Re: [Asrg] What are the IPs that sends mail for a domain?

Douglas Otis <dotis@mail-abuse.org> Wed, 01 July 2009 21:43 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DEB813A68FA for <asrg@core3.amsl.com>; Wed, 1 Jul 2009 14:43:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.944
X-Spam-Level:
X-Spam-Status: No, score=-5.944 tagged_above=-999 required=5 tests=[AWL=-0.260, BAYES_00=-2.599, J_CHICKENPOX_16=0.6, RCVD_IN_DNSWL_MED=-4, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u9FN09hL3i6l for <asrg@core3.amsl.com>; Wed, 1 Jul 2009 14:43:19 -0700 (PDT)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id 1FB193A6B14 for <asrg@irtf.org>; Wed, 1 Jul 2009 14:43:19 -0700 (PDT)
Received: from [IPv6:::1] (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id A212AA9443A for <asrg@irtf.org>; Wed, 1 Jul 2009 21:43:40 +0000 (UTC)
Message-Id: <CA9E386E-44BA-4E3B-8A91-A99B07393BA0@mail-abuse.org>
From: Douglas Otis <dotis@mail-abuse.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
In-Reply-To: <4A4B709C.2000109@tana.it>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Wed, 1 Jul 2009 14:43:40 -0700
References: <200906180105.VAA21834@Sparkle.Rodents-Montreal.ORG> <C8F0F10E-E1A4-4D25-AF20-31E3F0DB68DF@mail-abuse.org> <200906182044.QAA05200@Sparkle.Rodents-Montreal.ORG> <FED77586-8800-4BA6-99EA-30A1D9C089B6@mail-abuse.org> <200906190149.VAA06902@Sparkle.Rodents-Montreal.ORG> <B5252B96-F0AB-4D4A-A0DA-8314AA8E038F@mail-abuse.org> <4A3D366E.2020304@tana.it> <934f64a20906201606pff54ca3y904da141013f1d2a@mail.gmail.com> <4A490CC5.8020601@billmail.scconsult.com> <4A49C1DD.8020205@tana.it> <20090630200150.GL57980@verdi> <4A4B709C.2000109@tana.it>
X-Mailer: Apple Mail (2.935.3)
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2009 21:43:19 -0000

On Jul 1, 2009, at 7:20 AM, Alessandro Vesely wrote:

> John Leslie wrote:
>> The CSV paradigm is that the operator of a MTA should exercise some  
>> responsibility for what it sends. The HELO string identifies the  
>> MTA (though not necessarily one string exclusively by one MTA), and  
>> the DNS management for that domain-name string states whether that  
>> domain exercises responsibility (and by automatic return of  
>> A)ddress RRs on SRV queries, what IP address(es) that MTA uses).
>
> The link from the MTA to its operator is still missing.

Disagree.  Based on our results, when only a few domains publish the IP  
addresses of an Outbound MTA, it is rather safe to assume the domains  
represented by verified EHLO information resolve who is administering  
the MTA.  When there are many domains, this appears to represent  
either MTAs operating behind a NAT, or compromised systems; sometimes  
both.  It appears to be rare for legitimate Outbound MTAs to change  
domain affiliations.  From a reputation standpoint, verified EHLO  
information offers stable identifiers with which to effectively and  
efficiently manage email abuse.  This method should scale since it  
establishes a management hierarchy.

> To this end, I'd prefer the use of a domain name. One reason is that  
> large ESP have many MTAs that can be used interchangeably. In  
> addition, the person responsible for an MTA is not always  
> identifiable (in Italy, the mandate to state who are the sysadmins  
> of an MTA is being procrastinated every few months, since November  
> 2008.) By contrast, domain registrants often have whois records  
> pointing to them.

While larger ISPs are likely to have a few hundred outbound MTAs, they  
represent a very small percentage of overall legitimate Outbound  
MTAs.  Larger ISPs likely represent less than a few hundred thousand  
Outbound MTAs, over several million other legitimate MTAs.  A  
reputation system might replace the existence of CSV records; however,  
initial acceptance and tracking can be improved by the presence of  
CSV records.  Being able to identify legitimate Outbound MTAs reduces  
the vetting of hundreds of millions of domains associated with Mail  
From or PRAs, where each domain likely covers massive address lists.   
Legitimate Outbound MTA domains will resolve to a small set of  
addresses each.

Efforts to combine the addresses used by a domain are  
counterproductive when it comes to resolving problems, or when dealing  
with initial SMTP connections.  When it comes to SMTP, direct  
relationships involve less overhead, which improves efficacy and  
efficiency to the point of perhaps permitting use of IPv6.

-Doug
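The following is an added example, not code from this thread or from the CSV/CSA drafts, illustrating the two ideas in the exchange above: the CSV paradigm John Leslie describes (an SRV query under the EHLO name whose target's address records say which IPs that MTA uses) and Doug's heuristic that an IP claimed by only one or two verified EHLO names is attributable, while one claimed by many looks like a NAT or compromised hosts. The `_client._smtp` owner-name prefix, the meaning given here to the SRV priority field (1 = the domain claims responsibility for the client), the in-memory zone and the connection log are all assumptions constructed for the example; the real record semantics must be taken from the CSV/CSA drafts, and a real check would use a DNS resolver rather than a dictionary.

```python
"""Simplified CSV-style EHLO verification and a domains-per-IP heuristic.

Added example; not code from the ASRG thread or the CSV/CSA drafts.
Everything below (record prefix, priority semantics, zone contents,
connection log) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class SRV:
    priority: int  # assumption: 1 = domain claims responsibility for the client
    weight: int
    port: int
    target: str    # host whose A records list the client's addresses


Record = Union[SRV, str]  # A records are kept as dotted-quad strings

# Constructed sample zone: owner name -> SRV records or A-record strings.
SAMPLE_ZONE: Dict[str, List[Record]] = {
    "_client._smtp.mta1.example.net.": [SRV(1, 1, 25, "mta1.example.net.")],
    "mta1.example.net.": ["192.0.2.10", "192.0.2.11"],
    # relay.example.org publishes a record but disclaims the client (priority 2).
    "_client._smtp.relay.example.org.": [SRV(2, 1, 25, "relay.example.org.")],
    "relay.example.org.": ["198.51.100.5"],
    # nocsv.example.com publishes no CSV record at all.
    "nocsv.example.com.": ["203.0.113.7"],
}
# Three names all claiming the same address, the "many domains per IP" case.
for _host in ("nat-a", "nat-b", "nat-c"):
    _name = f"{_host}.example.com."
    SAMPLE_ZONE["_client._smtp." + _name] = [SRV(1, 1, 25, _name)]
    SAMPLE_ZONE[_name] = ["198.51.100.77"]


def _fqdn(name: str) -> str:
    """Normalise a hostname to a lower-case, dot-terminated owner name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def lookup(zone: Dict[str, List[Record]], name: str, rtype: type) -> List[Record]:
    """Stand-in for a DNS query: records of one type at an owner name."""
    return [r for r in zone.get(_fqdn(name), []) if isinstance(r, rtype)]


def csv_check(ehlo: str, client_ip: str, zone=SAMPLE_ZONE) -> str:
    """Classify a connection by its EHLO name and source address.

    'none'         no SRV record under _client._smtp.<ehlo>
    'unauthorized' record(s) exist but none claims responsibility
    'pass'         the client IP is among the A records of a claiming target
    'fail'         a claiming record exists but does not list the client IP
    """
    srvs = lookup(zone, "_client._smtp." + _fqdn(ehlo), SRV)
    if not srvs:
        return "none"
    ip = ip_address(client_ip)
    claiming = [s for s in srvs if s.priority == 1]  # assumed semantics
    if not claiming:
        return "unauthorized"
    for srv in claiming:
        addrs = {ip_address(a) for a in lookup(zone, srv.target, str)}
        if ip in addrs:
            return "pass"
    return "fail"


# Constructed connection log: (client IP, EHLO name) as an MTA would record it.
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("192.0.2.10", "MTA1.example.net"),
    ("192.0.2.10", "mta1.example.net"),
    ("192.0.2.99", "mta1.example.net"),      # forged EHLO, fails the check
    ("203.0.113.7", "nocsv.example.com"),
    ("198.51.100.77", "nat-a.example.com"),
    ("198.51.100.77", "nat-b.example.com"),
    ("198.51.100.77", "nat-c.example.com"),
]


def verified_domains_per_ip(log=SAMPLE_LOG, zone=SAMPLE_ZONE) -> Dict[str, Set[str]]:
    """Map each client IP to the set of EHLO names that pass the CSV check."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ip, ehlo in log:
        if csv_check(ehlo, ip, zone) == "pass":
            seen[ip].add(_fqdn(ehlo))
    return dict(seen)


def suspicious_ips(log=SAMPLE_LOG, zone=SAMPLE_ZONE, max_domains: int = 2) -> Set[str]:
    """IPs claimed by more than max_domains verified EHLO names (NAT or compromise)."""
    return {ip for ip, names in verified_domains_per_ip(log, zone).items()
            if len(names) > max_domains}


if __name__ == "__main__":
    for ip, ehlo in SAMPLE_LOG:
        print(f"{ip:15} {ehlo:20} {csv_check(ehlo, ip)}")
    print("suspicious:", sorted(suspicious_ips()))
```

Only connections that pass the check contribute to the per-IP count, so a forged EHLO cannot inflate another operator's reputation key; the threshold of two is a placeholder and would be tuned against real traffic.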