Re: [Asrg] What are the IPs that sends mail for a domain?

Franck Martin <franck@avonsys.com> Sat, 20 June 2009 21:32 UTC

Return-Path: <franck@avonsys.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 752A73A6AB4 for <asrg@core3.amsl.com>; Sat, 20 Jun 2009 14:32:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OmXOmwDi1yWu for <asrg@core3.amsl.com>; Sat, 20 Jun 2009 14:32:51 -0700 (PDT)
Received: from seine.avonsys.com (seine.avonsys.com [202.170.42.206]) by core3.amsl.com (Postfix) with ESMTP id F23963A6B44 for <asrg@irtf.org>; Sat, 20 Jun 2009 14:32:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by seine.avonsys.com (Postfix) with ESMTP id 5626064F8598 for <asrg@irtf.org>; Sun, 21 Jun 2009 09:33:33 +1200 (FJT)
X-Virus-Scanned: amavisd-new at avonsys.com
Received: from seine.avonsys.com ([127.0.0.1]) by localhost (seine.avonsys.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tYwELDjLtmB4 for <asrg@irtf.org>; Sun, 21 Jun 2009 09:33:27 +1200 (FJT)
Received: from seine.avonsys.com (localhost [127.0.0.1]) by seine.avonsys.com (Postfix) with ESMTP id 29B0364F8597 for <asrg@irtf.org>; Sun, 21 Jun 2009 09:33:27 +1200 (FJT)
Date: Sun, 21 Jun 2009 09:33:27 +1200
From: Franck Martin <franck@avonsys.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <15942168.11245533549248.JavaMail.franck@somehost-4.sv2.equinix.net>
In-Reply-To: <4A3D366E.2020304@tana.it>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [64.191.195.4]
X-Mailer: Zimbra 5.0.11_GA_2695.UBUNTU6 (Yahoo! Zimbra Desktop/1.0_1593_Mac)
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Jun 2009 21:32:52 -0000

----- "Alessandro Vesely" <vesely@tana.it> wrote:

> Douglas Otis wrote:
> > SMTP is heavily abused, and soon IPv6 is about to become a necessity.
> > To remain practical, connectivity must be based upon _immediate_ and
> > _stable_ evidence of legitimate email operation, and not upon any number
> > of authorization transactions.  Each additional transaction to support
> > an authorization scheme will be multiplied by the typical number of
> > attempts made by abusive senders.  This means providers need to exclude
> > problematic users, and not become a task pushed toward recipients.  Such
> > pushing is not practical and often leads to unfortunate mistakes.
> 
> What do you mean by "problematic users"? Providers of residential 
> cables, WiMAX, and similar connections could block or redirect port 
> 25, just like most universities and companies do. They used to do it, 
> as long as they provided mailboxes as a bonus and ISP and ESP were 
> synonyms. Submission port 587 is not yet universally employed, and 
> some customers may not accept being unable to reach their favorite 
> server's ports 25 or 465. "Blocking port 25 except for a set of 
> servers used for submission" is not something that can be easily 
> defined and maintained by ISPs, IMHO.
> 

Yes, I'm not sure that blocking port 25 will ever be possible. I think fewer and fewer people want their mailbox tied to an ISP; this is why they get a mailbox on Yahoo, Google, etc. So these services usually require you to connect via port 25 and authenticate, but that means the ISP has to leave port 25 open. Blocking port 25 and leaving port smtps/465 open to allow users to still submit email is better, but it is just a temporary measure until botnets use smtps to submit.

The only thing I see in this system is to identify the IPs of mail servers via an out-of-band process, like a record in the DNS. To avoid DDNS (the ability of a compromised machine to push a record into the DNS), it should be in the reverse DNS or in a subdomain.

Now a receiving MTA would be able to use this filter: either the sending MTA authenticates (MUA) or the sending MTA is recorded as an MTA in the DNS. Now this cannot be enabled overnight, but a SpamAssassin filter could give a negative score if the sending MTA is DNS-recorded.
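The receiving-side check sketched in this message, as an added example that is not part of the original post or the ASRG thread. The record layout is an assumption made for the example: the connecting IP's PTR name must be forward-confirmed (PTR -> name -> A/AAAA must come back to the same IP, so a compromised host cannot claim a name it does not control), and the operator publishes a TXT record `v=mta1` at the hypothetical label `_mta.<ptr-name>`. Lookups go through a pluggable resolver so the code runs offline against the constructed zone data below; the `-1.0` score adjustment is likewise an assumed value, not a SpamAssassin rule.

```python
"""Decide whether a connecting IP is 'recorded as an MTA in the DNS'.

Added example with an assumed record layout (_mta.<ptr-name> TXT "v=mta1");
not the scheme of any deployed protocol.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip (in-addr.arpa or ip6.arpa), with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed zone data standing in for live DNS (documentation addresses only).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    (reverse_name("192.0.2.10"), "PTR"): ["mx.example.org."],
    ("mx.example.org.", "A"): ["192.0.2.10"],
    ("_mta.mx.example.org.", "TXT"): ["v=mta1"],            # operator says: this is an MTA
    (reverse_name("192.0.2.11"), "PTR"): ["mail.example.org."],
    ("mail.example.org.", "A"): ["192.0.2.11"],             # FCrDNS ok, but no _mta record
    (reverse_name("198.51.100.7"), "PTR"): ["host-4.example.net."],
    ("host-4.example.net.", "A"): ["203.0.113.9"],          # PTR is not forward-confirmed
    (reverse_name("2001:db8::25"), "PTR"): ["mx6.example.org."],
    ("mx6.example.org.", "AAAA"): ["2001:db8::25"],
    ("_mta.mx6.example.org.", "TXT"): ["v=mta1"],
    # 203.0.113.50 has no PTR at all
}

Resolver = Callable[[str, str], List[str]]


def fake_resolve(name: str, rtype: str) -> List[str]:
    """Offline resolver over the constructed zone; swap in a real one in production."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def mta_status(ip: str, resolve: Resolver = fake_resolve) -> str:
    """Return one of: recorded, fcrdns-only, ptr-mismatch, no-ptr."""
    addr = ipaddress.ip_address(ip)
    fwd_type = "AAAA" if addr.version == 6 else "A"
    ptr_names = resolve(reverse_name(ip), "PTR")
    if not ptr_names:
        return "no-ptr"
    for name in ptr_names:
        # Forward-confirm: the PTR target must resolve back to the connecting IP.
        forward = [ipaddress.ip_address(a) for a in resolve(name, fwd_type)]
        if addr not in forward:
            continue
        # The marker lives under a dedicated label of the confirmed name, which
        # only the zone operator can publish (hypothetical label and token).
        txt = resolve("_mta." + name, "TXT")
        if any(t.strip() == "v=mta1" for t in txt):
            return "recorded"
        return "fcrdns-only"
    return "ptr-mismatch"


# Assumed score deltas: only a positively recorded MTA earns a negative (good) score;
# the failure modes are left neutral rather than penalised.
SCORE_ADJUSTMENT = {"recorded": -1.0, "fcrdns-only": 0.0, "ptr-mismatch": 0.0, "no-ptr": 0.0}


def score_adjustment(ip: str, resolve: Resolver = fake_resolve) -> float:
    """Score delta a filter would add for the connecting IP."""
    return SCORE_ADJUSTMENT[mta_status(ip, resolve)]


if __name__ == "__main__":
    for sample in ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.50", "2001:db8::25"]:
        print(f"{sample:>16}  {mta_status(sample):<12}  {score_adjustment(sample):+.1f}")
```

The status split matters for tuning: `fcrdns-only` hosts are ordinary forward-confirmed machines that have not opted in, so they should not be penalised while the scheme is rolling out, whereas `recorded` is the only state the zone operator had to act on deliberately.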