Re: Schneier: ISPs should bear security burden
[In the message entitled "Re: Schneier: ISPs should bear security burden" on May 1, 12:25, "Jay R. Ashworth" writes:]
Ok, so here's a question for you, Dave:
do you have a procedure for entertaining requests to be excluded from your replies from people with legitimate needs to operate MTAs, who have been given (let us say) static addresses by their providers which fall within a range you understand to be dialup?
(I'm assuming you include cable and DSL end-user address pools; this is the sort of thing I'm asking about.)
Of course, Jay.

First off, static addresses don't belong on the DUL (unless the ISP chooses to list them).

Second, any address can be removed by the ISP (even if it is a /32 in the middle of an otherwise all dynamic /16). End-users are directed to have their ISP contact us, as we *do not* take the end-user's word for it.

A quick note to dul@mail-abuse.com will get it handled.

--
In article <m1DSI5v-008i6YC@rdaver.bungi.com> you write:
Actually I think there are multiple classes in DUL.

1. unfiltered addresses, dynamic
2. unfiltered addresses, static
3. ISP-filtered addresses, dynamic
4. ISP-filtered addresses, static

Most people using DUL for blocking want to detect the unfiltered addresses. Filtered address space poses no more risk than any space not on the DUL and may in fact pose less risk, as you know that it requires a deliberate act by the ISP to allow outgoing SMTP connections.

What's needed is two lists. One for the unfiltered and a second for the filtered addresses. The second one can be used as a white list for those who insist on using name-patterns to block addresses. We already have evidence in this thread of one person using DUL as a white list.

By continuing to lump filtered and unfiltered addresses together you are throwing out the baby with the bath water.

I don't see the need to distinguish between static and dynamic addresses. All address space can be classed as static / dynamic depending upon the time frame the address use is measured over.

Mark
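The two-list scheme proposed in the post above, worked through as an added example (not code from the list operator or from anyone in this thread): an MTA policy check that rejects connections from unfiltered dynamic space, honours an ISP's per-address removal, and uses the filtered list as a whitelist that overrides hostname-pattern blocking. The CIDR blocks, PTR names and the `dul.example` zone are constructed placeholders; a real deployment would look these up over DNS instead of in local tables.

```python
# Added example: SMTP acceptance policy built on two DUL-style lists
# (unfiltered vs ISP-filtered address space) plus ISP-requested exclusions.
# All list contents below are constructed for the example.
import ipaddress
import re

# Constructed list data: CIDR blocks an ISP has registered with each list.
UNFILTERED_DUL = [ipaddress.ip_network("192.0.2.0/24")]     # dynamic, port 25 open
FILTERED_DUL = [ipaddress.ip_network("198.51.100.0/24")]    # ISP blocks outbound 25
ISP_EXCLUSIONS = [ipaddress.ip_network("192.0.2.77/32")]    # static host the ISP removed

# Name patterns a site might use to guess dial-up/DSL space from the PTR record.
DYNAMIC_PTR_PATTERNS = [re.compile(r"(dsl|dialup|dyn|cable)", re.IGNORECASE)]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet DNSBL query name, e.g. 10.2.0.192.dul.example."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def in_list(ip: str, networks) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def smtp_policy(ip: str, ptr_name: str) -> str:
    """Decide 'accept' or 'reject' for a connecting client, with the reason."""
    # An ISP can remove a single /32 from the middle of a dynamic block.
    if in_list(ip, ISP_EXCLUSIONS):
        return "accept: ISP removed this address from the DUL"
    if in_list(ip, UNFILTERED_DUL):
        return "reject: unfiltered dynamic address space"
    if in_list(ip, FILTERED_DUL):
        # Filtered space poses no more risk than unlisted space, so the
        # filtered list acts as a whitelist over hostname-pattern blocks.
        return "accept: ISP-filtered space whitelisted"
    if any(p.search(ptr_name) for p in DYNAMIC_PTR_PATTERNS):
        return "reject: hostname pattern suggests dynamic space"
    return "accept: not listed"
```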
Mark_Andrews@isc.org (Mark Andrews) writes:
By continuing to lump filtered and unfiltered addresses together you are throwing out the baby with the bath water.
the smtp protocol was designed in a time when ~Mbit/sec connections did not yet exist, and ~10Kbit/sec connections cost many thousands of dollars per month, and were used only by people who could prove membership in an established meatspace trust fabric ("i have a gov't research contract") and whose hosts cost hundreds of thousands, or millions, of dollars, each having dedicated technical staff. expecting the same protocol to be used when ~Mbit/sec connections are held by hundreds of millions of uneducated users with hundred-dollar hosts is absurd.

but in spite of enhancements like EHLO and AUTH, most internet e-mail is sent with the same level of authentication/confidence as before. the natural market outcome is to throw a lot of babies out with bathwater.

see http://www.isc.org/personalcolo/ for the longer version of this rant, and just know that i reject ~many spams a day by refusing all mail from SBC's DSL blocks, with ~few false positives. that's SBC, alone.

if you want different bathwater, it is available. there are still high-rent neighborhoods with high default expectations of the quality of traffic emanating from same. live in one, or at least rent a mailbox in one. asking people to accept e-mail from DSL networks is absurd, since they would have to act against their own best interests, and they ~know it.

--
Paul Vixie
participants (3): dlr@bungi.com, Mark Andrews, Paul Vixie