Re: How I deal with (false positive) IP-address blacklists...

ned+ietf@mauve.mrochek.com Wed, 10 December 2008 02:39 UTC

Date: Tue, 09 Dec 2008 17:30:03 -0800
From: ned+ietf@mauve.mrochek.com
Subject: Re: How I deal with (false positive) IP-address blacklists...
In-reply-to: "Your message dated Tue, 09 Dec 2008 17:42:05 -0500" <493EF43D.8020203@network-heretics.com>
To: Keith Moore <moore@network-heretics.com>

> ned+ietf@mauve.mrochek.com wrote:

> > You're completely missing the point. This issue isn't knowing how to build a
> > large scale email system and I never said it was. Rather, the issue is whether
> > or not people's opinions about the effectiveness of various antispam mechanisms
> > are valid when all they have is a small amount of experience, often quite
> > dated.

> Granted that it's always dangerous to extrapolate from a small sample.

> But is anybody's experience valid, then?

> From my perspective, the guys who run these large email systems
> generally seem to believe that they have to do whatever they're doing,

Keith, with all due respect, I haven't exactly seen a flood of well-designed
proposals for viable alternatives. Perhaps instead of simply reiterating over
and over that these beliefs are false you should instead try coming up with an
alternative that demonstrates their falseness.

> regardless of how much the filtering criteria that they're using have
> anything to do with the desirability of the mail to the recipient,

Schemes that attempt to assess the desirability of the email to the recipient
have been tried - personal whitelists, personal Bayesian filters, etc. etc. In
practice they haven't worked all that well, perhaps due to the average user's
inability to capably and consistently perform such assessments.

> and
> regardless of any particular sender's or recipient's actual experience
> with having their mail filtered.

Well, sure. When you have a million users it's not only difficult to focus on
an individual user's needs, it's also totally inappropriate.

> IOW, it's very easy for both the individual and the mail system operator
> to find reasons to disregard the other's experience. Who is to say who
> is right?

Absent a working crystal ball there is of course no way to *know* who's right.
But consider this: If you have cancer, would you be more comfortable taking
that quack nostrum that one guy says cured him or the medication with proven
efficacy in a bunch of double blind clinical trials? That one guy *could* be
right. But is this a chance you want to take?

Like it or not, sample size really does matter. But if you really do prefer
individual anecdotal evidence, I'll point out that in practically every bogus
blocking incident I've seen of late, the fault lies not with an operation like
Spamhaus, but with some local yokel who thinks he's come up with the FUSSP.

> I certainly don't think that a mail system operator's actions to filter
> mail without the recipient's consent are inherently justified just
> because they happen to be operating a mail system. They do bear some
> responsibility for their role in this process and in their selection of
> filtering criteria.

And from what I've seen most of the ones I deal with - these folks are our main
customers - take those responsibilities extremely seriously, if for no other
reason than large numbers of complaints are very costly to deal with and will
end up getting them fired.

And I've seen such firings happen, so please don't bother trying to convince me
they don't.

> As for Ted's message, I just thought it was an interesting anecdote, and
> (as others have pointed out) not particularly relevant to the DNSBL
> discussion.  I didn't see anything wrong with him posting it, and don't
> understand why it's provoked such a reaction.

It provoked a strong reaction from me because it both reminded me of the
appallingly low quality of the previous discourse and seemed like an
indication of the resumption of same. And I simply couldn't take another round
of it.

> --

> And as for DNSBLs - clearly, there are both good and bad aspects to
> using third party reputation services as opposed to sites using their
> own filtering criteria.  e.g.:

> benefits of third party reputation services:
> - when the number of "customers" of a reputation service helps defray
> the cost of maintaining a current and accurate list, and of improving
> their criteria over time
> - when the high visibility of a popular reputation service helps keep it
> honest

> drawbacks of third party reputation services:
> - when a widely used reputation service is wrong in a way that affects a
> large number of sites, whereas when a single site's criteria are wrong
> it only affects that site's recipients (and arguably the single site is
> more accountable for its actions).
> - when the reputation is based on something (like an address or address
> block) that isn't sufficiently fine-grained to reliably distinguish spam
> from ham, as compared to a site filter which has access to more criteria
> and can use the larger set of criteria to filter more accurately.

> Once again, the crucial issues seem to be transparency, accountability,
> granularity rather than the reputation reporting mechanism.  Which is
> not to say that the mechanism doesn't also warrant improvement.

On this we agree, more or less. But it seems to me that these goals are far
more likely to be met with a set of standardized mechanisms than without.

				Ned