Criminals, The Network, and You [Was: Something Else]

Rich Kulawiec rsk at gsp.org
Sat Sep 22 13:17:17 UTC 2007


On Thu, Sep 20, 2007 at 01:31:41PM -0400, Sean Donelan wrote:
> Why should a network user have to petition his or her ISP to authorize
> their use of a valid network protocol? 

Because many (most?) ISPs have done such a poor job of controlling SMTP
abuse outbound from their networks over the past decade that it's now
a best practice to consider all mail from generic hostnames/dynamic
IP space highly suspect -- at best.

Those ISPs have repeatedly proven over many years that they aren't capable
of detecting and squelching SMTP abuse sources on their own networks; [1] this
leaves everyone else with a choice: either (a) put up with it or (b) devise
measures to stuff a sock in it.  And (a) simply isn't tenable for mail
servers receiving abuse in torrential quantities.

If any of those ISPs are unhappy with the choice of tactics encompassed
by (b) then perhaps they should have anticipated that unhappiness years
ago when they were first alerted to this problem.  Had they taken even
rudimentary steps to solve it (instead of merely having their spokesdroids
repeat the bare-faced lie that they "take the spam problem seriously")
then perhaps it would not have been necessary for others to devise
methods to deal with their failures.

If any network user is unhappy (and I can easily see why they would be),
then he or she should take that up with their ISP, since it's quite
likely that their own ISP has been a contributor to the problem.

> Companies like DynDNS show there is user demand to operate their own
> servers (including P2P servers, mail servers, web servers, dns servers, 
> etc) on dynamic IP addresses without needing a special "static" IP address 
> or different in-addr.arpa name.

That model is no longer viable, unfortunately.  I wish that weren't the
case, but the combination of ISP and end-user negligence along with mass
hijacking of end-user systems has rendered it so.

> They even set up RBLs of mail servers without postmaster accounts. 
> Maybe we need a RBL of mail servers that don't accept mail from generic 
> in-addr.arpa or dynamic IP addresses.

You are certainly free to set up a DNSBL or RHSBL using any listing
criteria you wish, but please be aware that if you set up one using
those particular criteria, anyone using it will likely be refusing a LOT
of valid mail, including that of some very large organizations, since
(as I said above) blocking such traffic has long since been established
as a best practice.  There are multiple DNSBLs, RHSBLs, and static
lists which enumerate such hosts; for example, consider the Spamhaus PBL:

	http://www.spamhaus.org/pbl/index.lasso

which relies in part on input from the ISPs themselves, and is one
of the zones included in the comprehensive "zen" DNSBL zone published
by Spamhaus.

---Rsk

[1] I still adhere to the quaint/outdated/antique concept that everyone
is responsible for making sure that their networks are not an operational
hazard to everyone else's networks, and that they should plan, budget,
staff, build, operate and train accordingly.
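
An added example, not part of the original message: a receiving-side check that combines the two signals discussed above, a PBL listing found through the zen zone and a generic PTR name. The PTR heuristic, the keyword list, the function names, and the sample addresses and hostnames are assumptions constructed for illustration.

```python
import ipaddress
import re
import socket
from collections import Counter

ZEN = "zen.spamhaus.org"
# zen return codes Spamhaus documents for PBL entries
# (.10 = range listed by the ISP itself, .11 = listed by Spamhaus)
PBL_CODES = {"127.0.0.10", "127.0.0.11"}
DYN_HINT = re.compile(r"(dyn|dhcp|pool|dsl|cable|ppp|dial)", re.I)  # assumed keyword list

def dnsbl_qname(ip, zone=ZEN):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_a_records(name):
    """Live lookup; NXDOMAIN (not listed) becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def is_generic_ptr(ip, ptr):
    """Heuristic: no PTR, or a PTR that embeds the address's own octets."""
    if not ptr:
        return True
    runs = Counter(int(n) for n in re.findall(r"\d+", ptr))
    need = Counter(int(o) for o in ip.split("."))
    hits = sum(min(runs[o], n) for o, n in need.items())
    return hits == 4 or (hits >= 2 and bool(DYN_HINT.search(ptr)))

def assess(ip, ptr, lookup=dns_a_records):
    """Return the reasons a receiving MTA might distrust this client."""
    reasons = []
    # Only PBL codes count; other zen lists and error codes are not PBL hits.
    if PBL_CODES & set(lookup(dnsbl_qname(ip))):
        reasons.append("pbl")
    if is_generic_ptr(ip, ptr):
        reasons.append("generic-ptr")
    return reasons

# Constructed sample data (documentation address space), standing in for DNS.
FAKE_ZEN = {"45.113.0.203.zen.spamhaus.org": ["127.0.0.11"]}
def fake_lookup(name):
    return FAKE_ZEN.get(name, [])

if __name__ == "__main__":
    print(assess("203.0.113.45", "c-203-0-113-45.dyn.example.net", fake_lookup))
    print(assess("192.0.2.25", "mail.example.org", fake_lookup))
```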


