On Nov 30, 2017, at 10:28 , John Levine <johnl@iecc.com> wrote:
> In article <B9B24A4F-B0B0-484E-9039-0F68556DE014@delong.com> you write:
> Or, for a more empirical way to look at it, there's reasonable correlation between having missing, generic or incorrect reverse DNS and the host being a source of unwanted or malicious email.

I'm not so sure about that.

> It's a one way correlation. If the rDNS is busted, you can be pretty sure you don't want the mail. If the rDNS is OK, you need more clues.

Pretty sure, but far from certain. Even this one-way correlation is rather tenuous. It's mostly harmless because everyone knows that mail servers are filtering on this basis and legitimate senders therefore force themselves into workarounds. In an ideal world, I wouldn't mind accepting email from Bj0rn's laptop directly, but today, the price of doing so in SPAM is just too high, so I don't. Fortunately for everyone's sake, Bj0rn, while he may not like it, seems to find a way to send his email via some mechanism that allows me to receive it from a host that has working rDNS.

>> Unfortunately, until we get widespread deployment of something better than IP reputation based systems, ...

> You might take a look at how current spam filters work. Spamassassin is as good an example as any. It does dynamic weighted scoring of a lot of factors, of which IP reputation is only one. I find that I can use conservatively run IP blacklists as a cheap prepass to avoid sending the mail to spamassassin at all, but there's a lot more than IP by the time the mail does or does not get delivered. DKIM is useful if you have opinions about the reputations of the signing domains, not purely by whether there's a signature.

Spamassassin is as good an example as any and while it can be effective if you've got the cycles to keep it constantly updated and fed with new information and..., it's a rather large PITA for a small site with an admin that needs to count on most things running on autopilot most of the time in order to survive. So, while it might be a higher-quality solution, I'd argue that it's not completely "better" in that any autopilotable configuration of it involves a high degree of false negatives or an unacceptable level of false positives.

Perhaps this is simply the inherent cost of maintaining an open communications infrastructure with a low barrier to entry and the potential for anonymous communications which I believe has value to society and should be preserved. Perhaps someone smarter than I will some day develop a better solution.

> It seems to be an axiom that any community large enough to be interesting is large enough to contain people who are malicious, so even requiring that people be identified won't help.

People who want to be malicious are usually less willing to do so if they know that they will be identified, so actually, it does help. i.e., rarely do bank robbers sign their names to the robbery note.

Owen
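The pipeline John describes (a conservatively run blocklist as a cheap pre-pass, rDNS treated as a one-way signal, then weighted scoring in which a DKIM signature counts only through the signing domain's reputation), written out as an added example that is not part of this thread; the DNS records, blocklist entry, generic-name pattern and rule weights are constructed stand-ins, not SpamAssassin's rules or anyone's real infrastructure.

```python
import re

# Constructed, offline stand-in for DNS: PTR and A records for a few hosts
# (documentation addresses and placeholder names only).
PTR = {
    "192.0.2.10": "mail.example.net",                # clean, forward-confirmed
    "192.0.2.20": "192-0-2-20.dyn.example-isp.net",  # generic / dynamic-looking
    "192.0.2.30": "smtp.example.org",                # PTR exists, A record disagrees
}
A = {
    "mail.example.net": {"192.0.2.10"},
    "192-0-2-20.dyn.example-isp.net": {"192.0.2.20"},
    "smtp.example.org": {"203.0.113.7"},
}
BLOCKLIST = {"198.51.100.9"}  # constructed "conservatively run" IP blocklist

# Hostnames that embed the address or a dynamic-pool keyword count as generic.
GENERIC_RE = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|\b(dyn|dhcp|pool|ppp|cable|dsl)\b", re.I)

def rdns_verdict(ip):
    """One of: missing, generic, mismatch, ok (ok = forward-confirmed rDNS)."""
    name = PTR.get(ip)
    if not name:
        return "missing"
    if GENERIC_RE.search(name):
        return "generic"
    if ip not in A.get(name, set()):
        return "mismatch"
    return "ok"

# Constructed rule weights in the spirit of weighted scoring; a DKIM signature
# by itself is worth nothing, the signing domain's reputation is what scores.
RULES = {"no_dkim": 1.0, "dkim_unknown_rep": 0.0, "dkim_good_rep": -2.0,
         "dkim_bad_rep": 3.0, "html_only": 1.5, "urgent_subject": 2.0}
THRESHOLD = 5.0

def decide(ip, dkim_domain=None, reputation=None, clues=()):
    """Return (verdict, detail). Rejections happen before scoring; only mail
    from a host with working rDNS is scored against the remaining clues."""
    if ip in BLOCKLIST:
        return ("reject", "blocklist")
    rdns = rdns_verdict(ip)
    if rdns != "ok":
        return ("reject", "rdns:" + rdns)  # busted rDNS: "pretty sure you don't want it"
    hits = list(clues)
    if dkim_domain is None:
        hits.append("no_dkim")
    else:
        hits.append({"good": "dkim_good_rep", "bad": "dkim_bad_rep"}.get(reputation, "dkim_unknown_rep"))
    score = sum(RULES[h] for h in hits)
    return ("spam" if score >= THRESHOLD else "deliver", score)
```

Running `decide("192.0.2.20")` shows the cost Owen raises: a host behind generic rDNS is refused before any other evidence is weighed.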