Re: comments on refuse
Matthew Elvey <matthew@elvey.com> Sat, 06 August 2005 22:11 UTC
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j76MBGmJ055152; Sat, 6 Aug 2005 15:11:16 -0700 (PDT) (envelope-from owner-ietf-mta-filters@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j76MBGnM055151; Sat, 6 Aug 2005 15:11:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-mta-filters@mail.imc.org using -f
Received: from out5.smtp.messagingengine.com (out5.smtp.messagingengine.com [66.111.4.29]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j76MBFwd055144 for <ietf-mta-filters@imc.org>; Sat, 6 Aug 2005 15:11:16 -0700 (PDT) (envelope-from matthew@elvey.com)
Received: from frontend3.messagingengine.com (frontend3.internal [10.202.2.152]) by frontend1.messagingengine.com (Postfix) with ESMTP id 02EDECC95B8; Sat, 6 Aug 2005 18:11:13 -0400 (EDT)
X-Sasl-enc: 0prTojWuodlQ4yNCIWpvInOBUa0BdsU+8qV4861Twume 1123366272
Received: from [192.168.2.98] (adsl-209-76-222-121.dsl.snfc21.pacbell.net [209.76.222.121]) by frontend3.messagingengine.com (Postfix) with ESMTP id F0D361E1; Sat, 6 Aug 2005 18:11:11 -0400 (EDT)
Message-ID: <42F53583.8050205@elvey.com>
Date: Sat, 06 Aug 2005 15:11:15 -0700
From: Matthew Elvey <matthew@elvey.com>
User-Agent: Mozilla Thunderbird 1.0+ (Macintosh/20050712)
MIME-Version: 1.0
To: ietf-mta-filters@imc.org, Alexey Melnikov <Alexey.Melnikov@isode.com>
Subject: Re: comments on refuse
References: <200508041245.j74Cj4Ri008008@lab.smi.sendmail.com> <20050805181935.GB8460@nostromo.freenet-ag.de>
In-Reply-To: <20050805181935.GB8460@nostromo.freenet-ag.de>
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-mta-filters@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-mta-filters/mail-archive/>
List-ID: <ietf-mta-filters.imc.org>
List-Unsubscribe: <mailto:ietf-mta-filters-request@imc.org?body=unsubscribe>
I'd like to solve the spam problem (see www.rhyolite.com/anti-spam/you-might-be.html ) but we're just proposing a small improvement to SIEVE, that will help in a small but significant way reduce resource usage, but doesn't require changes that break existing Sieve or SMTP implementations. That implies some serious constraints! 'Refuse' only claims to be _less_ likely to result in backscatter to an innocent victim. It is not 'discard', or CSV (the 'best' spam remedy, IMO - see http://wiki.fastmail.fm/index.php/Certified_Server_Validation) or BATV. On 8/5/05 11:19 AM, Michael Haardt sent forth electrons to convey: > On Thu, Aug 04, 2005 at 05:45:04AM -0700, Philip Guenther wrote: > >> draft-ietf-sieve-refuse-reject-00 justifies the 'refuse' extension >> based on a claimed ability to reduce the amount and/or likelihood >> of joe-job spam. By my reading, there is only a reduction in amount >> by replacing one or more MDNs (one per recipient using 'reject') >> with one DSN and no reduction in likelihood. This is not consistent with what you say later; I think you've misunderstood the spec. 'Refuse' will replace one notification with another in a small fraction (my estimate: 10% of the time(a few % due to the exception in section 3, a few % due to 5xx errors to unidentified or unblocked relays, etc.) ; certainly << 100%) of the time it acts. My estimate implies a 90% reduction in backscatter for those replacing reject with refuse. >> While a message that >> is refused by all recipients can indeed be refused at the SMTP-level >> at the final dot, a DSN will still be generated unless the message >> was received directly from the submitting software by the SMTP-based >> sieve implementation. I find that this exception is actually a common case, accounting for >> 17% of mail delivery attempts. And in this case, neither an MDN nor a DSN is generated. (The research paper at http://www.ceas.cc/papers-2005/120.pdf confirms that some 17% of mail delivery attempts these days are made from SMTP malware that can't even retry, and hence almost certainly can't create DSNs either) >> That doesn't apply when open relays ("open >> proxies" in the draft) are involved Let me know if I need to explain the difference between open relay and open proxy and how each is used by spammers to send spam. I believe that most mail servers on the Internet do not accept mail from identifiable open relays and open proxies at all, and for them 'refuse' has no impact on backscatter. Supporting argument: Most such systems are on blacklists such as [http|socks|smtp|web].dnsbl.sorbs.net (see http://www.us.sorbs.net/using.shtml for definitions; MAPS and others have similar lists among their offerings). In particular they are on the blacklists that a consensus of reports state have the lowest risk of being used to block non-spam (that is, even lower risk than the SBL blacklist, which protects half a billion mailboxes) and hence are the most widely used. When such blacklists are used, mail is often blocked before sieve even sees the message. Blocking could occur at EHLO or earlier, such as at a border firewall. >> or if the sieve implementation >> is behind any MTAs that don't synchronously pass-through messages. >> A careful reading of the draft will show that such implementations cannot support the refuse extension. Please reread the draft and let me know if this is not clear. (Section 3, first paragraph) > > You are correct, but as a matter of fact, I do receive quite a bunch > of spam right from the sending host (spam companies or compromised (?) > dial-up systems) to a single recipient. I have no numbers, though. > > IMHO, messages should be refused at the earliest possible point. I do not > like that refuse is not defined that way, leaving open where that point > is for a specific system. OK, I agree with you here. Now we just have to come up with wording to make this clearer in the draft. Also, I have noticed that most drafts addressing spam have weak language such as: "The handling of such messages is at the discretion of the verifier or final recipient." -DKIM draft ( http://ietf.org/internet-drafts/draft-allman-dkim-ssp-00.txt ) or "... system MAY choose to reject or discard email on the basis of local policy... The actual policy decisions are outside the scope of this document." - http://spf.pobox.com/spf-draft-200406.txt (SenderID has very similar language.) Then again, CSV has somewhat stronger language: "...caution is required. The receiving SMTP server might: - Generate an SMTP session error, as suggested below. - Mark the message, to indicate that it failed validation. - Place the message into a special queue, for separate handling." CSV CSA draft ( http://mipassoc.org/csv/draft-ietf-marid-csv-csa-02.html#anchor4 ) Would you be satisfied if I added this at the beginning of section 3?: "Messages should be refused at the earliest possible point." [Alexey: I am going to steal back the virtual edit baton, OK? Or have you already started making edits? IIRC you are holding it.] > I would prefer an action like "refuse at the > earliest point, and if that means bouncing, then bounce it". How exactly does what you prefer differ from the action as I defined it in the current spec? The current spec indicates (several times!) that bouncing is a last resort and lists several negative side effects. > As it is, > we have reject, which always bounces, and refuse, which always refuses. > I have to remember which system offers what for avoiding bounces where > possible. > Backwards compatibility is a #1$@%. I expected there would be multiple objections if I tried redefining reject, which is the only reason I haven't tried. > >> - shouldn't "open proxies" be "open relays"? This is a reference >> to MTAs that relay without limits, right? >> > > Open proxies may be correct. For one, there is a bunch SOCKS proxies. > For another, there are many MTAs that do not count syntax errors > or enforce SMTP synchronisation points, thus being vulnerable to HTTP > proxies being used to CONNECT to port 25. Sending spam through open > relays has become a little old-fashioned. > "Open proxies" is correct. With "open relays", the sentence doesn't make sense. > Michael > > P.S.: Alexey: 3042bisv4 gets a belated nod from me.
- comments on refuse Philip Guenther
- Re: comments on refuse Michael Haardt
- Re: comments on refuse Matthew Elvey
- Re: comments on refuse Alexey Melnikov