Re: [Asrg] RFC 6471 and "listing the Internet" as a punishment
Steve Atkins <steve@blighty.com> Tue, 24 January 2012 19:14 UTC
On Jan 24, 2012, at 10:59 AM, David Romerstein wrote:

> On 1/24/12 1:50 PM, John R. Levine wrote:
>>> Listing the world for folks overloading your system is unlikely to have
>>> the effect that you want, and is most likely going to impact folks who
>>> have no say in the configuration of the receiving mail server.
>>
>> You may be right, but I have to have some sympathy for BL operators who
>> are getting bombed by clueless misconfigurations.
>
> I do not, in any way, disagree with this.
>
> I'm just wondering if there's a middle ground that can stop BL operators from being abused by (willfully or unwillfully) clueless folks without severely impacting innocent users. Something more than "just sit back and take all those stupid queries" and less than "return a response code that could indicate a listing for every one of those stupid queries".

The innocent users are the people who are abusing the blacklist and those who send email to them. And most of them are using blacklist data for scoring, not for blocking. Listing the world doesn't usually affect them much at all.

There really isn't much of a middle ground. If you have non-broken software querying the blacklist then there aren't any problems - it'll shut down gracefully when the blacklist goes away. But if the software querying the blacklist doesn't do that (and almost everything deployed is broken in that way) then you really only have three options as a blacklist operator:

1. List nothing
2. List everything
3. List things at random

(1) leads to no change, you get to keep fielding bogus DNS requests until the end of time.

(2) causes immediate change at abusers who are using the blacklist to block email, and maximises the chance of someone using the data as part of a scoring based system noticing

(3) is worse than either, as it will potentially cause some mail to be lost but is much less likely to cause people to stop using the list

This isn't a trivial problem, nor a trivial amount of traffic. In the past, I've had service overages of >$2000/mo due to massive DNSBL traffic to cbl.abuseat.com (which isn't a DNSBL, so returns "not listed" for every query). I'm currently eating quite amazing amounts of misconfigured CBL lookup traffic (hundreds of different ways to misspell cbl.abuseat.org) - and configuring my zones to list everything still doesn't stop the traffic. I've played with long TTL delegations to non-routable addresses and suchlike, and it doesn't have much effect either.

At some point I'll probably start running a "stunt" server rather than powerdns for that zone, and be more creative with how I handle the abusive queries.

Cheers,
Steve
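
The "non-broken software" behaviour described in the message above, as an added example (not code from the original post or from any DNSBL operator): a client that probes each zone with the RFC 5782 test entries (127.0.0.2 must be listed, 127.0.0.1 must not) and stops querying zones that have gone away or are listing everything. The zone names, `fake_resolve` and its records are constructed for illustration.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def system_resolve(name):
    """A records for name; [] on NXDOMAIN or any other lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def zone_health(zone, resolve=system_resolve):
    """Classify a zone using the RFC 5782 test entries."""
    if resolve(dnsbl_name("127.0.0.1", zone)):      # must never be listed
        return "lists-everything"
    if not resolve(dnsbl_name("127.0.0.2", zone)):  # must always be listed
        return "dead"
    return "healthy"

class DnsblClient:
    def __init__(self, zones, resolve=system_resolve):
        self.zones, self.resolve, self.active = list(zones), resolve, []
        self.refresh()

    def refresh(self):
        """Run at startup and on a timer; unhealthy zones get no mail-time queries."""
        self.active = [z for z in self.zones if zone_health(z, self.resolve) == "healthy"]

    def hits(self, ip):
        """Zones that list ip, consulting only zones that passed the health check."""
        return [z for z in self.active if self.resolve(dnsbl_name(ip, z))]

# Constructed stand-in for DNS covering three hypothetical zones.
def fake_resolve(name):
    if name.endswith(".good.example"):
        records = {"2.0.0.127.good.example": ["127.0.0.2"],
                   "7.113.0.203.good.example": ["127.0.0.4"]}
        return records.get(name, [])
    if name.endswith(".shutdown.example"):
        return ["127.0.0.2"]    # wildcard answer: every address looks listed
    return []                   # gone.example: nothing resolves
```

A misspelled zone that answers "not listed" for every query is classified as "dead" here, because the 127.0.0.2 probe gets no answer, so the client stops sending it traffic.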