nanog mailing list archives
Re: marking dynamic ranges, was fixing insecure email infrastructure
From: Markus Stumpf <maex-lists-nanog () Space Net>
Date: Mon, 24 Jan 2005 22:29:49 +0100
(sorry, first reply to list lost due to wrong From)
In principle, nothing. In practice, the rDNS is a mess and I don't know many people who think it's likely to get cleaned up enough that we can expect to put in all the MTA MARK entries.
If you look at your logfiles you will notice that > 95% of all legit mailservers already have working and individual revDNS. And it is not about adding MTA="no" records, "MTA=yes" is much more important.

As of now for a lot of broadband users it is important if the ISP supports fastpath (disabled error correction) for online gaming and IP phones. In the future it may be important, if you want to run a mailserver, if the ISP supports revDNS.

The DE zone (about 6 million SLDs) had in July 2004 (thanks to Peter Koch who made the survey) about 140000 unique IP addresses used in MX records. Assume the same number of outgoing MTAs and you have a really low cost - compared to other methods - first approximation for solving a part of the spam problem and providing hints for methods like greylisting (it doesn't make too much sense to greylist a mailserver) or using it as a whitelist for automated block lists (quite a number of viruses are coming from legit mailservers as a result of forwards). The more TLDs you add to the set the better the ratio domain/IPs becomes as - at least in DE - a lot of DE domains also have a companion domain in .COM, .NET, .ORG, .AT, ... that use the same mailservers.

IMHO the spam solving "business" is becoming really twisted: Some methods are unacceptable because they cut off 0.001% of all mailservers (Africa + dynamic IP space; that problem could very easily be solved with a colocation or a relay for nearly no bucks per month at all). But 100% of all Internet users have to suffer each day, as 100 or 1000 times the number of hosts compared to the number of legit mailservers can inject their crap to any mailserver they like and you have little chance to block them at SMTP level. And that means the costs have already been shifted to the recipient.
But obviously we have passed the point-of-no-return and the antispam business is a big enough market share so that free-of-cost solutions (and I am not speaking of MTAMARK alone) that don't hurt the existing Internet Mail Infrastructure at all, are not of any interest to the big players, as they can't make money out of it.

And all the others always have the same excuse: why should I spend some 10 minutes to 2 hours to add or fix something. I'll do it if 50 others already have done it. The answer is simple: it is very kewl to have a consistent, well behaving and clean network that you can show around to others like your apartment, your house or your freshly washed and polished car or bike.

Another example: it is a matter of 2 minutes in 99% of all situations to fix a mailserver to send a proper and matching HELO string. What is your excuse that yours is still sending "localhost.localdomain" or "SL-2000-1.local" in contrast to what is proposed (but not required)? Isn't it your mailserver and don't you want it to look good and well-behaved while talking to other mailservers all day long?

	\Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
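As an added illustration (not part of the original message or of any MTA's code), the following Python sketch shows what a receiving server can check about the "proper and matching HELO string" and working revDNS discussed above. The DNS tables, the finding names and the function `helo_findings` are assumptions made for this example; the lookups use constructed documentation addresses so it runs offline.

```python
# Constructed sample data: documentation addresses and example domains only.
# In a real deployment these two lookups would be PTR and A queries.
PTR = {  # reverse DNS: client IP -> name
    "192.0.2.25": "mx1.example.net",
    "198.51.100.7": "dsl-198-51-100-7.dyn.example.org",
    "192.0.2.80": "mail.example.com",
}
A = {  # forward DNS: name -> set of addresses
    "mx1.example.net": {"192.0.2.25"},
    "dsl-198-51-100-7.dyn.example.org": {"198.51.100.7"},
    "mail.example.com": {"192.0.2.81"},  # forward record does not point back
}

# Suffixes that can never name a host reachable from the public Internet
# (hypothetical list chosen for this example).
NON_PUBLIC_SUFFIXES = (".local", ".localdomain", ".lan", ".internal")


def helo_findings(client_ip, helo, ptr=PTR, a=A):
    """Return the list of problems with one SMTP client's HELO/rDNS identity.

    An empty list means: public FQDN in HELO, rDNS present, rDNS
    forward-confirmed, and HELO consistent with the connecting address.
    """
    findings = []
    name = helo.strip().rstrip(".").lower()

    if name.startswith("["):
        findings.append("helo-is-address-literal")
    elif "." not in name or name == "localhost" or name.endswith(NON_PUBLIC_SUFFIXES):
        findings.append("helo-not-public-fqdn")

    rdns = ptr.get(client_ip)
    if rdns is None:
        findings.append("no-rdns")
        return findings  # nothing left to compare the HELO against

    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if client_ip not in a.get(rdns, set()):
        findings.append("rdns-not-forward-confirmed")

    # "Matching" HELO: same as the rDNS name, or a name that resolves to the client.
    if name != rdns.lower() and client_ip not in a.get(name, set()):
        findings.append("helo-does-not-match-client")
    return findings
```

The findings are meant as inputs to scoring or greylisting decisions, in line with the message's remark that a matching HELO is proposed but not required.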