North American Network Operators Group
Re: marking dynamic ranges, was fixing insecure email infrastructure
(sorry, first reply to list lost due to wrong From)

> In principle, nothing. In practice, the rDNS is a mess and I don't know
> many people who think it's likely to get cleaned up enough that we can
> expect to put in all the MTA MARK entries.

If you look at your logfiles you will notice that > 95% of all legit mailservers already have working and individual revDNS. And it is not about adding MTA="no" records, "MTA=yes" is much more important.

As of now for a lot of broadband users it is important if the ISP supports fastpath (disabled error correction) for online gaming and IP phones. In the future it may be important, if you want to run a mailserver, if the ISP supports revDNS.

The DE zone (about 6 mio SLDs) had in July 2004 (thanks to Peter Koch who made the survey) about 140000 unique IP addresses used in MX records. Assume the same number of outgoing MTAs and you have a really low cost - compared to other methods - first approximation for solving a part of the spam problem and providing hints for methods like greylisting (it doesn't make too much sense to greylist a mailserver) or using it as a whitelist for automated block lists (quite a number of viruses are coming from legit mailservers as a result of forwards). The more TLDs you add to the set the better the ratio domain/IPs becomes as - at least in DE - a lot of DE domains also have a companion domain in .COM, .NET, .ORG, .AT, ... that use the same mailservers.

IMHO the spam solving "business" is becoming really twisted: some methods are unacceptable because they cut off 0.001% of all mailservers (Africa + dynamic IP space; that problem could very easily be solved with a colocation or a relay for nearly no bucks per month at all). But 100% of all Internet users have to suffer each day, as 100 or 1000 times the number of hosts compared to the number of legit mailservers can inject their crap into any mailserver they like and you have little chance to block them at SMTP level. And that means the costs have already been shifted to the recipient.

But obviously we have passed the point-of-no-return and the antispam business is a big enough market share so that free-of-cost solutions (and I am not speaking of MTAMARK alone) that don't hurt the existing Internet Mail Infrastructure at all are not of any interest to the big players, as they can't make money out of it. And all the others always have the same excuse: why should I spend some 10 minutes to 2 hours to add or fix something? I'll do it if 50 others already have done it.

The answer is simple: it is very kewl to have a consistent, well-behaving and clean network that you can show around to others like your apartment, your house or your freshly washed and polished car or bike.

Another example: it is a matter of 2 minutes in 99% of all situations to fix a mailserver to send a proper and matching HELO string. What is your excuse that yours is still sending "localhost.localdomain" or "SL-2000-1.local" in contrast to what is proposed (but not required)? Isn't it your mailserver and don't you want it to look good and well-behaved while talking to other mailservers all day long?

\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is
reciprocally proportional to the amount of vacuity between the ears of the admin"
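The checks the post argues for (working, individual rDNS that forward-confirms, a HELO that is a real FQDN rather than "localhost.localdomain", and skipping greylisting only for hosts that pass) sketched as an added example that is not part of the post or of MTAMARK; the DNS answers are a constructed in-memory table rather than live lookups, and the hostname patterns treated as "looks dynamic" are an assumption:

```python
import re

# Constructed stand-in for DNS (assumption: no network; all values invented).
PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "dsl-192-0-2-20.dyn.example-isp.net",
    "192.0.2.30": "mx1.example.org",
    "192.0.2.40": None,                      # no reverse DNS at all
}
A = {
    "mail.example.net": ["192.0.2.10"],
    "dsl-192-0-2-20.dyn.example-isp.net": ["192.0.2.20"],
    "mx1.example.org": ["198.51.100.5"],     # PTR does not forward-confirm
}

# Assumed tokens that suggest a generic/dynamic pool name rather than an individual MTA.
DYNAMIC_HINT = re.compile(r"(^|[.-])(dyn|dynamic|dsl|dialup|ppp|pool|cable|dhcp)([.-]|$)", re.I)
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)
BOGUS_TLDS = {"local", "localdomain", "localhost"}   # the HELO strings the post complains about

def is_fqdn(name):
    """True if name is a syntactically valid multi-label hostname under a real-looking TLD."""
    labels = name.rstrip(".").split(".")
    return (len(labels) >= 2 and all(LABEL.match(l) for l in labels)
            and labels[-1].lower() not in BOGUS_TLDS)

def assess_sender(ip, helo, ptr=PTR, fwd=A):
    """Classify a connecting SMTP client by rDNS quality and HELO, and pick a greylisting action."""
    name = ptr.get(ip)
    fcrdns = bool(name) and ip in fwd.get(name, [])          # forward-confirmed reverse DNS
    dynamic = bool(name) and bool(DYNAMIC_HINT.search(name))
    helo_ok = is_fqdn(helo)
    helo_matches = helo_ok and name is not None and helo.rstrip(".").lower() == name.lower()
    if fcrdns and helo_matches and not dynamic:
        action = "skip-greylist"    # looks like a real, individually named mailserver
    elif name is None or dynamic:
        action = "defer"            # no or pool-style rDNS: treat as probable end-user host
    else:
        action = "greylist"         # named but not confirmed: let greylisting sort it out
    return {"ptr": name, "fcrdns": fcrdns, "dynamic": dynamic,
            "helo_ok": helo_ok, "helo_matches": helo_matches, "action": action}

if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.net"), ("192.0.2.20", "localhost.localdomain"),
                     ("192.0.2.30", "mx1.example.org"), ("192.0.2.40", "SL-2000-1.local")]:
        print(ip, helo, assess_sender(ip, helo))
```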