Re: [Asrg] What are the IPs that sends mail for a domain?

der Mouse <mouse@Rodents-Montreal.ORG> Thu, 18 June 2009 20:44 UTC

> IPv4 is already approaching the majority of all the addresses being
> blocked.

Well...not all that closely, at least not by people who care about
their mail.

The Spamhaus Zen list, arguably one of the most useful, best run, and
least fringe of DNSBLs, currently lists slightly over 521 million
addresses, a touch under 1/8th of the IPv4 space.  Removing the PBL
component - meaning, just bad actors (for SBL-XBL definitions of
"bad"), not including addresses whose providers say they're not
supposed to be sending mail but which haven't necessarily been observed
doing so - brings this down to between 11 and 12 million addresses,
which is tiny; it's between 1/4 and 1/3 of 1% of IPv4 space.

>>> Pushing responsibility to the edge does not work, and email
>>> provides ample evidence.
>> It's not that doing that has been tried and found wanting; rather,
>> it has not been tried.
> Have you heard of SPF?

Yes.  It flopped, no?  If it had been widely adopted, I might have to
decide whether I think it constitutes "pushing responsibility to the
edge".  But I don't.

>> (Actually, it has been tried in a limited way; there are pieces of
>> the net that _do_ push responsibility to the end user.  Oddly
>> enough, they are basically nonexistent as far as abuse emitters go;
>> what evidence I see indicates that it _does_ work.)
> Can you provide some specifics?

I worked for McGill (a university in Montreal) for most of my career,
some 15 years, about 10 of those as postmaster for one of the labs
there.  Certainly we, and to the extent that I saw it the rest of the
University, imposed responsibility on end users.

I am currently working for Openface Internet, an ISP in Montreal.
While it's done very differently (the provider/user relationships are
vastly different in the two contexts), we too push responsibility for
the user of the address space we grant our customers to those
customers.

Neither of these were completely abuse-free.  But nobody their size is
- heck, even my house /28 once emitted some misbehaviour for a few
minutes, when someone asked my help getting a machine cleaned up and I
made a mistake with filtering - and I've seen no reason to think they
were/are even slightly above the background noise.  (If anyone has
evidence to the contrary for Openface, please tell me; I'll certainly
get it into the hands of our abuse handlers, and can track the issue.
For McGill, I'm less able to act since I no longer work there, but it
hasn't been so long I don't still know people.)

Yes, they're tiny fractions of the net.  Openface has a /19 and a /20.
McGill had two /16s - I don't know what they have now.  That doesn't
invalidate my point.

Other places, where similar policies and enforcement exist (or have
existed), have exhibited similarly low abuse-emitter profiles in my
experience.  Other Montreal universities.  RCN while Afterburner was
abuse lead there - that was during a period when I made a point of
complaining about every spam that got through to me, spending hours a
day writing spam complaints, and I had all of _one_ occasion to write
to RCN, which drew prompt and effective response.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B