Re: [Asrg] What are the IPs that sends mail for a domain?

Douglas Otis <dotis@mail-abuse.org> Wed, 17 June 2009 00:24 UTC

Message-Id: <628BBDFC-0DDE-47B6-BC41-EAF846EE9D5D@mail-abuse.org>
From: Douglas Otis <dotis@mail-abuse.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
In-Reply-To: <20090616225543.11524.qmail@simone.iecc.com>
Date: Tue, 16 Jun 2009 17:24:03 -0700
References: <20090616225543.11524.qmail@simone.iecc.com>

On Jun 16, 2009, at 3:55 PM, John Levine wrote:

>> How do I find if I have blocked the domain from sending to my  
>> server. Meaning, knowing the domain name of the sender, how do I  
>> find the IPs from where the mail could be sent from. It seems that  
>> SPF is the only tool to provide that answer?
>
> Unless you have previous mail from the domain, I would agree SPF is  
> your best bet.

This is not your only bet.  Many SPF records include the term MX and,  
when not found, even default to using MX/24.

>> In another related problem, which is linked to IPv6 and RBL.  
>> Building an IPv6 RBL could lead to a huge database. Sure you can  
>> alleviate by using "wildcards", but why not use the reverse DNS  
>> resolution to add a TXT record associated to the IP to indicate the  
>> IP is the one of a mail server? So any IP that does not have this  
>> record would be blocked for SMTP.
>
> We've had a variety of proposals to identify mail client hosts.  See http://mipassoc.org/csv/

The CSV effort proved most providers do not want their MTAs identified  
as belonging to them, even when it could improve email acceptance.   
This might be especially true now after their support staff has been  
reduced.

Reverse DNS is already causing a large amount of resources to be  
wasted by the shabby state of the reverse name space.  Incorrectly  
configured RFC 2317 delegation and many non-functional servers are  
causing MTAs to rapidly become resource limited when making reverse  
checks.   In addition, when your customers conduct business with Asia,  
they may not be happy to find email is being lost as a result of  
geographic differences of opinion about the role that reverse DNS  
might play with email.

IMHO, all outbound MTAs should be required to return CSV records for  
their EHLO name and offer MX records for their inbound.  A mandate  
that required MX (inbound) or CSV (outbound) records would greatly  
help in identifying non-abusive email sources against a backdrop of  
hundreds of millions of bot-net controlled drones spewing email.   
Systems may soon use ACLs as a means to white-list safe MTAs.  Perhaps  
the world is a few years from having to go to that extreme.

-Doug
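
The question discussed in this thread (which IPs may send mail for a domain, and whether any of them are blocked locally) can be worked through as follows. This is an added example, not part of the original message: the zone data, the `lookup` stub and the function names are constructed for illustration, and only the `ip4`, `ip6`, `a`, `mx` and `include` mechanisms are expanded.

```python
import ipaddress

# Constructed zone data standing in for live DNS (documentation names and addresses).
ZONE = {
    ("example.org", "TXT"): ["v=spf1 mx/24 ip4:192.0.2.128/28 include:_spf.example.net -all"],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["198.51.100.25"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip6:2001:db8:25::/48 a:out.example.net ~all"],
    ("out.example.net", "A"): ["203.0.113.7"],
}

def lookup(name, rtype):
    """Hypothetical resolver stub: answers only from ZONE."""
    return ZONE.get((name.lower(), rtype), [])

def sender_networks(domain, depth=0):
    """Networks that the domain's SPF record authorizes with a pass result."""
    if depth > 10:
        raise ValueError("include chain too deep (possible loop)")
    nets = set()
    record = next((t for t in lookup(domain, "TXT")
                   if t.lower().split()[:1] == ["v=spf1"]), "")
    for term in record.split()[1:]:
        if term[0] in "-~?":            # only pass-qualified terms authorize senders
            continue
        name, _, arg = term.lstrip("+").partition(":")
        name, _, bare_len = name.lower().partition("/")   # "mx/24" -> ("mx", "24")
        if name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg, strict=False))
        elif name == "include":
            nets |= sender_networks(arg, depth + 1)
        elif name in ("a", "mx"):
            target, _, arg_len = arg.partition("/")
            target = target or domain
            hosts = [target] if name == "a" else lookup(target, "MX")
            for host in hosts:
                for addr in lookup(host, "A"):   # IPv4 only; AAAA and "//len" omitted
                    net = f"{addr}/{arg_len or bare_len or 32}"
                    nets.add(ipaddress.ip_network(net, strict=False))
    return nets

def blocked_senders(domain, blocklist):
    """Authorized sender networks that overlap a locally blocked network."""
    blocked = [ipaddress.ip_network(b) for b in blocklist]
    return sorted(str(n) for n in sender_networks(domain)
                  if any(n.version == b.version and n.overlaps(b) for b in blocked))
```

Replacing `lookup` with a real resolver turns this into a check of a local blocklist against a sender domain's published SPF data; `redirect=`, `exists` and `ptr` terms are ignored here.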