Re: [Asrg] What are the IPs that sends mail for a domain?

Steve Atkins <steve@blighty.com> Mon, 22 June 2009 22:08 UTC


On Jun 22, 2009, at 2:53 PM, Rich Kulawiec wrote:

> On Mon, Jun 22, 2009 at 02:59:01PM +0100, Ian Eiloart wrote:
>> We use IP address reputation services because there's nothing else we can
>> use, in the absence of some way to authenticate the sender address. Of
>> course, those mechanisms exist and are widely deployed but not
>> universally, or even by a majority of domains. When they become so, we'll
>> no doubt see domain based reputation services, and even address based
>> reputation services being used as much as IP address reputation services
>> are.
>
> I don't think so.  Domains and addresses are nearly-free and disposable,
> so spammers could easily render both pointless exercises whenever it
> suited them to do so.  Given that registrars are quite happy to continue
> selling dirt-cheap domains by the thousands to even the worst spammers
> (and registrars ARE spammers) it will always be possible for abusers to
> come up with another domain and another email address -- or another ten
> thousand of each -- whenever it suits them.   Network space is not quite
> so easy to come by, so I think we stand a better chance keeping track of
> allocations.

The critical point here is that while it's easy to cycle through domains,
only those who are doing Bad Stuff will do so.

If you're sending wanted email then the reputation associated with any
reputation key (including domains) will increase, and quality of delivery
will continue to improve.

If you're sending unwanted email then the associated reputation will
decrease and delivery rates will drop. Because of that, people sending
bad email will cycle through reputation identifiers rapidly, meaning that
their reputation is never better than that of a brand new identifier, but not
usually much worse.

That makes reputation of this sort (whether it be IP based, authenticated
domain based or anything else where it's easy to create a new reputation
key, but hard to steal someone else's) extremely useful for identifying
mail that's likely to be wanted, and not really great for identifying mail that's
likely to be unwanted. It's not something that's useful on its own, but it's
incredibly useful when used in conjunction with other approaches.

Cheers,
   Steve
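
The argument in the message above, as a small simulation added here for illustration (it is not part of the original post). The scoring step, the rotation threshold, the trust threshold and the `.example` key names are all assumptions chosen to make the behaviour visible.

```python
# Added illustration: reputation keyed on an identifier that is cheap to
# create but hard to steal. All constants are assumptions, not measured values.
NEUTRAL = 0.0         # score of a key the receiver has never seen
STEP = 1.0            # change per recipient verdict (wanted / unwanted)
ROTATE_BELOW = -3.0   # an abusive sender abandons a key once it sinks this low
TRUST_AT = 10.0       # score at which reputation alone is enough to accept


class ReputationStore:
    def __init__(self):
        self.scores = {}

    def score(self, key):
        return self.scores.get(key, NEUTRAL)

    def record(self, key, wanted):
        self.scores[key] = self.score(key) + (STEP if wanted else -STEP)


def simulate(messages=100):
    """Return the scores the receiver saw per message, and keys burned."""
    store = ReputationStore()
    good_key, bad_key, rotations = "good.example", "bad-0.example", 0
    good_seen, bad_seen = [], []
    for _ in range(messages):
        good_seen.append(store.score(good_key))   # stable sender, wanted mail
        store.record(good_key, wanted=True)
        bad_seen.append(store.score(bad_key))     # cycling sender, unwanted mail
        store.record(bad_key, wanted=False)
        if store.score(bad_key) <= ROTATE_BELOW:  # key is burned: take a fresh one
            rotations += 1
            bad_key = f"bad-{rotations}.example"
    return good_seen, bad_seen, rotations


def classify(score, content_suspicious):
    """Use reputation only as a positive signal; otherwise defer to another
    filter (here a constructed boolean standing in for content analysis)."""
    if score >= TRUST_AT:
        return "accept"
    return "reject" if content_suspicious else "accept"


if __name__ == "__main__":
    good, bad, rotations = simulate()
    print("stable sender final score:", good[-1])
    print("cycling sender score range:", min(bad), "to", max(bad))
    print("keys burned:", rotations)
```

The cycling sender's score stays within a few steps of a brand-new key, so a low score says little, while the stable sender's high score is something only sustained wanted mail can produce.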