Re: [Asrg] What are the IPs that sends mail for a domain?

Ian Eiloart <iane@sussex.ac.uk> Tue, 23 June 2009 14:02 UTC

--On 22 June 2009 17:53:54 -0400 Rich Kulawiec <rsk@gsp.org> wrote:

> On Mon, Jun 22, 2009 at 02:59:01PM +0100, Ian Eiloart wrote:
>> We use IP address reputation services because there's nothing else we
>> can use, in the absence of some way to authenticate the sender address.
>> Of course, those mechanisms exist and are widely deployed but not
>> universally, or even by a majority of domains. When they become so,
>> we'll no doubt see domain based reputation services, and even address
>> based reputation services being used as much as IP address reputation
>> services are.
>
> I don't think so.  Domains and addresses are nearly-free and disposable,
> so spammers could easily render both pointless exercises whenever it
> suited them to do so.

Yes, they are. But, acquiring reputation for a domain is a different 
question. Sure, a new email address doesn't have a negative reputation, but 
it doesn't have a positive reputation either.

Mail server configurations of the future will likely reject email from 
addresses with negative reputations (except where whitelisted), accept 
email from addresses with good positive reputations (except where 
blacklisted), and do other stuff with addresses without reputation 
(including newly registered addresses, and previously unused addresses).

What will they do with the addresses without reputation scores? Well, at 
worst only what they do now - examine the content, check the IP address 
reputation, etc. But, they'll also have a host of other things they can do, 
including domain based whitelisting and blacklisting (pointless without 
authentication). And, they'll be able to - for example - rate limit mail 
from unusual addresses until the new addresses have acquired sufficient 
reputation.

And, if they do use new domains for spam, we can track them through the 
registrars. Unresponsive registrars will acquire poor reputation - so 
expect to see registrar based reputation services, too.

> Given that registrars are quite happy to continue
> selling dirt-cheap domains by the thousands to even the worst spammers
> (and registrars ARE spammers) it will always be possible for abusers to
> come up with another domain and another email address -- or another ten
> thousand of each -- whenever it suits them.   Network space is not quite
> so easy to come by, so I think we stand a better chance keeping track of
> allocations.

Yes, but what's the point? I've never had any of my users ask me to 
whitelist an IP address. I've had plenty ask me to whitelist domains and 
specific addresses. We don't do that at the moment, because a whitelist 
entry is simply a hole in our spam defences. Oh, and notice that it hasn't 
actually worked very well.

> ---Rsk

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
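
The policy sketched in the message above, written out as an added example (not part of the original post, nor any mail server's own code). The outcome names, thresholds, sample addresses and the handling of whitelisted and blacklisted exceptions are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data; scores, lists and limits are assumptions.
REPUTATION = {
    "alice@example.org": 0.9,      # good positive reputation
    "ceo@partner.example": 0.7,    # positive, but locally blacklisted
    "promo@bulk.example": -0.8,    # negative, but locally whitelisted
    "spam@junk.example": -0.9,     # negative, no local exception
}
WHITELIST = {"promo@bulk.example"}
BLACKLIST = {"ceo@partner.example"}
NEW_SENDER_LIMIT = 3     # messages per window from a sender with no reputation
WINDOW_SECONDS = 3600

_recent = defaultdict(deque)   # sender -> timestamps of recently passed messages


def decide(sender, authenticated, now):
    """Return 'accept', 'reject', 'scan' or 'defer' for one message.

    'scan' is today's fallback (content checks, IP reputation);
    'defer' is a temporary refusal used to rate limit unknown senders.
    """
    if not authenticated:
        # Address and domain lists are pointless without authentication.
        return "scan"
    score = REPUTATION.get(sender)
    if score is not None and score < 0:
        # Negative reputation: reject, except where whitelisted.
        return "accept" if sender in WHITELIST else "reject"
    if score is not None and score > 0:
        # Positive reputation: accept, except where blacklisted.
        return "reject" if sender in BLACKLIST else "accept"
    # No reputation yet: allow a trickle, defer anything above the limit.
    window = _recent[sender]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()
    if len(window) >= NEW_SENDER_LIMIT:
        return "defer"
    window.append(now)
    return "scan"
```
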