[Asrg] Re: Asrg Digest, DNSBL BCP v.2.0
Stephanie Erin Daugherty
stephanie at ahbl.org
Sat Mar 3 01:48:07 EST 2007
Bill,
Thank you for the very insightful rebuttal to many of my arguments.
Bill Cole wrote:
> At 11:19 PM -0500 3/2/07, Stephanie Erin Daugherty wrote:
>
>> I'll agree that it's a horrible idea. At one point, a DNSBL could
>> effectively stop a lot of spam. Now, most DNSBL operators and DNSBL
>> users have realized that the technology long ago ceased to be useful
>> in stopping all but the most persistent and long-lived spam sources,
>> and compromised hosts.
>
> That is not consistent with the evidence I have on hand.
>
> I deal with multiple receiving sites (corporate and microdomain) and
> know of none where the CBL fails to reject over 2/3 of all SMTP
> connections or has ever had a detectable false positive rate greater
> than 1 per million rejections over a period of over a month, with the
> false positives coming in very brief episodes (commonly describable as
> the consequences of ill-considered NAT designs.) For most sites, the
> reject rate is usually in the 75-80%.
>
My experience has been different, but then I'm not administering mail
for a corporation or major provider either, so my experiences may not
match yours. My own, admittedly non-scientific, findings have been that
the more sophisticated spammers use compromised hosts almost immediately
after they are compromised, or make multiple brute force attempts via
various compromised hosts until they find one that's allowed to connect.
> I think that's an appealing story that does not always describe
> reality. I know there are some providers who respond to listings, but
> there are some who simply don't, and are unimpeded by that for years.
> The entity formerly known as UUNet (finally seeming to clean up a bit
> since the VZ acquisition,) the 'new' AT&T (i.e. SBC,) Comcast, and
> the Chinese Internet oligopoly seem impervious to the supposed
> business impact of DNSBLs.
>
Unfortunately, it doesn't always work, but systematically escalating a
listing after each successive effort to negotiate with a provider has
gotten the attention of some of these large providers in the past.
Unfortunately, this is a big sharp stick that loses its effectiveness
every time it's used - as many mail administrators will usually locally
white list any major provider that's blocked by a DNSBL they use, or
will stop using a DNSBL that's willing to block major providers.
However, when this is judiciously applied, and coupled with pressure
from the provider's own customers, it can work and has worked, at least
to a degree, but it's a very extreme measure that can only be used in
very extreme circumstances without major loss of a DNSBL's credibility
(and therefore its effectiveness).
Spews (IANS) was somewhat limited in this regard, because although
they were willing to escalate listings, they had such a reputation for
doing so that most of its users were hardcore spamfighters anyway, and
not large mail sites.
>
> The UDP worked better when it was applied than anything in email can
> because the news network is built on a fundamental building block of
> explicit and strictly bilateral agreements to pass traffic. Sites that
> have agreements with everyone they accept mail from don't have major
> spam problems.
>
You may have hit the nail on the head here as to why current solutions
aren't working that well, and maybe that's an approach we should strive
for - an email system built on consensual agreements.
--Stephanie