Re: [Asrg] What are the IPs that sends mail for a domain?

der Mouse <mouse@Rodents-Montreal.ORG> Fri, 19 June 2009 01:49 UTC

Return-Path: <mouse@Sparkle.Rodents-Montreal.ORG>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9FF3C3A67E6 for <>; Thu, 18 Jun 2009 18:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.819
X-Spam-Status: No, score=-9.819 tagged_above=-999 required=5 tests=[AWL=0.170, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3sWpWd7g49ad for <>; Thu, 18 Jun 2009 18:49:51 -0700 (PDT)
Received: from Sparkle.Rodents-Montreal.ORG (Sparkle.Rodents-Montreal.ORG []) by (Postfix) with ESMTP id 6FD2B3A67D7 for <>; Thu, 18 Jun 2009 18:49:51 -0700 (PDT)
Received: (from mouse@localhost) by Sparkle.Rodents-Montreal.ORG (8.8.8/8.8.8) id VAA06902; Thu, 18 Jun 2009 21:49:43 -0400 (EDT)
From: der Mouse <mouse@Rodents-Montreal.ORG>
Message-Id: <200906190149.VAA06902@Sparkle.Rodents-Montreal.ORG>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Erik-Conspiracy: There is no Conspiracy - and if there were I wouldn't be part of it anyway.
X-Message-Flag: Microsoft: the company who gave us the botnet zombies.
Date: Thu, 18 Jun 2009 21:29:09 -0400 (EDT)
To: Anti-Spam Research Group - IRTF <>
In-Reply-To: <>
References: <9112777.1871245190785748.JavaMail.franck@iphone-4.genius.local> <> <> <> <200906180105.VAA21834@Sparkle.Rodents-Montreal.ORG> <> <200906182044.QAA05200@Sparkle.Rodents-Montreal.ORG> <>
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Jun 2009 01:49:52 -0000

>>>> (Actually, it has been tried in a limited way; there are pieces of
>>>> the net that _do_ push responsibility to the end user.  Oddly
>>>> enough, they are basically nonexistent as far as abuse emitters
>>>> go; what evidence I see indicates that it _does_ work.)
>>> Can you provide some specifics?
>> I worked for McGill [...]
> This control is "out-of-band" from the abused protocol, and not the
> result of all recipients of the protocol resolving possible
> identities of each of university users.

Both true.  So?

Responsibility, in the sense of accountability for (potential) abuse,
is a meatspace thing, not amentable to being part of a network
protocol, so at least _some_ of this must be done out-of-band with
respect to the protocol.

> Schemes that pass accountability onto what might be feckless domain
> owners are inherently evil.

I disagree, _provided_ accountability is actually passed on.  What you
appear to be thinking of is not accountability but mere identification
(albeit moderately strong identification).  That there is no real
accountability is the major fundamental problem I see with today's
Internet: domain holders are not accountable to their registrar or, in
most cases, TLD admins for what they do with their domains; address
space assignees are not accountable to their RIRs for what they do with
their address space (except for the most trivial adminstrative aspects,
such as how thorougly they're using the space assigned, and even that
not very much); email address holders on the top few webmail systems
are not held accountable by the webmail provider for how they use their

Schemes that pass accountability on would be good.  So far, I haven't
seen any; the most I've seen is schemes that provide strong enough
authentication to make it possible to construct systems that pass
accountability on.  Nobody ever seems to take the additional step of
actually doing so.  (Well, except on a trivial scale, such as my
personal blocking of Yahoo, imposing a penalty for - ie, holding them
to account for - the abuses they don't rein in.)

> Providers MUST be held _directly_ accountable.

Right.  But until this is fixed at the top, I see little hope it will
happen in the lower levels, except sporadically.  (The places that do
do it are exceptional, and, in the cases where I'm in a position to
know why they do it, they do it not because they are held accountable
by whoever assigned the resources to them but because they are ethical
enough to feel a compulsion to do what's right even when they're _not_
overtly held accountable.  While this mindset is common enough for us
to have words for it, it is not nearly common enough to save the net
from the disasters that governmental disconnect between authority and
responsibility leads to.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B