Re: [Asrg] What are the IPs that sends mail for a domain?

Alessandro Vesely <vesely@tana.it> Tue, 23 June 2009 17:39 UTC

Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B10D028C370 for <asrg@core3.amsl.com>; Tue, 23 Jun 2009 10:39:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.57
X-Spam-Level:
X-Spam-Status: No, score=-0.57 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4db5fGzlTnQ9 for <asrg@core3.amsl.com>; Tue, 23 Jun 2009 10:39:39 -0700 (PDT)
Received: from wmail.tana.it (mail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id A05FA28C3EC for <asrg@irtf.org>; Tue, 23 Jun 2009 10:38:46 -0700 (PDT)
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Tue, 23 Jun 2009 19:39:01 +0200 id 00000000005DC02F.000000004A411335.00001394
Message-ID: <4A411335.3070507@tana.it>
Date: Tue, 23 Jun 2009 19:39:01 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <20090617175332.5169.qmail@simone.iecc.com> <4A3B6E59.5010002@tana.it> <BA2257A830C1667CF12F63DD@lewes.staff.uscs.susx.ac.uk> <4A3F7AAC.8030402@tana.it> <EFF1CE90263B9E8BC0C8DF19@lewes.staff.uscs.susx.ac.uk> <20090622215354.GC2137@gsp.org> <09283EE0-0252-4DD0-9BDA-FAA9B1B10C4A@blighty.com>
In-Reply-To: <09283EE0-0252-4DD0-9BDA-FAA9B1B10C4A@blighty.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2009 17:39:40 -0000

Steve Atkins wrote:
>>> We use IP address reputation services because there's nothing else we 
>>> can use [...]
>>
>> I don't think so.  Domains and addresses are nearly-free and disposable,
>> so spammers could easily render both pointless exercises whenever it
>> suited them to do so.  Given that registrars are quite happy to continue
>> selling dirt-cheap domains by the thousands to even the worst spammers
>> (and registrars ARE spammers) it will always be possible for abusers to
>> come up with another domain and another email address -- or another ten
>> thousand of each -- whenever it suits them.   Network space is not quite
>> so easy to come by, so I think we stand a better chance keeping track of
>> allocations.

Maintaining reputation records based on domain is much easier than 
doing single email addresses, especially if one knows what egress 
anti-spam practices they deploy, and what's their policy for creating 
new accounts. In this case, mandating SUBMIT a la SPF shouldn't affect 
a domain's reputation; however, only messages that are relayed that 
way can be whitelisted on the basis that they come from a whitelisted 
domain.

> The critical point here is that while it's easy to cycle through domains,
> only those who are doing Bad Stuff will do so.
> 
> If you're sending wanted email then the reputation associated with any 
> reputation key (including domains) will increase, and quality of delivery 
> will continue to improve.

A domain changing ISP or location will most likely get new IP 
addresses. This noise is absent when tracking reputation by domain name.

> If you're sending unwanted email then the associated reputation will 
> decrease and delivery rates will drop. Because of that, people sending 
> bad email will cycle through reputation identifiers rapidly, meaning that
> their reputation is never better than that of a brand new identifier, 
> but not usually much worse.

If whitelists by domain were the rule, newcomers would seek the 
endorsement of their business associations, reputable friends, and 
possibly even employees. They will introduce themselves, and avoid 
whois privacy concealments. Investing in such sort of vernissage for 
new IP addresses makes little sense.

> That makes reputation of this sort (whether it be IP based, authenticated 
> domain based or anything else where it's easy to create a new reputation 
> key, but hard to steal someone else's) extremely useful for identifying 
> mail that's likely to be wanted, and not really great for identifying 
> mail that's likely to be unwanted. It's not something that's useful on 
> its own, but it's incredibly useful when used in conjunction with other 
> approaches.

It's only natural to think that mail that's likely to be wanted shall 
take priority, as it does not require Bayesian content filtering, 
waiting for hashes from honeypots, and similar mumbo jumbos. Then, if 
whitelisted domains become widespread, we can peacefully harden the 
rules for filtering the rest.

The point is, if it is easier and more convenient, why aren't there plenty of 
RHSWLs out there?
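As an added illustration of the reputation-key mechanics argued over in this thread (this is not code from the list or from any of its participants), the following Python simulation keeps two ledgers over constructed traffic: one keyed by the relaying IP, and one keyed by the SPF-authenticated domain that falls back to the IP when the check fails. It shows the three behaviours discussed above: a domain that moves to a new ISP keeps its standing under domain keying but starts from zero under IP keying; forged mail claiming a whitelisted domain without passing SPF neither inherits nor damages that domain's score; and a sender burning through fresh domains never scores better than a brand-new key, while reusing the same IP does accumulate a negative IP score. All addresses, domain names, counts and the net-count scoring rule are assumptions made for the demonstration.

```python
"""Toy reputation ledger: IP-keyed versus authenticated-domain-keyed scoring.

Added example with constructed traffic; addresses, domains and the scoring
rule are assumptions, not data from the ASRG thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    ip: str          # relaying IP address seen by the receiver
    domain: str      # domain in the envelope sender (MAIL FROM)
    spf_pass: bool   # whether `ip` is authorised to send for `domain`
    wanted: bool     # recipient feedback after delivery


class Ledger:
    """Net (wanted - unwanted) count per reputation key; an unknown key scores 0."""

    def __init__(self, keyer):
        self.keyer = keyer
        self.net = {}

    def score(self, m):
        return self.net.get(self.keyer(m), 0)

    def record(self, m):
        k = self.keyer(m)
        self.net[k] = self.net.get(k, 0) + (1 if m.wanted else -1)


def by_ip(m):
    return ("ip", m.ip)


def by_auth_domain(m):
    # Reputation attaches to the domain only for mail the domain authorised
    # (SPF pass); anything else falls back to the relaying IP, so forged mail
    # can neither borrow the domain's standing nor damage it.
    return ("domain", m.domain) if m.spf_pass else ("ip", m.ip)


def simulate():
    ip_led, dom_led = Ledger(by_ip), Ledger(by_auth_domain)

    def deliver(m):
        # Score the message with the reputation known *before* it arrives,
        # then fold the recipient's feedback into both ledgers.
        before = (ip_led.score(m), dom_led.score(m))
        ip_led.record(m)
        dom_led.record(m)
        return before

    # 1. example.org sends ten wanted messages from its first ISP (constructed).
    for _ in range(10):
        deliver(Msg("192.0.2.10", "example.org", True, True))

    # 2. Same domain moves to a new ISP: IP reputation restarts at 0,
    #    domain reputation carries over.
    after_move = deliver(Msg("203.0.113.7", "example.org", True, True))

    # 3. Forged mail claiming example.org from an unauthorised host (SPF fail):
    #    it is scored on its IP, so it gets no whitelist benefit ...
    forged = deliver(Msg("198.51.100.5", "example.org", False, False))
    #    ... and the spam report does not touch example.org's own score.
    domain_after_forgery = dom_led.score(Msg("203.0.113.7", "example.org", True, True))

    # 4. A sender cycling through a fresh domain per batch from one IP:
    #    each new domain is scored as a brand-new key, but the reused IP
    #    accumulates the negative feedback.
    churn_ip, churn_domain = [], []
    for i in range(3):
        m = Msg("198.51.100.9", f"burner{i}.example", True, False)
        s_ip, s_dom = deliver(m)
        churn_ip.append(s_ip)
        churn_domain.append(s_dom)

    return {
        "after_move": after_move,                  # (0, 10)
        "forged": forged,                          # (0, 0)
        "domain_after_forgery": domain_after_forgery,  # 11
        "churn_ip": churn_ip,                      # [0, -1, -2]
        "churn_domain": churn_domain,              # [0, 0, 0]
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The design choice worth noting is in `by_auth_domain`: the domain key is only used when the message passed the domain's own authorisation check, which is exactly the condition under which a domain whitelist can safely apply. Without that gate, anyone could claim a whitelisted domain, and anyone could poison it.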