IETF Logo Mail Archive

Re: How I deal with (false positive) IP-address blacklists...

ned+ietf@mauve.mrochek.com Tue, 09 December 2008 18:46 UTC

Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E65B128C0FD; Tue, 9 Dec 2008 10:46:27 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F231D3A6889 for <ietf@core3.amsl.com>; Tue, 9 Dec 2008 10:46:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Td+tZ4+2FFNB for <ietf@core3.amsl.com>; Tue, 9 Dec 2008 10:46:25 -0800 (PST)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by core3.amsl.com (Postfix) with ESMTP id 7CFC23A6810 for <ietf@ietf.org>; Tue, 9 Dec 2008 10:46:25 -0800 (PST)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01N2VWXXYWS000MZ3N@mauve.mrochek.com> for ietf@ietf.org; Tue, 9 Dec 2008 10:46:17 -0800 (PST)
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01N2RLAAA64000007A@mauve.mrochek.com> (original mail from NED@mauve.mrochek.com) for ietf@ietf.org; Tue, 09 Dec 2008 10:46:13 -0800 (PST)
Date: Tue, 09 Dec 2008 09:39:49 -0800
From: ned+ietf@mauve.mrochek.com
Subject: Re: How I deal with (false positive) IP-address blacklists...
In-reply-to: "Your message dated Tue, 09 Dec 2008 08:00:11 -0800" <p06240813c56445e8883b@[10.20.30.163]>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-id: <01N2VWXW3J4M00007A@mauve.mrochek.com>
MIME-version: 1.0
References: <20081209061829.GA13153@mit.edu> <p06240813c56445e8883b@[10.20.30.163]>
Cc: Theodore Tso <tytso@MIT.EDU>, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

> At 1:18 AM -0500 12/9/08, Theodore Tso wrote:
> >This doesn't work for most people, but I had fun composing this
> >response, and coming just a few weeks after people claiming that
> >IP-based blacklists work well, and rarely result in false positives, I
> >felt I just had to share.   :-)

> I don't understand. A site has a *local* blacklist:

> >    Delay reason: SMTP error from remote mailer after end of data:
> >    host rhun.apana.org.au [64.62.148.172]: 451-sender IP address 69.25.196.31 is locally blacklisted here. If you think
> >    451 this is wrong, please call +61289874478.

> Why do you think that this is relevant to the earlier discussion? That local
> administrator could just as easily blocked your site by domain name.

Sadly, it is no less relevant than many of the responses that were posted
in the earlier thread.

I was and continue to be somewhat appalled by the various types of sloppy
thinking that have manifested during this discussion.

First and foremost, personal anecdotes are not the best evidence. In fact
they are barely evidence at all.

For example, let me describe my latest blocked email episode. I run a small
server that hosts a few users and some small mailing lists - 1000 members or
thereabouts is about the largest list I have. I recently noted a bunch of
addresses failing on one of my lists. Investigation revealed that I had run
afoul of a local blacklist operated by a small ISP. I rarely bother to pursue
such things because good outcomes are rare, but checking out their web site I
thought they sounded reasonably clueful (references to rfc-ignorant.org and
such), so I decided it was worth pursuing.

I contacted them and was informed that while my address was clean, there was
another address close by that was emitting spam that they had had to block. I
asked them why they couldn't just block the specific address and was told they
can only block entire ranges. And the minimum range size for them appears to be
so large that the offending address isn't even associated with my ISP! Long
story short, I've been screwed by an incompetently implemented local blacklist.

Not to belabor the obvious, but this would not have happened had they opted to
use, say, an appropriate Spamhaus list. (I checked and found my addres is not
listed and the offending address is.) Nor would it have happened had they
followed the implementation practices described in the DNSBL documents - they
would have been able to block the offending address without blocking me as
well.

So does this personal experience mean that DNSBLs are a great idea? Of course
it doesn't - it's just one case and probably representative of nothing. But the
same hoids for all of the other personal anecdotes people have posted.

Second, the fact that 10 years ago you set up sendmail for the computer club at
your college doesn't make you an expert on modern large scale email systemms
administration. The operational concerns for large-scale email setups today are
very different from thost that would have applied to small scale setups a few
years back.

I'm not going to get into the insight real operational experience provides
because I also lack the necessary operational experience to have an informed
opinion.

There are, however, several folks who do have experience with large scale email
operations who have posted in this thread and others similar ones here. These
are opinions that should be valued, especially when that experience doesn't
jibe with your own. And yet the overall response to such postings has IMO been
fairly dismissive if not outright condescending.

Third, while it may be the case that large ISPs and MSPs appear to many to
large, utterly impersonal edifices, the fact of the matter is that people do
complain to them when they believe their email has been lost or even delayed.
And the cost of handling complaints is considerable, which means that
considerable effort goes into trying to minimize the amount of lost mail. (I
have responded to or commmented on so many RFPs for improved filtering that
cite "reduce customer complaints about false positives" that I feel entirely
justified in making these assertions.) Mechanisms that have high false negative
or positive rates are quickly abanndoned in practice, so the fact that many if
not most large ISps and MSPS use DNSBLs really does count for something.

So the next time you decide to post a message about how your poor Saintly Aunt
Millie had a problem sending email to Uncle Harry a few years back and as a
result DNSBLs (or whatever the email topic du hour is) suck ass now and
forevermore, please do us all a favor and repurpose those electrons and instead
send an email to the person you know who took a job at <randomlargeisp> and now
runs their email setup asking for his or her opinion. You might even be
surprised at what you hear.

				Ned
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email