut.

Except that you want external unknown people to be able to contact you 
by email (otherwise you could just use an unofficial port different 
than 25 and relay mail privately within your closed group.) It would 
be also appreciable if newcomers could open brand new ESP shops and 
run their SMTP servers without having to spend years learning the 
intricacies of finely grained discrimination tools.

As those tools evolve, desperately seeking new ways to find needles in 
the growing haystack of spam, users experience more and more 
malfunctions. If you dig into the actual rules and data that your 
filters base their decisions upon, you may get surprised.