Re: [Asrg] What are the IPs that sends mail for a domain?

Alessandro Vesely <vesely@tana.it> Wed, 01 July 2009 14:31 UTC

Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3DC8E28C554 for <asrg@core3.amsl.com>; Wed, 1 Jul 2009 07:31:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[AWL=-0.077, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, J_CHICKENPOX_16=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFDQb1N41eRu for <asrg@core3.amsl.com>; Wed, 1 Jul 2009 07:31:48 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id A115A28C579 for <asrg@irtf.org>; Wed, 1 Jul 2009 07:30:33 -0700 (PDT)
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Wed, 01 Jul 2009 16:20:13 +0200 id 00000000005DC030.000000004A4B709D.000057A8
Message-ID: <4A4B709C.2000109@tana.it>
Date: Wed, 01 Jul 2009 16:20:12 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <200906180105.VAA21834@Sparkle.Rodents-Montreal.ORG> <C8F0F10E-E1A4-4D25-AF20-31E3F0DB68DF@mail-abuse.org> <200906182044.QAA05200@Sparkle.Rodents-Montreal.ORG> <FED77586-8800-4BA6-99EA-30A1D9C089B6@mail-abuse.org> <200906190149.VAA06902@Sparkle.Rodents-Montreal.ORG> <B5252B96-F0AB-4D4A-A0DA-8314AA8E038F@mail-abuse.org> <4A3D366E.2020304@tana.it> <934f64a20906201606pff54ca3y904da141013f1d2a@mail.gmail.com> <4A490CC5.8020601@billmail.scconsult.com> <4A49C1DD.8020205@tana.it> <20090630200150.GL57980@verdi>
In-Reply-To: <20090630200150.GL57980@verdi>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2009 14:31:49 -0000

John Leslie wrote:
>> In fact, we don't even have a term for "the accountable party related 
>> to an IP address".
>
>    Are you sure that's a useful concept?

Not at all. However, after noting that per-user accountability in the 
PGP or S/MIME sense cannot be used for general email, the tendency seems 
to be to look for the IP address of the transmitters, much like 
pinching hackers on the fly, as is sometimes shown in the movies.

>    The CSV paradigm is that the operator of an MTA should exercise some 
> responsibility for what it sends. The HELO string identifies the MTA 
> (though not necessarily one string exclusively by one MTA), and the 
> DNS management for that domain-name string states whether that domain 
> exercises responsibility (and by automatic return of A)ddress RRs on 
> SRV queries, what IP address(es) that MTA uses).

The link from the MTA to its operator is still missing.

>    While this perhaps comes "close", it's not designating an "accountable 
> party"; and the IP address is related to the HELO string, not the other 
> way around. It does _not_ lead to an "accountable party" -- it merely 
> associates a reference string (the domain name) that we can use as a 
> query to reputation services.

To this end, I'd prefer the use of a domain name. One reason is that 
large ESPs have many MTAs that can be used interchangeably. In 
addition, the person responsible for an MTA is not always identifiable 
(in Italy, the mandate to state who the sysadmins of an MTA are has 
been postponed every few months since November 2008.) By contrast, 
domain registrants often have whois records pointing to them.

>> RFC 5068
>> associates accountability after submission with traceability features 
>> of the MSA, apparently suggesting that the first relaying thereafter 
>> is from an IP which is (indirectly) accountable for the message content.
>
>    Actually,
> "
> " Relaying and delivering employ policies that occur after submission and
> " are outside the scope of this document.
>
> RFC 5068 deals with the operation of Mail Submission Agents. I don't agree 
> it even "suggests" how accountability should follow the message as it 
> winds its way to the recipient.

It does. Notwithstanding the sentence you quoted, there is a 
"Submission Accountability after Submission" paragraph in section 3.1, 
saying

       For a reasonable period of time after submission, the message
       SHOULD be traceable by the MSA operator to the authenticated
       identity of the user who sent the message.

A similar norm is mandated by anti-terrorism regulations, in the EU at 
least.

That way, accountability could theoretically be traced, _if_ the first 
submission followed those guidelines. While I can be reasonably sure, 
after an IP-based DNSBL check, that the connecting client is not an 
open relay, I have no means to know whether the site enforces the 
submission protocol in general, or did so at least for the messages it 
is about to relay.

Thus, it turns out that if an MTA does mixed MSA and old-fashioned 
port 25 relaying for its clients, its IP cannot convey accountability.
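As an added example (not code from this thread or from any mail software it
mentions), the Python script below walks the Received: chain of the archived
message above and separates what a receiving site can establish for itself
from what it can only read off the headers: the IP its MX actually talked to,
whether that hop's HELO name agrees with the address, the reversed-octet name
it would query in an IP-based DNSBL, and, separately, the authenticated
submission identity that the upstream site claims to have recorded, which the
receiver has no way to verify. The four Received: lines are copied from the
headers on this page; the set of "local" hosts, the forward-DNS table and the
DNSBL zone name "dnsbl.example" are constructed assumptions so the script runs
offline.

```python
"""Trace the transmitter of a message through its Received: chain.

Added example, not code from the ASRG thread.  SAMPLE_RECEIVED holds the
Received: lines of the archived message, newest first; LOCAL_HOSTS,
FORWARD_DNS and the DNSBL zone are constructed stand-ins (no live DNS).
"""
import re
from ipaddress import ip_address

SAMPLE_RECEIVED = [
    "from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3DC8E28C554 for <asrg@core3.amsl.com>; Wed, 1 Jul 2009 07:31:49 -0700 (PDT)",
    "from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFDQb1N41eRu for <asrg@core3.amsl.com>; Wed, 1 Jul 2009 07:31:48 -0700 (PDT)",
    "from wmail.tana.it (wmail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id A115A28C579 for <asrg@irtf.org>; Wed, 1 Jul 2009 07:30:33 -0700 (PDT)",
    "from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Wed, 01 Jul 2009 16:20:13 +0200 id 00000000005DC030.000000004A4B709D.000057A8",
]

# Hosts the receiving site treats as its own (constructed for this sample).
LOCAL_HOSTS = {"localhost", "core3.amsl.com", "mail.ietf.org"}

# Constructed forward-DNS table, HELO name -> addresses it may use.  Values are
# taken from the reverse-DNS annotations in the headers, not from live DNS.
FORWARD_DNS = {
    "wmail.tana.it": {"62.94.243.226"},
    "mail.ietf.org": {"64.170.98.32"},
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
AUTH_RE = re.compile(r"AUTH:\s*(\S+)\s+(\S+?)[,)]")


def parse_received(header):
    """Split one Received: line into HELO, connecting IP, receiver and AUTH info."""
    from_clause = header.split(" by ", 1)[0]   # only the 'from ...' part
    helo = FROM_RE.match(header)
    ip = IP_RE.search(from_clause)
    by = BY_RE.search(header)
    auth = AUTH_RE.search(header)
    return {
        "helo": helo.group(1) if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "auth_mech": auth.group(1) if auth else None,
        "auth_user": auth.group(2) if auth else None,
    }


def connecting_client(hops, local_hosts):
    """Newest hop that came from outside the receiving site.

    Loopback re-injection and content-filter hops are skipped, so the result
    is the address the MX really talked to: the only IP the receiver can hold
    to account with a DNSBL or a HELO check.
    """
    for hop in hops:
        if hop["ip"] is None:
            continue
        if ip_address(hop["ip"]).is_loopback or hop["helo"] in local_hosts:
            continue
        return hop
    return None


def helo_consistent(hop, forward_dns):
    """Does the HELO name forward-resolve to the connecting address?

    A bracketed address literal is compared to the IP directly; a domain name
    is looked up in the forward table (constructed here, DNS in practice).
    """
    helo, ip = hop["helo"], hop["ip"]
    if helo is None or ip is None:
        return False
    if helo.startswith("[") and helo.endswith("]"):
        return helo[1:-1] == ip
    return ip in forward_dns.get(helo.lower(), set())


def submission_hop(hops):
    """Oldest hop that records an authenticated submission, or None.

    This is the RFC 5068 traceability claim made by the MSA operator; a
    downstream receiver only sees that the header says so.
    """
    for hop in reversed(hops):
        if hop["auth_user"]:
            return hop
    return None


def dnsbl_query_name(ip, zone):
    """Reversed-octet name a receiver would look up in an IPv4 DNSBL zone."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def assess(received_headers, local_hosts=LOCAL_HOSTS, forward_dns=FORWARD_DNS,
           dnsbl_zone="dnsbl.example"):
    """Summarise what the receiver can check versus what it is merely told."""
    hops = [parse_received(h) for h in received_headers]
    client = connecting_client(hops, local_hosts)
    sub = submission_hop(hops)
    return {
        "client_ip": client["ip"] if client else None,
        "client_helo": client["helo"] if client else None,
        "helo_consistent": helo_consistent(client, forward_dns) if client else False,
        "dnsbl_query": dnsbl_query_name(client["ip"], dnsbl_zone) if client else None,
        # Recorded upstream; the receiver cannot verify either value.
        "claimed_submitter": sub["auth_user"] if sub else None,
        "claimed_by": sub["by"] if sub else None,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_RECEIVED).items():
        print(f"{key}: {value}")
```

On the sample chain the receiver ends up holding wmail.tana.it at
62.94.243.226 accountable, with a HELO that matches and a DNSBL name it can
query; the "ale@tana.it" identity two hops up is whatever the relaying site
chose to write down, which is exactly the gap the message describes.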