Re: How I deal with (false positive) IP-address blacklists...
ned+ietf@mauve.mrochek.com Tue, 09 December 2008 18:46 UTC
Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E65B128C0FD; Tue, 9 Dec 2008 10:46:27 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F231D3A6889 for <ietf@core3.amsl.com>; Tue, 9 Dec 2008 10:46:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Td+tZ4+2FFNB for <ietf@core3.amsl.com>; Tue, 9 Dec 2008 10:46:25 -0800 (PST)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by core3.amsl.com (Postfix) with ESMTP id 7CFC23A6810 for <ietf@ietf.org>; Tue, 9 Dec 2008 10:46:25 -0800 (PST)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01N2VWXXYWS000MZ3N@mauve.mrochek.com> for ietf@ietf.org; Tue, 9 Dec 2008 10:46:17 -0800 (PST)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01N2RLAAA64000007A@mauve.mrochek.com> (original mail from NED@mauve.mrochek.com) for ietf@ietf.org; Tue, 09 Dec 2008 10:46:13 -0800 (PST)
Date: Tue, 09 Dec 2008 09:39:49 -0800
From: ned+ietf@mauve.mrochek.com
Subject: Re: How I deal with (false positive) IP-address blacklists...
In-reply-to: "Your message dated Tue, 09 Dec 2008 08:00:11 -0800" <p06240813c56445e8883b@[10.20.30.163]>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-id: <01N2VWXW3J4M00007A@mauve.mrochek.com>
MIME-version: 1.0
References: <20081209061829.GA13153@mit.edu> <p06240813c56445e8883b@[10.20.30.163]>
Cc: Theodore Tso <tytso@MIT.EDU>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
> At 1:18 AM -0500 12/9/08, Theodore Tso wrote: > >This doesn't work for most people, but I had fun composing this > >response, and coming just a few weeks after people claiming that > >IP-based blacklists work well, and rarely result in false positives, I > >felt I just had to share. :-) > I don't understand. A site has a *local* blacklist: > > Delay reason: SMTP error from remote mailer after end of data: > > host rhun.apana.org.au [64.62.148.172]: 451-sender IP address 69.25.196.31 is locally blacklisted here. If you think > > 451 this is wrong, please call +61289874478. > Why do you think that this is relevant to the earlier discussion? That local > administrator could just as easily blocked your site by domain name. Sadly, it is no less relevant than many of the responses that were posted in the earlier thread. I was and continue to be somewhat appalled by the various types of sloppy thinking that have manifested during this discussion. First and foremost, personal anecdotes are not the best evidence. In fact they are barely evidence at all. For example, let me describe my latest blocked email episode. I run a small server that hosts a few users and some small mailing lists - 1000 members or thereabouts is about the largest list I have. I recently noted a bunch of addresses failing on one of my lists. Investigation revealed that I had run afoul of a local blacklist operated by a small ISP. I rarely bother to pursue such things because good outcomes are rare, but checking out their web site I thought they sounded reasonably clueful (references to rfc-ignorant.org and such), so I decided it was worth pursuing. I contacted them and was informed that while my address was clean, there was another address close by that was emitting spam that they had had to block. I asked them why they couldn't just block the specific address and was told they can only block entire ranges. And the minimum range size for them appears to be so large that the offending address isn't even associated with my ISP! Long story short, I've been screwed by an incompetently implemented local blacklist. Not to belabor the obvious, but this would not have happened had they opted to use, say, an appropriate Spamhaus list. (I checked and found my addres is not listed and the offending address is.) Nor would it have happened had they followed the implementation practices described in the DNSBL documents - they would have been able to block the offending address without blocking me as well. So does this personal experience mean that DNSBLs are a great idea? Of course it doesn't - it's just one case and probably representative of nothing. But the same hoids for all of the other personal anecdotes people have posted. Second, the fact that 10 years ago you set up sendmail for the computer club at your college doesn't make you an expert on modern large scale email systemms administration. The operational concerns for large-scale email setups today are very different from thost that would have applied to small scale setups a few years back. I'm not going to get into the insight real operational experience provides because I also lack the necessary operational experience to have an informed opinion. There are, however, several folks who do have experience with large scale email operations who have posted in this thread and others similar ones here. These are opinions that should be valued, especially when that experience doesn't jibe with your own. And yet the overall response to such postings has IMO been fairly dismissive if not outright condescending. Third, while it may be the case that large ISPs and MSPs appear to many to large, utterly impersonal edifices, the fact of the matter is that people do complain to them when they believe their email has been lost or even delayed. And the cost of handling complaints is considerable, which means that considerable effort goes into trying to minimize the amount of lost mail. (I have responded to or commmented on so many RFPs for improved filtering that cite "reduce customer complaints about false positives" that I feel entirely justified in making these assertions.) Mechanisms that have high false negative or positive rates are quickly abanndoned in practice, so the fact that many if not most large ISps and MSPS use DNSBLs really does count for something. So the next time you decide to post a message about how your poor Saintly Aunt Millie had a problem sending email to Uncle Harry a few years back and as a result DNSBLs (or whatever the email topic du hour is) suck ass now and forevermore, please do us all a favor and repurpose those electrons and instead send an email to the person you know who took a job at <randomlargeisp> and now runs their email setup asking for his or her opinion. You might even be surprised at what you hear. Ned _______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
- How I deal with (false positive) IP-address black… Theodore Tso
- Re: How I deal with (false positive) IP-address b… Mark Andrews
- Re: How I deal with (false positive) IP-address b… Theodore Tso
- Re: How I deal with (false positive) IP-address b… Mark Andrews
- Re: How I deal with (false positive) IP-address b… Theodore Tso
- Re: Why the IETF is irrelevant to the future of e… John Levine
- Re: How I deal with (false positive) IP-address b… SM
- Re: How I deal with (false positive) IP-address b… Paul Hoffman
- Re: Why the IETF is irrelevant to the future of e… Peter Dambier
- Re: How I deal with (false positive) IP-address b… ned+ietf
- Re: How I deal with (false positive) IP-address b… Dave CROCKER
- RE: How I deal with (false positive) IP-address b… michael.dillon
- RE: How I deal with (false positive) IP-address b… ned+ietf
- Re: How I deal with (false positive) IP-address b… Peter Dambier
- Re: How I deal with (false positive) IP-address b… Dave CROCKER
- RE: How I deal with (false positive) IP-address b… michael.dillon
- RE: How I deal with (false positive) IP-address b… michael.dillon
- Re: How I deal with (false positive) IP-address b… Keith Moore
- Re: How I deal with (false positive) IP-address b… Dave CROCKER
- RE: How I deal with (false positive) IP-address b… Tony Hain
- Re: How I deal with (false positive) IP-address b… Dave CROCKER
- Re: How I deal with (false positive) IP-address b… ned+ietf
- Re: How I deal with (false positive) IP-address b… Keith Moore
- Re: How I deal with (false positive) IP-address b… Peter Dambier
- RE: How I deal with (false positive) IP-address b… michael.dillon
- RE: How I deal with (false positive) IP-address b… ned+ietf
- Re: How I deal with (false positive) IP-address b… Rich Kulawiec
- Re: How I deal with (false positive) IP-address b… Theodore Tso
- Re: How I deal with (false positive) IP-address b… Dave CROCKER
- Re: How I deal with (false positive) IP-address b… Paul Hoffman
- Re: How I deal with (false positive) IP-address b… Randy Presuhn
- Re: How I deal with (false positive) IP-address b… Keith Moore
- Re: How I deal with (false positive) IP-address b… Douglas Otis
- Re: How I deal with (false positive) IP-address b… John C Klensin
- Accountable Use Registry was: How I deal with (fa… Douglas Otis
- Re: Accountable Use Registry was: How I deal with… John C Klensin