jcurran@istaff.org (John Curran) writes:
... This would suggest that spam is pervasive largely because of the large number of insecure systems available for origination (via port 25 :-), not because of providers failing to close barn doors after the fact...
I don't know why it's taken me so long to come to a conclusion about this, especially since VJS has been making noises like this for a long time and I know enough to pay attention. So-called "broadband" user populations (cable, DSL, fixed wireless, mobile wireless) are full time connected, or nearly so. They are technically unsophisticated, on average. The platforms they run trade convenience for security, and must do so in order to remain competitive/relevant. Margin pressure makes it impossible for most "broadband" service providers to even catalogue known-defect customer systems or process complaints about them. Those facts are not in dispute.

And so, today, I began rejecting all e-mail from all roadrunner, attbi, interbusiness.it, comcast, and rogers customers. And as I discover the next several thousand /16s which contain this kind of user community I will reject their e-mail also. MAPS DUL doesn't go nearly far enough, nor do any of its lookalikes, not even SORBS DUHL. You are all going to have to do this also, because the cost to you of keeping a list of which /32 is running malware at any given moment is too high when the numbers get into the millions, and even if your bots assume the worst (that is, don't even bother probing for malware) you'll still have to handle exception processing on the first spam (or the first few dozen spams).

IETF MARID could be a scalable way of performing this mass e-mail rejection, and it could be a way that legit e-mail servers can live inside "broadband" address blocks rather than having to tunnel to <www.vix.com/personalcolo> or other clue-dense address space where technical sophistication is the norm... but I can't imagine that happening at all, let alone happening in 2004/2005. I was blind, but now I see.
These netblocks are like foreign airports without metal detectors, and I've been handling the occasional transferring passenger (who's armed with things they shouldn't be) on an exception basis, including all kinds of per-incident damage, where what I need to do is land those planes outside my security perimeter and make them go through local metal detectors before they're allowed to transfer onto planes I'm responsible for.

MAPS or SORBS or somebody needs to set up a "BBL" (broad band list) which is just a list of "broadband" customer netblocks, with no moral/value judgement expressed or implied. If it's complete and updated frequently, I'd pay for a feed because of all the work it would save me personally and in my day job. (Apropos of JCurran's comments above, it wouldn't matter if netblocks on this "BBL" disabled outbound TCP/25, or not, so, they probably just wouldn't, but, they probably aren't going to, no matter whether a "BBL" exists or not.)

The new motto here is: "Blackhole 'em all and let market forces sort 'em out."

-- Paul Vixie
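The mechanism the post argues for, as an added example that is not part of the original message and not Paul Vixie's code: an MTA consults a local "BBL"-style list of broadband customer netblocks at connect time and rejects the session, and the same IP can be turned into the reversed-octet query name that DNSBL zones such as MAPS DUL use. It also shows why an aggregated netblock list is cheaper than the per-/32 list the post says does not scale, by collapsing adjacent host entries into CIDR prefixes. The netblocks (RFC 5737 documentation ranges), the zone name `bbl.example.net` and the hostname in the 220 banner are constructed placeholders, not real list data.

```python
"""Netblock-based mail rejection at SMTP connect time (added example).

All prefixes, the DNSBL zone and the banner hostname below are constructed
placeholders; a real "BBL" feed or DNSBL zone would supply its own data.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample "BBL" feed: CIDR prefixes standing in for broadband
# customer netblocks (RFC 5737 documentation ranges, not real allocations).
BBL_NETBLOCKS = [
    ipaddress.ip_network(p)
    for p in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.128/25")
]

# Hypothetical DNSBL zone; real zones such as MAPS DUL or SORBS DUHL differ.
BBL_ZONE = "bbl.example.net"


def in_bbl(ip: str, netblocks=BBL_NETBLOCKS) -> bool:
    """True if the connecting address falls inside any listed netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def dnsbl_query_name(ip: str, zone: str = BBL_ZONE) -> str:
    """Build the DNSBL lookup name for an IPv4 address: octets reversed,
    then the zone appended (the convention DUL-style lists use). The MTA
    would resolve this name; an A record answer means "listed"."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def smtp_decision(ip: str, netblocks=BBL_NETBLOCKS) -> str:
    """Return the SMTP reply an MTA would send when the peer connects:
    a 550 rejection for listed sources, the normal 220 banner otherwise."""
    if in_bbl(ip, netblocks):
        return (f"550 5.7.1 Mail from {ip} rejected: "
                "source is in a broadband customer netblock")
    return "220 mail.example.net ESMTP"


def collapse_netblocks(hosts: Iterable[str]) -> List[str]:
    """Collapse a per-/32 host list into the smallest set of CIDR prefixes.
    This is the difference between tracking millions of individual hosts
    and keeping a short list of netblocks, as the post argues."""
    nets = [ipaddress.ip_network(f"{h}/32") for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for peer in ("192.0.2.77", "203.0.113.5", "203.0.113.200"):
        print(peer, "->", smtp_decision(peer), "|", dnsbl_query_name(peer))
    # Four adjacent /32 entries become a single /30.
    print(collapse_netblocks(["192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3"]))
```

The rejection happens before any message data is accepted, so a listed source costs the receiving MTA one netblock lookup rather than the per-incident exception handling the post describes; the collapse step is what keeps that lookup list small enough to maintain as a feed.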