North American Network Operators Group
Re: Criminals, The Network, and You [Was: Something Else]
On Thu, Sep 20, 2007 at 01:31:41PM -0400, Sean Donelan wrote:
> Why should a network user have to petition his or her ISP to authorize
> their use of a valid network protocol?

Because many (most?) ISPs have done such a poor job of controlling SMTP abuse outbound from their networks over the past decade that it's now a best practice to consider all mail from generic hostnames/dynamic IP space highly suspect -- at best.

Those ISPs have repeatedly proven over many years that they aren't capable of detecting and squelching SMTP abuse sources on their own networks; this leaves everyone else with a choice: either (a) put up with it or (b) devise measures to stuff a sock in it. And (a) simply isn't tenable for mail servers receiving abuse in torrential quantities.

If any of those ISPs are unhappy with the choice of tactics encompassed by (b) then perhaps they should have anticipated that unhappiness years ago when they were first alerted to this problem. Had they taken even rudimentary steps to solve it (instead of merely having their spokesdroids repeat the bare-faced lie that they "take the spam problem seriously") then perhaps it would not have been necessary for others to devise methods to deal with their failures.

If any network user is unhappy (and I can easily see why they would be), then he or she should take that up with their ISP, since it's quite likely that their own ISP has been a contributor to the problem.

> Companies like DynDNS show there is user demand to operate their own
> servers (including P2P servers, mail servers, web servers, dns servers,
> etc) on dynamic IP addresses without needing a special "static" IP address
> or different in-addr.arpa name.

That model is no longer viable, unfortunately. I wish that weren't the case, but the combination of ISP and end-user negligence along with mass hijacking of end-user systems has rendered it so.

> They even set up RBLs of mail servers without postmaster accounts.
> Maybe we need a RBL of mail servers that don't accept mail from generic
> in-addr.arpa or dynamic IP addresses.

You are certainly free to set up a DNSBL or RHSBL using any listing criteria you wish, but please be aware that if you set up one using those particular criteria, anyone using it will likely be refusing a LOT of valid mail, including that of some very large organizations, since (as I said above) blocking such traffic has long since been established as a best practice. There are multiple DNSBLs, RHSBLs, and static lists which enumerate such hosts; for example, consider the Spamhaus PBL:

http://www.spamhaus.org/pbl/index.lasso

which relies in part on input from the ISPs themselves, and is one of the zones included in the comprehensive "zen" DNSBL zone published by Spamhaus.

---Rsk

I still adhere to the quaint/outdated/antique concept that everyone is responsible for making sure that their networks are not an operational hazard to everyone else's networks, and that they should plan, budget, staff, build, operate and train accordingly.
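
The receive-side check discussed in this message, sketched as an added example that is not part of the original post or any project's code: it builds the DNSBL query name for a connecting IPv4 address, matches the answer against the PBL return codes in the zen zone, and falls back to a generic-rDNS heuristic. The reject/suspect/accept policy, the octet-matching heuristic and all function names are assumptions of this example; the addresses and hostnames are constructed.

```python
import ipaddress
import re
import socket
from collections import Counter

ZONE = "zen.spamhaus.org"  # the "zen" zone the message refers to
# PBL return codes within zen, as documented by Spamhaus.
PBL_CODES = {"127.0.0.10", "127.0.0.11"}

def dnsbl_name(ip, zone=ZONE):
    """192.0.2.25 -> 25.2.0.192.<zone>: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_lookup(name):
    """A records for name via the system resolver; empty set if unlisted."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # NXDOMAIN or resolver failure: treat as not listed
        return set()

def looks_generic(ptr, ip):
    """Heuristic (assumption): a PTR embedding every octet of its own
    address, in any order, was generated per-address by the ISP."""
    need = Counter(int(o) for o in ip.split("."))
    have = Counter(int(t) for t in re.findall(r"\d+", ptr))
    return not (need - have)  # empty when every needed octet is present

def classify(ip, ptr, lookup=system_lookup):
    """Return 'reject', 'suspect' or 'accept' for a connecting client."""
    # Match exact codes rather than "any answer", so the zone's
    # 127.255.255.x error replies are never read as a listing.
    if lookup(dnsbl_name(ip)) & PBL_CODES:
        return "reject"    # address is in policy-listed end-user space
    if ptr is None or looks_generic(ptr, ip):
        return "suspect"   # missing or generic rDNS: score it, don't trust it
    return "accept"

if __name__ == "__main__":
    # Constructed resolver: only 192.0.2.25 is listed.
    fake = lambda n: {"127.0.0.11"} if n.startswith("25.2.0.192.") else set()
    for ip, ptr in [("192.0.2.25", "pool-192-0-2-25.dyn.example.net"),
                    ("198.51.100.7", "198-51-100-7.dsl.example.net"),
                    ("198.51.100.7", "mail.example.org")]:
        print(ip, ptr, classify(ip, ptr, fake))
```

Passing a resolver function as `lookup` keeps the example runnable offline; in production the default `system_lookup` must go through a resolver that is permitted to query the zone.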