[Asrg] mail security

Ian Eiloart iane at sussex.ac.uk
Fri Jan 23 05:16:49 PST 2009



--On 23 January 2009 08:08:41 -0500 Rich Kulawiec <rsk at gsp.org> wrote:

> On Fri, Jan 23, 2009 at 11:00:26AM +0000, Ian Eiloart wrote:
>> Well, I don't think we have the staff capacity to do that.
>
> It's not really that difficult, if well-organized.  Having done this
> in practice for a number of years, I can report that my experience has
> been that nearly all such requests can be denied on inspection -- to
> the point where I've scripted much of it.  For example: all requests
> to whitelist the incompetently-managed and spammer-infested domain
> "yahoo.com" are automatically denied.  All requests to whitelist domains
> that have been placed in the local blacklist (which is done only after
> considerable study) are denied, since there is never any reason to
> delist any known spammer.  The ones that actually merit attention and
> might result in action are almost always transient, accidental cases:
> e.g., example.com is a long-time source of non-spam mail but fubar'd
> their DNS while making a change, and we need to exempt them from
> DNS checks while they work it out.

Yes, yes, yes. But I want to do something smarter than that, with more 
granularity. OK, I'm not going to whitelist "yahoo.co.uk" or any of the other 
well known ESPs. However, I'm not going to spend staff time (there's me 
versus 16,000 users here) on determining whether foobar at yahoo.com is really 
a friend of barfoo at sussex.ac.uk

>
> One thing that's quite revealing is how many users ask for obvious
> phish domains to be whitelisted.  Were the process automated, without
> human review, any number of fake eBay and Chase and Visa &etc. domains
> would have long since been repeatedly whitelisted.
>
> I'm skeptical about the merits of doing per-address whitelisting, even
> though I do some of it.  On the one hand, it accommodates people who are
> stuck with poorly-run systems and networks.  On the other hand, it removes
> much of their motivation to agitate for a change in that situation.

I've a lot of sympathy with that. And, I currently don't do any 
whitelisting, and that's part of my reasoning. However, it does mean that 
spammers are making it harder to create working email communications 
systems, and that our anti-spam systems are often merely RFC compliance 
enforcement systems. I'd rather be fighting evil than incompetence!

> A compromise that I've used, some of the time, is to provide them with
> service, but slower/degraded service, and explain to them that I'd be
> delighted to extend to them the same privileges as others enjoy, but
> that their operation needs to step up the responsibility that goes
> along with that.  Sometimes this works, other times it fails.
>
> ---Rsk



-- 
Ian Eiloart
IT Services, University of Sussex
x3148

