Re: [Asrg] What are the IPs that sends mail for a domain?
Douglas Otis <dotis@mail-abuse.org> Fri, 03 July 2009 16:51 UTC
Return-Path: <dotis@mail-abuse.org>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1A2303A6C6A for <asrg@core3.amsl.com>; Fri, 3 Jul 2009 09:51:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.938
X-Spam-Level:
X-Spam-Status: No, score=-5.938 tagged_above=-999 required=5 tests=[AWL=-0.254, BAYES_00=-2.599, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-4, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Z4anBkC8YQb for <asrg@core3.amsl.com>; Fri, 3 Jul 2009 09:51:46 -0700 (PDT)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id B53F528C16D for <asrg@irtf.org>; Fri, 3 Jul 2009 09:51:46 -0700 (PDT)
Received: from [IPv6:::1] (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id B2F15A945FA for <asrg@irtf.org>; Fri, 3 Jul 2009 16:52:09 +0000 (UTC)
Message-Id: <5E797CAD-5510-49F4-A53E-995C5E4BC41E@mail-abuse.org>
From: Douglas Otis <dotis@mail-abuse.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
In-Reply-To: <4A4DF007.6070909@tana.it>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Fri, 03 Jul 2009 09:52:09 -0700
References: <200906180105.VAA21834@Sparkle.Rodents-Montreal.ORG> <C8F0F10E-E1A4-4D25-AF20-31E3F0DB68DF@mail-abuse.org> <200906182044.QAA05200@Sparkle.Rodents-Montreal.ORG> <FED77586-8800-4BA6-99EA-30A1D9C089B6@mail-abuse.org> <200906190149.VAA06902@Sparkle.Rodents-Montreal.ORG> <B5252B96-F0AB-4D4A-A0DA-8314AA8E038F@mail-abuse.org> <4A3D366E.2020304@tana.it> <934f64a20906201606pff54ca3y904da141013f1d2a@mail.gmail.com> <4A490CC5.8020601@billmail.scconsult.com> <4A49C1DD.8020205@tana.it> <20090630200150.GL57980@verdi> <4A4B709C.2000109@tana.it> <CA9E386E-44BA-4E3B-8A91-A99B07393BA0@mail-abuse.org> <4A4CCC56.8090804@tana.it> <6C4133DD-CAD2-4FE3-8087-9301B46832F6@mail-abuse.org> <4A4DF007.6070909@tana.it>
X-Mailer: Apple Mail (2.935.3)
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2009 16:51:48 -0000
On Jul 3, 2009, at 4:48 AM, Alessandro Vesely wrote: > Douglas Otis wrote: >>> In general an MTA provides a FQDN like mta.example.com, and we are >>> unable to say whether it "is a member of" example.com. In >>> addition, the MTA's administrator may be unrelated to >>> example.com's registrant. >> >> When the EHLO host name references IP addresses that match the >> Outbound MTA, this verifies there is a common administration >> between the FQDN and DNS. CSV ensures this relationship can be >> established [...] > > That is not the case. The hostmasters at example.com can > unilaterally delegate mta.example.com the way they wish, with no > obligation whatsoever to run a whois service or otherwise publish > data about their delegate's admins, if any, let alone taking > accountability for what such admins would do. The goal is to establish stable and fair identifiers. Once a direct DNS relationship with that of a host can be verified, this serves as a identifier controlled by _some_ administrator. Verification of a DNS relationship allows negative host stewardship assessments to be fairly made based upon the identifier. A fair and stable identifier is being sought. Not one that represents some person. Anonymous tokens help avoid claims of individual censorship. The application of host stewardship assessments can allow spam to be effectively and efficaciously managed, and is how accountability can be established. >> Outbound MTAs can be unrelated to where their mail is received. >> Even so, port 25 of the NAT can be nailed to a host within the >> NAT's private address space. Outbound MTAs behind a NAT is fairly >> common in office environments. > > Yeah, I used to suggest that setting myself, since most of (legit) > mail traffic is intra-office. They may collect external mail running > cron-scheduled POP clients. However, with today's connections and > legit mail being a tiny fraction of mail traffic, I see no reason > for keeping those servers. I regard them as historical settings, and > recommend using SUBMIT+IMAP on secured channels. Those with a DS3 serving their office network may expect they have an ability to publicly send email to other domains. >> With EHLO mta.example.com and a history of that host name [...] >> From a reputation perspective, the name and IP address >> relationships that need to be tracked for Outbound MTAs represent >> data sets orders of magnitude smaller and dramatically more stable >> that that represented by MAIL commands or PRAs. > > However, one year after changing the IP address of my MTA, many MX > receivers are not yet up to date. I'll have to manually update that, > where possible, taking into account each domain idiosyncrasies. It > is so because those name-address relationships are still too many. > If you consider only the right hand side (RHS) of MAIL or PRAs, > you'll get much smaller figures. Dependence upon just the domain of MAIL commands or PRAs would be vulnerable to exploitation. Assertions that authorizations offer authentication are not safe. In addition, there are hundreds of millions of MAIL command or PRA domains to be tracked, white there is about two to three orders of magnitude fewer EHLO domains. A mistake made with a MAIL command or PRA domain will create serious and irreconcilable problems for the domain. A mistake made with a EHLO host is both less likely, and will be far less catastrophic since services elsewhere can be sought. In addition to being safer, more accurate, EHLO assessments are more efficacious and effective. There are fewer in which to deal with, and this instills a hierarchy of management that better confronts rampant abuse largely caused by bot- nets. >>> In case mta.example.com runs outbound MTA services for third >>> parties, I would hold the originating third party accountable for >>> the message. >> Why not hold the entity offering access to those abusing email >> accountable? > > If they just offer a transport service, I see no reason I should. > Vice-versa, if they are accountable, then _they_ are the true MTA, > transmitting on behalf of what I called a vanity domain. (This > distinction does not have to be static, as example.ORG may send > directly in some cases, via example.com in others.) Those offering the service should still be assessed upon their stewardship of who is allowed to send messages. When they fail to remove problematic access to their Outbound MTAs, those MTA might become blocked, and their customers will then need to seek service elsewhere. When a MAIL command or PRA domains are blocked for because authorization has been confused with authentication or when spam is spoofing the domain, those affected are left without recourse. Not wanting to track dramatically fewer EHLO host names with that of a small number of IP addresses is poor justification for a potentially injurious practice making guesses about MAIL commands or PRA domains. :^( >> You have no assurance whether third-party domains originated the >> message, even when the domain offers authorization. This assumes >> Outbound MTAs ensure both the PRA and MAIL commands are restricted >> to specific and verified users. While this might be the case, this >> is not the norm. > > OTOH, if we cannot spot whether an MSA has been used, the advantages > of clean transmission remain confined within the first hop. An MTA > who accepted to relay on behalf of an authenticated user may be > willing to take accountability. The point is that it has no verb to > express that will. IMHO, systems used within private or authenticated exchanges is of no concern. It is only the Outbound MTA sending messages to different domains on port 25 without authentication that needs management. Guesses about what might have occurred ahead of the Outbound MTA can be injurious to otherwise innocent domains. >> It would also be foolish to annotate email as having been >> "authenticated" on the basis of Outbound MTA authorization for the >> same reason. Large companies place a higher priority on their >> messages being received than ensuring authorizations do not expose >> exploits to bad actors. > > If they take accountability, then it's their problem. Their vouchers > should take that behavior into account. Vouchers? Taking accountability? Logically extending that concept should then involve significant liabilities for providers that fail to ensure MAIL commands or PRAs are limited to their rightful owners. What RFCs should these providers be following? How does one determine who is the rightful owner, and have you ever seen such agreements, and do you know which standards need to be followed? Is this assurance expressed within your SLA with your provider? Does this agreement specify exclusivity for use of MAIL commands or does it also include PRAs? You are describing a fantasy that may cause injury when believed. We need to hold parachute manufactures liable for their product, and not those using parachutes. >>> However, there is no way I can tell that is indeed the case, >>> neither from the IP address nor from the name. I'd need, say, a >>> CSA SRV record from example.ORG saying: "we authorize >>> mta.example.com", _and_ on starting a new session the client shall >>> say: "Hello on behalf of example.ORG: check their CSA settings". >>> No guessing required, then. >> Yes, the CSA record would help, but this EHLO information still >> offers value. Especially when considering the use of IPv6 where >> block lists are unlikely to prove effective. > > I agree EHLO information has some value. In some cases, it may be > redundant (e.g. if there is a vouch, or in case of ideal DNS > settings.) In most cases, it is not enough, as it doesn't lead to an > accountable administrator's name, address, phone number, etc. It only needs to lead to an identifier that can be fairly and safely blocked while mitigating email abuse. >> The issue is simpler than that. The issue is to simply hold the >> Outbound MTA accountable for the message sources for whom it grants >> access. DKIM offers a reliable means to verify where a message >> originated without impractical and unscalable efforts aimed at >> registering all authorized paths for MAIL commands or PRAs. > > Both Outbound MTAs and DKIM offer no hint about a message's > Originator and related accountability issues. The task of holding individuals accountable needs to be delegated to the Outbound MTA providers. After all, these providers are being compensated, and not their recipients. Expecting recipients to make guesses about who the originators were overlooks the reality that Outbound MTA provider granting access are the _only_ entities able to make this determination. When they haven't or can't, they should be blocked when abuse is being emitted. > For counting, note that the number of DKIM signers potentially > exceeds the number of valid RHS domain names, since each mail domain > can be a DKIM signer, but a DKIM signer doesn't have to be a mail > domain. DKIM is to prevent spoofing. DKIM is not intended to serve as a means to mitigate email abuse. >> DNS CIDR notation is specified by RFC 3123. This resource record >> can still be used to establish email white-list strategies instead >> of SPF records. APL records exclude potentially problematic >> macros as well. Since email CIDR records should not be obtained in >> response to SMTP connections, APL might be chained with a >> convention for _n._smtp APL, as an alternative publishing location >> for _smtp APL. When _smtp is truncated, either TCP fallback could >> be used, or _[0-9]._smtp APL queries might be used to recover from >> response truncation. > > However well designed, such scheme will thickens the ranks of mail > transmitter authentication schemes. All of them are optional, and > checking which one may apply requires an increasing amount of DNS > transactions, possibly amplified by DNSSEC. That's why VHLO, besides > taking the mail domain of the accountable organization, can also > take the parameters indicating which authentication method applies. This alternative for white-listing was mentioned only to suggest safer methods that don't rely upon potentially hazardous scripts. -Doug
- [Asrg] What are the IPs that sends mail for a dom… Franck Martin
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- Re: [Asrg] What are the IPs that sends mail for a… SM
- Re: [Asrg] What are the IPs that sends mail for a… John Johnson
- Re: [Asrg] What are the IPs that sends mail for a… Daniel Feenberg
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Lyndon Nerenberg
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… Franck Martin
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Franck Martin
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… Franck Martin
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- Re: [Asrg] reject and DSN, was What are the IPs John Levine
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Dotzero
- Re: [Asrg] What are the IPs that sends mail for a… Seth
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Paul Russell
- Re: [Asrg] What are the IPs that sends mail for a… Jeff Macdonald
- Re: [Asrg] What are the IPs that sends mail for a… Steve Atkins
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Daniel Feenberg
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Steve Atkins
- Re: [Asrg] What are the IPs that sends mail for a… Lyndon Nerenberg
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… J.D. Falk
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- Re: [Asrg] What are the IPs that sends mail for a… Dotzero
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Rich Kulawiec
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Rich Kulawiec
- Re: [Asrg] What are the IPs that sends mail for a… Rich Kulawiec
- Re: [Asrg] What are the IPs that sends mail for a… Daniel Feenberg
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- [Asrg] Proposed corollary to Godwin's law John Levine
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… David Wilson
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… J.D. Falk
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Franck Martin
- Re: [Asrg] What are the IPs that sends mail for a… Steve Atkins
- Re: [Asrg] What are the IPs that sends mail for a… David Nicol
- Re: [Asrg] What are the IPs that sends mail for a… Steve Atkins
- Re: [Asrg] What are the IPs that sends mail for a… Paul Russell
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… der Mouse
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Gordon Peterson
- Re: [Asrg] reject and DSN, was What are the IPs John Levine
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] "Affiliation" John Leslie
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Gordon Peterson
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Dotzero
- Re: [Asrg] What are the IPs that sends mail for a… Rich Kulawiec
- Re: [Asrg] What are the IPs that sends mail for a… Steve Atkins
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Seth
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] "Affiliation" Alessandro Vesely
- Re: [Asrg] reject and DSN, was What are the IPs Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] Proposed corollary to Godwin's law mathew
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… John Levine
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Rich Kulawiec
- Re: [Asrg] What are the IPs that sends mail for a… Dotzero
- Re: [Asrg] What are the IPs that sends mail for a… John Leslie
- Re: [Asrg] What are the IPs that sends mail for a… John Leslie
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] reject and DSN, was What are the IPs Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Dotzero
- Re: [Asrg] What are the IPs that sends mail for a… John Leslie
- Re: [Asrg] What are the IPs that sends mail for a… Dotzero
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… John Leslie
- Re: [Asrg] What are the IPs that sends mail for a… Dotzero
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] reject and DSN, was What are the IPs John Levine
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] reject and DSN, was What are the IPs Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] reject and DSN, was What are the IPs Chris Lewis
- Re: [Asrg] reject and DSN, was What are the IPs Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Steve Atkins
- Re: [Asrg] reject and DSN, was What are the IPs John Levine
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… Chris Lewis
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Chris Lewis
- Re: [Asrg] What are the IPs that sends mail for a… Chris Lewis
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Bill Cole
- Re: [Asrg] What are the IPs that sends mail for a… Ian Eiloart
- Re: [Asrg] What are the IPs that sends mail for a… Alessandro Vesely
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… Peter Koch
- Re: [Asrg] What are the IPs that sends mail for a… Douglas Otis
- Re: [Asrg] What are the IPs that sends mail for a… David Nicol