Re: [Asrg] What are the IPs that sends mail for a domain?

Alessandro Vesely <vesely@tana.it> Thu, 02 July 2009 15:03 UTC

Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AC25B3A680F for <asrg@core3.amsl.com>; Thu, 2 Jul 2009 08:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.047
X-Spam-Level:
X-Spam-Status: No, score=-2.047 tagged_above=-999 required=5 tests=[AWL=1.757, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, J_CHICKENPOX_16=0.6, RCVD_IN_DNSWL_MED=-4, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vzi1ktGsi0bt for <asrg@core3.amsl.com>; Thu, 2 Jul 2009 08:03:29 -0700 (PDT)
Received: from wmail.tana.it (mail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id 8325C3A6999 for <asrg@irtf.org>; Thu, 2 Jul 2009 08:03:29 -0700 (PDT)
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Thu, 02 Jul 2009 17:03:51 +0200 id 00000000005DC02F.000000004A4CCC57.0000294C
Message-ID: <4A4CCC56.8090804@tana.it>
Date: Thu, 02 Jul 2009 17:03:50 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <200906180105.VAA21834@Sparkle.Rodents-Montreal.ORG> <C8F0F10E-E1A4-4D25-AF20-31E3F0DB68DF@mail-abuse.org> <200906182044.QAA05200@Sparkle.Rodents-Montreal.ORG> <FED77586-8800-4BA6-99EA-30A1D9C089B6@mail-abuse.org> <200906190149.VAA06902@Sparkle.Rodents-Montreal.ORG> <B5252B96-F0AB-4D4A-A0DA-8314AA8E038F@mail-abuse.org> <4A3D366E.2020304@tana.it> <934f64a20906201606pff54ca3y904da141013f1d2a@mail.gmail.com> <4A490CC5.8020601@billmail.scconsult.com> <4A49C1DD.8020205@tana.it> <20090630200150.GL57980@verdi> <4A4B709C.2000109@tana.it> <CA9E386E-44BA-4E3B-8A91-A99B07393BA0@mail-abuse.org>
In-Reply-To: <CA9E386E-44BA-4E3B-8A91-A99B07393BA0@mail-abuse.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2009 15:03:30 -0000

Douglas Otis wrote:
> On Jul 1, 2009, at 7:20 AM, Alessandro Vesely wrote:
>> John Leslie wrote:
>>> The CSV paradigm is that the operator of a MTA should exercise some 
>>> responsibility for what is sends. The HELO string identifies the MTA 
>>> (though not necessarily one string exclusively by one MTA), and the 
>>> DNS management for that domain-name string states whether that domain 
>>> exercises responsibility (and by automatic return of A)ddress RRs on 
>>> SRV queries, what IP address(es) that MTA uses).
>>
>> The link from the MTA to its operator is still missing.
> 
> Disagree.  Based on our results, when only a few domains publish an IP 
> addresses of an Outbound MTA, it is rather safe to assume the domains 
> represented by verified EHLO information resolve who is administrating 
> the MTA.

In general an MTA provides a FQDN like mta.example.com, and we are 
unable to say whether it "is a member of" example.com. In addition, 
the MTA's administrator may be unrelated to example.com's registrant.

>  When there are many domains, this appears to represent either 
> MTAs operating behind a NAT, or compromised systems; sometimes both.

I don't understand that kind of setup. Multiple MTAs operating behind 
a NAT have no way to receive mail, so they are only sending SMTP 
clients. Is inertia the only reason why they don't use an MSA?

> It appears to be rare for legitimate Outbound MTAs to change domain 
> affiliations.  From a reputation standpoint, verified EHLO information 
> offers stable identifiers in which to effectively and efficiently manage 
> email abuse.

It seems that vanity domains don't mind if the MX record points to an 
MTA in another domain. The intricacies of having CNAMEs near MX 
settings presumably refrained also from assigning multiple names, one 
for each vanity domain, to a given MTA. However, some do it.

On an SMTP connection, a client says: "Hello mta.example.com", and 
after I accept that, it goes on with "Mail from:<xyz@example.ORG>". 
What does that mean, in terms of accountability?

>> To this end, I'd prefer the use of a domain name.

This guy is relaying on behalf of someone else. If I had verified the 
"example.com" possibly registered domain, I would spot it more easily. 
If example.ORG is a vanity name, i.e. it has the same MX as 
example.com, I accept it. If not, I wouldn't know who is accountable 
for the message, so I reject it.

In case mta.example.com runs outbound MTA services for third parties, 
I would hold the originating third party accountable for the message. 
However, there is no way I can tell that is indeed the case, neither 
from the IP address nor from the name. I'd need, say, a CSA SRV record 
from example.ORG saying: "we authorize mta.example.com", _and_ on 
starting a new session the client shall say: "Hello on behalf of 
example.ORG: check their CSA settings". No guessing required, then.

> While larger ISPs are likely to have a few hundred outbound MTAs, they 
> represent a very small percentage of overall legitimate Outbound MTAs.

However, they transmit lots of messages.

> Being able to identify legitimate Outbound MTAs reduces the vetting of 
> hundreds of millions of domains associated with Mail From or PRAs, where 
> each domain likely covers massive address lists.

Exactly. Those legitimate Outbound MTAs are probably connected to an 
MSA. When we identify them, we enjoy the advantages deriving from 
users going through their relevant MSAs, as we recommended, rather 
than relaying through whatever MTA they have at hands, or directly.

> Efforts to combine the addresses used by a domain is counter productive 
> when it comes to resolving problems, or when dealing with initial SMTP 
> connections.  When it comes to SMTP, direct relationships involve less 
> overhead which improves efficacy and efficiency to the point of perhaps 
> permitting use of IPv6.

In some cases, names can be handled better than IP numbers. After all, 
that's why they invented the DNS...