Re: [Asrg] What are the IPs that sends mail for a domain?

Douglas Otis <dotis@mail-abuse.org> Fri, 19 June 2009 18:30 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 12E423A6ACB for <asrg@core3.amsl.com>; Fri, 19 Jun 2009 11:30:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.39
X-Spam-Level:
X-Spam-Status: No, score=-6.39 tagged_above=-999 required=5 tests=[AWL=0.209, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N8xbKY4DlEQJ for <asrg@core3.amsl.com>; Fri, 19 Jun 2009 11:30:02 -0700 (PDT)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id 1CE243A6ACA for <asrg@irtf.org>; Fri, 19 Jun 2009 11:30:02 -0700 (PDT)
Received: from [IPv6:::1] (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id 54CD0A94439 for <asrg@irtf.org>; Fri, 19 Jun 2009 18:30:13 +0000 (UTC)
Message-Id: <B5252B96-F0AB-4D4A-A0DA-8314AA8E038F@mail-abuse.org>
From: Douglas Otis <dotis@mail-abuse.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
In-Reply-To: <200906190149.VAA06902@Sparkle.Rodents-Montreal.ORG>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Fri, 19 Jun 2009 11:30:13 -0700
References: <9112777.1871245190785748.JavaMail.franck@iphone-4.genius.local> <Pine.GSO.4.64.0906161906450.27272@nber6.nber.org> <4D8E56D2-CB37-4713-94E5-0F0C2A1B1F94@blighty.com> <2F26F23C-F1B4-4FD4-BAEB-53168072FF5D@mail-abuse.org> <200906180105.VAA21834@Sparkle.Rodents-Montreal.ORG> <C8F0F10E-E1A4-4D25-AF20-31E3F0DB68DF@mail-abuse.org> <200906182044.QAA05200@Sparkle.Rodents-Montreal.ORG> <FED77586-8800-4BA6-99EA-30A1D9C089B6@mail-abuse.org> <200906190149.VAA06902@Sparkle.Rodents-Montreal.ORG>
X-Mailer: Apple Mail (2.935.3)
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2009 18:30:03 -0000

On Jun 18, 2009, at 6:29 PM, der Mouse wrote:

>>> I worked for McGill [...]
>>
>> This control is "out-of-band" from the abused protocol, and not the  
>> result of all recipients of the protocol resolving possible  
>> identities of each of university users.
>
> Both true.  So?

SMTP is heavily abused, and soon IPv6 is about to become a  
necessity.   To remain practical, connectivity must be based upon  
_immediate_ and _stable_ evidence of legitimate email operation, and  
not upon any number of authorization transactions.  Each additional  
transaction to support an authorization scheme will be multiplied by  
the typical number of attempts made by abusive senders.   This means  
providers need to exclude problematic users, and not become a task  
pushed toward recipients.  Such pushing is not practical and often  
leads to unfortunate mistakes.

> Responsibility, in the sense of accountability for (potential)  
> abuse, is a meatspace thing, not amentable to being part of a  
> network protocol, so at least _some_ of this must be done out-of- 
> band with respect to the protocol.

IMHO, 99% of exclusionary practices must be handled out-of-band for  
SMTP.

>> Schemes that pass accountability onto what might be feckless domain  
>> owners are inherently evil.
>
> I disagree, _provided_ accountability is actually passed on.

The fact that a trusting and naive user had their domain authorize a  
provider just to have their email accepted, does not mean other  
messages emitted might not be mistaken as also belonging to that  
user's domain.  Should providers check for SPF or Sender-ID  
compliance?  How many SLA include this requirement?  When the "passing- 
on" is based upon receptions at spam traps, acceptance reliance based  
on "authorization" is likely to downgrade acceptance of the domain,  
especially when A-R headers exclude the IP address of the provider.   
Will providers really care the wrong entity had been blamed?

> What you appear to be thinking of is not accountability but mere  
> identification (albeit moderately strong identification).

Moderately strong?  Without knowing the IP address of the provider, it  
would be extremely foolish to conclude any level of identification  
assurance, especially "moderately strong".

> [...] email address holders on the top few webmail systems are not  
> held accountable by the webmail provider for how they use their  
> accounts.

Exactly.

> Schemes that pass accountability on would be good.

CSV would be a good starting point.

>> Providers MUST be held _directly_ accountable.
>
> Right.  But until this is fixed at the top, I see little hope it  
> will happen in the lower levels, except sporadically.

Fixing this problem is likely to become an imperative.  SPF is worse  
than wrong.  It does not offer a safe form of identification, as  
wrongly advertised, and puts DNS and SMTP at risk.  Those advocating  
acceptance based on just the DKIM domain clearly expect to combine  
valid signature with SPF authorization passing.  This is not how the  
DKIM/SPF combination has been being advertised to work together.   
Email is almost certain to become even more unreliable and more  
expensive to operate. :^(

> (The places that do do it are exceptional, and, in the cases where  
> I'm in a position to know why they do it, they do it not because  
> they are held accountable by whoever assigned the resources to them  
> but because they are ethical enough to feel a compulsion to do  
> what's right even when they're _not_ overtly held accountable.   
> While this mindset is common enough for us to have words for it, it  
> is not nearly common enough to save the net from the disasters that  
> governmental disconnect between authority and responsibility leads  
> to.)

One might hope they'll do the right thing out of self preservation.    
Backing schemes that advantage their size only makes problems worse.

-Doug