IETF Logo Mail Archive

Re: [Asrg] Opt-Out ideas/suggestions?

John Leslie <john@jlc.net> Fri, 23 September 2011 23:27 UTC

Return-Path: <john@jlc.net>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12FF321F8B3F for <asrg@ietfa.amsl.com>; Fri, 23 Sep 2011 16:27:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.25
X-Spam-Level:
X-Spam-Status: No, score=-106.25 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00izFf0FSI4g for <asrg@ietfa.amsl.com>; Fri, 23 Sep 2011 16:27:45 -0700 (PDT)
Received: from mailhost.jlc.net (mailhost.jlc.net [199.201.159.4]) by ietfa.amsl.com (Postfix) with ESMTP id 0DB1621F8B47 for <asrg@irtf.org>; Fri, 23 Sep 2011 16:27:45 -0700 (PDT)
Received: by mailhost.jlc.net (Postfix, from userid 104) id BE1B333C24; Fri, 23 Sep 2011 19:30:20 -0400 (EDT)
Date: Fri, 23 Sep 2011 19:30:20 -0400
From: John Leslie <john@jlc.net>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <20110923233020.GE2931@verdi>
References: <B94DDF3D-7310-4BA0-A5FE-790E5CC393ED@nordu.net> <20110923105849.GA25051@gsp.org> <4E7CB373.6010201@mail-abuse.org> <20110923174550.GB2931@verdi> <4E7CD1F1.7030103@mail-abuse.org> <20110923192708.GD2931@verdi> <4E7D0B1D.3040403@mail-abuse.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4E7D0B1D.3040403@mail-abuse.org>
User-Agent: Mutt/1.4.1i
Subject: Re: [Asrg] Opt-Out ideas/suggestions?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2011 23:27:46 -0000

Douglas Otis <dotis@mail-abuse.org> wrote:
> On 9/23/11 12:27 PM, John Leslie wrote:
>> Douglas Otis<dotis@mail-abuse.org>  wrote:
>>
>>> Keeping an opt-out list secret can't work.
>> 
>> Of course it can, if sufficiently distributed...
> 
> Consider what happened with Blue Security.

   I assume you refer to the DDoS on Blue Security's Blue Frog list.
Being a centrally-maintained list, DDoS is possible. For distributed
opt-out service at MDAs, individual lists they might query _are_
subject to DDoS, but DDoS on the MDAs themselves isn't practical.

> Although lists were private, when applied, content became obvious.

   Yes, content of such centrally-maintained lists will become obvious.

> Not offering DSN will require some method to resolve delivery issues.

   Strictly, yes; but that method can filter through individual MDA
customers -- who for the most part will be quite happy to deep-six
anything spam-like (as happens today).

   MDA-maintainers have no reason to accept such complaints from the
mass-mailers absent a contract in place.

>>> A) What would be the penalty for those that did not know of an opt-out
>>>    and yet received an opt-in?
>> Howzzat? I can't imagine any appropriate penalty beyond the opt-in.
> 
> What you seem to be describing are mail filtering rules.

   I certainly wouldn't limit it to that.

> However, random junk easily side steps such rules. This brings us back
> to opt-in with perhaps review of junk folders for strays.

   That depends on how you define "opt-in"...

   Technically, it's possible to gather opt-in confirmations and
whitelist the particular List-ID and MTA (though not trivial).

   If the service in question _participates_ in the opt-in, it could
provide additional "secrets" to check on incoming email.

   Personally, I doubt it's worth the trouble for a researcher to try
to duplicate all the details of how ISPs do filtering today -- instead
one needs to invent rules of what "opt-out" _means_. For a start, an
opt-out request from a customer probably _doesn't_ mean you hunt down
an unsubscribe process for any senders except those with contractual
arrangements (possibly through a clearing service).

   Another point: "botnet" email likely deserves to be quietly discarded.

> Again where we are today.

   A lot of it _is_ pretty similar -- but there's the opportunity to
better match the actual desires of different customers.

>>> B) What would be the penalty for those that send to the opt-out simply
>>>    because they were listed?
>> I don't understand that question either...
> 
> This was based on the assumption no opt-out, or spam trap for that 
> matter, can be kept secret.

   Hopefully we can agree _some_ opt-out listings can be kept secret.

>>> C) How would case A or B be determined?
>> Ditto.
> 
> This will not reduce the amount of abuse, nor alter any of the burdens 
> on the receiver.

   I didn't claim it would.

> Cryptographic authentication of the sending MTA, not the message, would 
> offer a more effective opt-out scheme when acceptance is predicated on 
> authentication of the entity responsible for authenticating actual 
> senders and asserting intended recipients.

   I quite agree!

> This can be done by confirming either the MSA or the MHA acting on
> behalf of the MSA. A simple SMTP token exchanged to validate
> possession of the private half of a DANE certificate would be a good
> starting point.  Perhaps just the use of TLS with these certificates.

   I'd recommend researchers try that...

>>> D) Who would accept penalty notifications?
>> I don't believe I mentioned any...
> 
> Because you think op-out lists can be kept secret.  Never returning 
> delivery status but not delivering may have a few down sides.

   Yes, but that's an issue between customer and MDA-maintainers.

>>>E) What would be used to determine accountability?
>> 
>> The question of accountability only arises if there is a contract
>> between the mass-mailer and the MDA-maintainer -- in which case it
>> is a contract issue.
> 
> There is no real benefit when the same amount of "accepted" mail is 
> still exchanged.

   I'm not sure -- that's a question for research.

>> While it may well make sense to use source-IP to verify that a
>> particular email is covered by contract, that too feels like a contract
>> issue.
> 
> Neither regex rules nor IP addresses alone will block abuse.  When it 
> doesn't, what identifier is to be held accountable?

   IMHO, absent a contract, "accountability" is a wasted effort.

>>> With many messages originating from compromised systems, any enforcement
>>> would be analogous to a notification that a system or network has been
>>> compromised.  Which organization would manage the announcement of the
>>> blackhole lists?  But we are already doing just that in various fashions.
>> 
>> Actually, no. Enforcement could be limited to the MDA in question.
> 
> You are expecting to accept all unwanted email? We tried that, but this 
> becomes a type of email black-hole sucking in ever increasing amounts.  
> You'll need more servers and storage for this scheme that will grow and 
> grow.

   My experience doesn't support quite that much pessimism.

   However, there are a number of tricks, the simplest being simply
simulating the high packet-loss of a vastly overloaded MDA. I doubt,
however, that that issue will arise during the research phase.

>> At first blush, it seems reasonable to use results to feed the
>> algorithms of blacklist maintainers, but that goes beyond the research
>> I was suggesting...
> 
> And another place where acceptance information is leaked.

   Agreed!

--
John Leslie <john@jlc.net>

v2.41.0 | Report a Bug | By Email | System Status