Re: Last Call: draft-irtf-asrg-dnsbl (DNS Blacklists and Whitelists)

Matthias Leisi <matthias@leisi.net> Sun, 09 November 2008 17:41 UTC

[Disclosure: I am the leader of the dnswl.org project; I provided some
input into the DNSxL draft as far as it concerns whitelists.]

Keith Moore wrote:

> These incidents happen one at a time.  It's rarely worth suing over a
> single dropped message, and yet the aggregate amount of harm done by IP
> based reputation services is tremendous.

I would not want to reduce the situation to blacklists only. You use the
correct term - IP based reputation services - but fail to mention that
this includes whitelists, and that decisions other than "drop" can be
made based upon data returned by such services.

Regarding the "dropped message": While outside the scope of the DNSxL
draft, it is pretty much consensus that messages should not be dropped
in the sense of deleted or "stored in a seldom reviewed quarantine
folder", but that a clear SMTP 5xx error code should be returned.

DNSBLs in conjunction with SMTP 5xx error codes actually increase the
value of the overall email system by enhancing its reliability.

> receive.  But they're not as likely to know about messages that they
> never receive because of false positives, so of course they're less
> likely to complain about them.  And the cost (to sender or recipient) of
> a message blocked for bogus reasons can be far higher than the cost to
> the recipient of a spam.   

I believe it is generally agreed that false positives are the main risk
with spam filter solutions. This applies both to individual tools like
DNSxLs and to the "filtering machine" as a whole as perceived by the
recipient (and the sender). No automated solution can guarantee the
absence of false positives.

On the other hand, the manual solution is far worse in terms of false
positives, in my experience - the human error rate is pretty high when
e.g. a spammy inbox must be reviewed manually.

It is true that many spam filter solutions are short on "ham rules"
which would offset erroneous (or bogus, as you chose to call it) "spam
rules". The reason is obvious: most ham rules would be trivial to
forge for a spammer -- something which is not practical with IP
addresses. That's why IP addresses are so important for spam filter
decisions, both for black- and for whitelisting.

> And the relative number of complaints is not
> a reliable indicator of those costs.

It's probably the best indicator available?

-- Matthias, for dnswl.org