Re: How I deal with (false positive) IP-address blacklists...

John C Klensin <john-ietf@jck.com> Thu, 11 December 2008 21:51 UTC

Date: Thu, 11 Dec 2008 16:51:22 -0500
From: John C Klensin <john-ietf@jck.com>
To: Douglas Otis <dotis@mail-abuse.org>, Keith Moore <moore@network-heretics.com>
Subject: Re: How I deal with (false positive) IP-address blacklists...
Cc: ned+ietf@mauve.mrochek.com, ietf@ietf.org


--On Thursday, 11 December, 2008 10:24 -0800 Douglas Otis
<dotis@mail-abuse.org> wrote:

>...
> Rather than depending upon knowing the location of specific
> abusive sources, the Internet needs a registry of legitimate
> sources which includes contacts and IP address ranges.  Such a
> list should reduce the scale of the problem, and allow safer
> exclusions.  
>...

Doug,

Independent of much of the rest of this discussion (and a lot of
its tone, which I both sympathize with and deplore), that
suggestion takes us down exactly the path some of us most fear
and which some of the folks who have been posting read into the
use of blacklists in practice (whether that reading is
reasonable or not).

As soon as one starts talking about a registry of "legitimate"
sources, one opens up the question of how "legitimate" is
determined.  I can think of a whole range of possibilities --
you, the ITU Secretary-General, anyone who claims to have the
FUSSP, governments (for their own countries by licensing or more
generally), ICANN or something ICANN-like, "large email
providers", and so on.  Those options have two things in common.
Most (but not all) of them would actually be dumb enough to
take the job on and they are all unacceptable if we want to
continue to have a distributed-administration email environment
in which smaller servers are permitted to play and people get to
send mail without higher-level authorization and certification.

While I freely admit that I have not had hands-on involvement in
managing very large email systems in a large number of years
now, I mostly agree with Ned that some serious standards and
documentation of clues would be useful in this general area.
But I see those as useful if they are voluntary standards, not
licensing or external determination of what is legitimate.  And
they must be the result of real consensus processes in which
anyone interested, materially concerned, and with skin in the
game gets to participate in development and review/evaluation,
not specifications developed by groups driven by any single
variety of industry interests and then presented to the IETF (or
some other body) on the grounds that they must be accepted
because anyone who was not part of the development group is
obviously an incompetent idiot who doesn't have an opinion worth
listening to.  

That has been my main problem with this discussion, and its
variants, all along.  While I've got my own share of anecdotes,
I don't see them as directly useful other than as refutations of
hyperbolic claims about things that "never" or "always" happen.
But, when the IETF effectively says to a group "ok, that is a
research problem, go off and do the research and then come back
and organize a WG", it ought to be safe for someone who is
interested in the problem and affected by it --but whose primary
work or interests lie elsewhere-- to more or less trust the RG
to produce a report and then to re-engage when that WG charter
proposal actually appears.  Here, the RG produced
standards-track proposals, contrary to that agreement, and then
several of its participants took the position that those
proposals already represented consensus among everyone who
counted or was likely to count.  Independent of the actual
content of the proposal(s), that is not how I think we do things
around here... nor is laying the groundwork for an official
determination of who is "legitimate" and who is not.

    john
