marking dynamic ranges, was fixing insecure email infrastructure

Markus Stumpf maex-lists-nanog at Space.Net
Mon Jan 24 21:29:49 UTC 2005


(sorry, first reply to list lost due to wrong From)

> In principle, nothing.  In practice, the rDNS is a mess and I don't know
> many people who think it's likely to get cleaned up enough that we can
> expect to put in all the MTA MARK entries.

If you look at your logfiles you will notice that > 95% of all legit
mailservers already have working and individual revDNS.
And it is not about adding MTA="no" records, MTA="yes" is much more
important.

As of now for a lot of broadband users it is important if the ISP
supports fastpath (disabled error correction) for online gaming and
IP phones. In the future it may be important, if you want to run a
mailserver, if the ISP supports revDNS.

The DE zone (about 6 mio SLDs) had in July 2004 (thanks to Peter Koch who
made the survey) about 140000 unique IP addresses used in MX records.
Assume the same number of outgoing MTAs and you have a really low cost
- compared to other methods - first approximation for solving a part of
the spam problem and providing hints for methods like greylisting (it
doesn't make too much sense to greylist a mailserver) or using it as
a whitelist for automated block lists (quite a number of viruses are
coming from legit mailservers as a result of forwards).
The more TLDs you add to the set the better the ratio domain/IPs becomes
as - at least in DE - a lot of DE domains also have a companion domain
in .COM, .NET, .ORG, .AT, ... that use the same mailservers.

IMHO the spam solving "business" is becoming really twisted:
Some methods are unacceptable because they cut off 0.001% of all
mailservers (Africa + dynamic IP space; that problem could very easily be
solved with a colocation or a relay for nearly no bucks per month at all).
But 100% of all Internet users have to suffer each day, as 100 or 1000
times the number of hosts compared to the number of legit mailservers can
inject their crap to any mailserver they like and you have little chance
to block them at SMTP level. And that means the costs have already been
shifted to the recipient.

But obviously we have passed the point-of-no-return and the antispam
business is a big enough market share so that free-of-cost solutions
(and I am not speaking of MTAMARK alone) that don't hurt the existing
Internet Mail Infrastructure at all, are not of any interest to the
big players, as they can't make money out of it.
And all the others always have the same excuse: why should I spend some
10 minutes to 2 hours to add or fix something. I'll do it if 50 others
already have done it.
The answer is simple: it is very kewl to have a consistent, well behaving
and clean network that you can show around to others like your apartment,
your house or your freshly washed and polished car or bike.

Another example: it is a matter of 2 minutes in 99% of all situations
to fix a mailserver to send a proper and matching HELO string. What is
your excuse that yours is still sending "localhost.localdomain" or
"SL-2000-1.local" in contrast to what is proposed (but not required)?

Isn't it your mailserver and don't you want it to look good and well-behaved
while talking to other mailservers all day long?

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
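The checks argued for in the post (working revDNS, a HELO name that is a real FQDN and forward-resolves to the connecting address, and an MTAMARK-style yes/no record in the reverse zone) can be scripted on the receiving side. The following is an added example, not code from the post or from SpaceNet; the DNS data is constructed inline so it runs offline, and the `_send._smtp._srv` owner-name prefix follows the MTAMARK draft as I recall it and is an assumption here.

```python
import ipaddress

# Constructed DNS data standing in for real lookups, so the check runs offline.
# PTR entries are keyed by the in-addr.arpa name, A entries by hostname, and the
# MTAMARK entries use the assumed "_send._smtp._srv" label under the reverse name.
FAKE_DNS = {
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["mx1.example.net."],
    ("mx1.example.net.", "A"): ["1.2.3.4"],
    ("_send._smtp._srv.4.3.2.1.in-addr.arpa.", "TXT"): ["1"],
    ("8.7.6.5.in-addr.arpa.", "PTR"): ["dsl-5-6-7-8.pool.example-isp.net."],
    ("dsl-5-6-7-8.pool.example-isp.net.", "A"): ["5.6.7.8"],
    ("_send._smtp._srv.8.7.6.5.in-addr.arpa.", "TXT"): ["0"],
}


def lookup(name, rtype, dns=FAKE_DNS):
    """Return record data for (name, type), or an empty list when absent."""
    return dns.get((name.lower(), rtype), [])


def reverse_name(ip):
    """Build the in-addr.arpa owner name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + ".in-addr.arpa."


def plausible_helo(helo):
    """Reject the placeholder names the post complains about."""
    h = helo.rstrip(".").lower()
    if h in ("localhost", "localhost.localdomain") or h.endswith(".local"):
        return False
    return "." in h  # must at least look like a fully qualified name


def check_sender(ip, helo, dns=FAKE_DNS):
    """Evaluate one SMTP client against revDNS, HELO and MTAMARK criteria."""
    rev = reverse_name(ip)
    ptrs = lookup(rev, "PTR", dns)
    helo_a = lookup(helo.rstrip(".") + ".", "A", dns)
    mark = lookup("_send._smtp._srv." + rev, "TXT", dns)
    return {
        "has_ptr": bool(ptrs),
        "helo_is_fqdn": plausible_helo(helo),
        # forward-confirmed: the HELO name resolves back to the connecting address
        "helo_matches_ip": ip in helo_a,
        # "1" marks an outgoing MTA, "0" marks non-MTA space, None means unmarked
        "mtamark": mark[0] if mark else None,
    }
```

A receiving MTA would use the result to decide on greylisting or whitelisting as the post suggests, rather than rejecting outright on a single failed check.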
