[Asrg] draft-irtf-asrg-bcp-blacklists-04

Douglas Otis dotis at mail-abuse.org
Tue Jul 29 10:58:54 PDT 2008


This represents an improvement over the prior draft.  However, there
are recommendations that will not endure evolving bad-actor
strategies, and opinions expressed about block-list automation that are
wholly wrong for the same reason, evolving bad-actor strategies.

It is understandable for a draft to speak to a constituency of  
supporters.  In this case, the supportive audience appears to include  
bulk senders and ISPs.  After all, these two groups are dramatically  
affected by the operation of block-lists intent on mitigating abusive
behavior.  Unfortunately, a few recommendations being made in this
draft cannot be characterized as a best practice.

Most predominately:
,---
| 2.2.3.  Removals SHOULD Be Prompt
|
| ...
|
| A DNSBL MAY impose restrictions on who (e.g. network operator's
| representative or domain name owner) may make valid removal requests.
| However, in many DNSBLs this is inadvisable because it requires
| impractical amounts of effort and is hence NOT RECOMMENDED in most
| cases.
'___

Limiting interaction to owners of an address space or domain limits  
with whom the DNSBL operator interacts.  In this perspective, such a  
requirement reduces the efforts required of a responsible DNSBL  
operator.  Since few if any DNSBL operators can observe more than a
small percentage of the traffic showing signs of abuse, the role
automation might play is extremely limited.  Such automation should be  
seen as a short-term strategy in response to the proliferation of spam  
sent with the aid of bot-nets.  Unfortunately, a growing percentage of  
bad-actors utilizing bot-net services also take advantage of millions  
of 0wned systems to rapidly discover which email destinations are  
monitored.

Even when a large number of new destinations on divergent networks are
added, more than 30% of today's bad-actors are now able to quickly avoid
these new destinations due to automated listing and delisting
practices.  As a result, automated listing and delisting now leads to
spam trap blindness.  Something that causes blindness can hardly be
characterized as a best practice.  Without supporting evidence,
bad-actors are then free to continue spamming.  Only the ISP or domain
owner is able to fully monitor the situation and ensure the detected
abuse stops.  Direct interaction with end-users by DNSBL operators is
seldom productive, and automation is ultimately not practical at
achieving their desired goals.

Remove the sentence:

: However, in many DNSBLs this is inadvisable because it requires
: impractical amounts of effort and is hence NOT RECOMMENDED in most
: cases.

and the subsequent paragraphs--

: Many DNSBLs can effectively use a "no questions asked" removal policy
: because by their very nature they will redetect or relist problems
: almost immediately.  They can mitigate more organized attempts to
: "game" the system by elementary checking and rate-limiting
: procedures, increasing lockout periods, rescans etc.  Furthermore, a
: few IP addresses more or less usually do not make a significant
: difference in the overall effectiveness of a DNSBL.  Moreover, a "no
: questions asked" removal policy provides the huge benefit of a swift
: reaction to incorrect listings.
:
: As an example, one popular DNSBL uses a "no questions asked" removal
: policy, but does perform rate-limiting and malicious removal
: detection and mitigation.
:
: Another important consideration supporting a "no questions asked"
: self-removal policy is that it forestalls many conflicts between
: DNSBL operators and organizations whose IP/domain addresses have been
: listed.  Such a policy may be an effective measure to prevent small
: issues from becoming big problems.

Section 2.2.1 also attempts to sell the flawed concept of listing  
automation:

2.2.1.  Listings SHOULD Be Temporary
...

Remove item 3 since automation of block-listing is increasingly
defeated.  Shortly this strategy will need to be abandoned.

:3. Automated DNSBLs with highly effective detection and fast listing
:  mechanisms can benefit from very short expiration intervals.
:  Many of the things that these DNSBLs look for are of relatively
:  short duration, and even if they do expire, a resumption of the
:  behaviour will be caught quickly by the DNSBL's detection
:  mechanisms and relisted.  By utilizing a short expiration
:  interval, after reassignment/problem correction, the listing will
:  automatically expire in short order without manual intervention.

We are currently revising the role automation plays in our offerings.   
Even content filtering is becoming less effective.  Perhaps within a  
few short years, traditional prophylactic mechanisms will become  
dramatically less effective.  If anything, reliance upon automation  
and content filtering serves to better educate bad actors, and  
ultimately make the Internet more dangerous.  Although this is not  
something ISPs and bulk senders want to hear, only network providers  
are able to properly deal with the growing and increasingly dangerous  
problem.  The bad-actors managing bot-nets of hundreds of millions of  
0wned systems no longer represent a cottage community of individuals  
or sales staff with somewhat questionable ethics.

This draft is painting a distorted picture that may have been valid a  
decade ago, but no longer represents what might be a best practice  
moving forward.  Sections that represent Feel-Good rhetoric about
automation should be taken out.  Striking this failing strategy would
greatly increase the contribution this draft might make in finding
better solutions moving forward.

-Doug
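Added example, not code from Doug's post, the draft, or any real DNSBL: a toy Python model of the mechanism the quoted sections 2.2.1 and 2.2.3 describe (short expiration intervals, relisting on redetection, and "no questions asked" self-removal throttled by rate-limiting and increasing lockout periods). Class names, parameters and the 192.0.2.0/24 sample address are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Listing:
    expires_at: int         # listing expiry time (seconds); relisting pushes it out
    removals: int = 0       # self-removal requests honoured so far
    locked_until: int = 0   # no further self-removal is accepted before this time

class AutoDnsbl:
    """Toy model (constructed for this example) of an automated DNSBL:
    short-lived listings, relisting on redetection, and "no questions asked"
    self-removal that is rate-limited by escalating lockouts."""

    def __init__(self, ttl=3600, base_lockout=3600, max_removals=3):
        self.ttl = ttl                    # expiration interval of a listing
        self.base_lockout = base_lockout  # lockout after the first removal
        self.max_removals = max_removals  # beyond this, hand off to a human
        self.entries = {}                 # ip -> Listing (history survives expiry)

    def detect(self, ip, now):
        """Detection engine observed abuse from ip: list it, or relist by
        extending the expiry of an existing (possibly expired) entry."""
        entry = self.entries.get(ip)
        if entry is None:
            self.entries[ip] = Listing(expires_at=now + self.ttl)
        else:
            entry.expires_at = now + self.ttl

    def is_listed(self, ip, now):
        """What a DNSBL query would answer at time `now`."""
        entry = self.entries.get(ip)
        return entry is not None and entry.expires_at > now

    def request_removal(self, ip, now):
        """Self-service delisting. Returns (granted, reason). Each granted
        removal doubles the lockout, so repeated 'remove, resume, remove'
        cycles are throttled instead of silently succeeding."""
        entry = self.entries.get(ip)
        if entry is None or entry.expires_at <= now:
            return False, "not listed"
        if now < entry.locked_until:
            return False, "locked out"
        if entry.removals >= self.max_removals:
            return False, "manual review required"
        entry.removals += 1
        entry.expires_at = now  # delisted immediately; detect() can relist
        entry.locked_until = now + self.base_lockout * 2 ** (entry.removals - 1)
        return True, "removed"
```

Because the entry (and its removal history) outlives expiry, a source that is relisted after a self-removal is still subject to the lockout, which is the throttling the draft's text relies on.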